PROPOSED REFORMS TO EU DATA PROTECTION LAW
Does your business operate in a European Union (EU) member state? Or do you provide services to EU residents?
On 25 January 2012, European Commissioner Viviane Reding announced proposed reforms to EU data protection law, which had not been amended for 17 years. In that time, technological developments and the explosion of internet use have brought data privacy concerns to the fore. The reform aims are twofold:
- to increase the protection of personal information;
- to reduce the administrative burden of transferring data within the EU by introducing a single set of rules that applies across the EU and to any organisation offering services to EU residents.
Companies and organisations that process personal data will now only need to ensure compliance with a single data protection authority. Nevertheless, the new rights introduced by the proposals bring with them increased responsibility and accountability. Contravention of the new rules can attract fines of up to €1 million or 2% of a company’s annual worldwide turnover. As a matter of ‘one step back, two steps forward’, businesses will initially have to absorb the costs of ensuring proper compliance with the new rules before the benefits of uniformity can be reaped.
SOME KEY REFORMS EXTRACTED
User right to be forgotten
Building on the existing right to deletion, the reforms now include the right to be forgotten and the right to erasure. This includes the right, if the personal data has been made public, “to erasure of any public internet link to, copy or replication of personal data relating to the data”.
User right to data portability
Users will have the right to transfer their data between service providers without intervention. To enable any such transfer, service providers will need to provide users with their data in an appropriate electronic format.
Obligations
Businesses and organisations will carry a number of obligations with respect to processing personal data, including:
- to maintain prescribed documentation of all processing operations;
- to inform users and the data protection authority about data breaches without undue delay;
- to carry out a data protection impact assessment prior to risky processing operations; and
- to designate a data protection officer for enterprises employing 250 or more persons.
WHAT DOES THIS MEAN FOR YOU?
The draft laws are currently with the European Parliament and the Irish EU Presidency for consideration. It is expected that the new proposals will be adopted before the end of 2013. If your company or organisation processes personal data of EU residents, or if your company is active within an EU member state, then these new rules and obligations are directly applicable to you. In light of the penalties attached to these new rules, it will be prudent to carefully review your company policies and procedures with respect to privacy and confidential information to ensure compliance.