
Data Protection Overhaul in Europe

February 28, 2012

The European Commission has published a draft Regulation as part of what will be a comprehensive reform of the EU’s data protection law. The reform is aimed at giving users more control over how their personal information is handled on the Internet, while also facilitating online commerce.

The proposals have arisen from several public consultations and from a strategy set out in 2010 to strengthen and streamline data protection rules in Europe. Currently, each EU member state has its own system in place, based on the manner in which it implemented the 1995 Data Protection Directive. The new proposals will introduce a single set of rules across the EU and will not require any further implementing measures by member states.

Key changes are as follows:

  • Substantial Fines – National authorities will be given increased powers to impose severe fines on companies in breach of the new laws, potentially up to 2% of global annual turnover.
  • Right To Be Forgotten – Internet users will be afforded a “right to be forgotten”, enabling them to ensure the deletion of their online data where there are no legitimate grounds for it being stored.
  • Data Portability – There will also be a right to data portability, allowing users to transfer personal information freely to and from competing companies.
  • One Stop Shop – It is proposed to make companies operating in at least one EU member state (including companies based outside the EU) subject to these data protection obligations. The regulator in one home member state will oversee the application of this data protection regime for the entire EU. These companies will need to take care to ensure that the regulator is in the appropriate member state. After the thorough, practical and positive way the Irish Office of the Data Protection Commissioner (ODPC) reviewed the operations of Facebook in the EU (see our earlier article), Ireland will be a prime candidate in this regard.
  • Data Transfers – Businesses will be able to establish a single set of binding corporate rules (BCRs), approved by one regulator, which will then apply across the EU.
  • Registration/Notification – It will no longer be necessary to register with, or to file data transfer contracts with, the local regulator. The ODPC already generally exempts businesses from the need for registration and has never required data transfer contracts to be filed. However, many other EU countries impose such requirements, so overall this pro-business approach is very welcome.

The Commission has estimated that the removal of red tape and increased consumer confidence online will generate over €2 billion annually for EU companies. It is hoped this will encourage international organisations to set up in EU member states.

It will be interesting to see whether the proposal for mandatory reporting of data breaches within 24 hours survives in the final wording. There is a valid argument that 24 hours is not sufficient time for companies to assess the impact of a suspected breach and recommend effective remedies to customers. Indeed, some have raised concerns that the reforms are overly focused on penalising companies that have suffered data breaches rather than on encouraging the prevention of such incidents through education and staff training.

It remains to be seen how regulators can be adequately funded, especially if there are no registration fees. It is important that compliant companies are not expected to compete with others operating unfairly and illegally because there are insufficient resources to enforce the new measures.

The proposed reforms will now be passed to the European Parliament for discussion. If approved, the draft Regulation contained in the proposal will become directly effective in all EU member states in approximately two years.

Contributed by David Cullen.