The EU's data protection reform

Posted: 10/02/2012


On 25 January 2012, the European Commission announced its proposal for the comprehensive reform of the EU's data protection rules. Its aim is to strengthen, modernise and simplify online privacy rights and ultimately boost Europe's digital economy by fostering growth, innovation and job creation. It aims to create a 'single set of rules on data protection across the EU'.

The new regulation will apply to establishments based anywhere in the EU, as well as to establishments based outside the EU that offer goods and/or services to individuals within the EU or monitor their behaviour. This significantly extends the reach of current EU privacy and data protection law.

Currently, businesses that operate throughout the EU have to deal with 27 different national data protection rules. This fragmentation of rules between EU countries is a costly administrative burden that makes it hard for new businesses to access new markets.

Under the new proposals, businesses will only have to deal with one set of data protection rules throughout the EU and will be answerable to a single data protection authority. The aim is to simplify the way businesses interact with data protection laws and give them incentives to trade and invest cross-border in the internal market.

However, every aspect of an organisation's compliance obligations will increase, and there will be fines of up to 2% of global turnover for breach.

The responsibilities of data controllers (a company or individual that determines how personal data is processed) will be increased. Data controllers will be required to have 'transparent' and 'easily accessible' policies regarding the processing of personal data. Data controllers will also have to demonstrate compliance by keeping documentation showing that they are compliant with the new regulation. In addition, 'Privacy by design' and 'Privacy by default' are principles that would need to be integrated into business processes. This means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-protecting default settings should be the norm, for example in relation to social networks.

The European Commission's aim to create a 'single set' of rules on data protection throughout the EU should be a good thing. It will be interesting to see how the UK Government and larger businesses respond to the proposals for increased restrictions on the collection and use of personal data, especially in relation to online businesses.

The draft regulation still needs to be approved by EU member states and ratified by the European Parliament. It is expected that it could take up to two years or longer before the new regulations come into force. However, businesses should be prepared for most of the provisions in the draft regulation to be adopted.



Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.
