Reform of the EU's Data Protection Directive expected in early 2012
The Vice President of the European Commission and EU Justice Commissioner, Viviane Reding, recently issued a statement regarding the proposed reform of the Data Protection Directive (95/46/EC), indicating the proposal will be published in early 2012. The proposals contained in the new legislative package, which is intended to fix weaknesses in the current data protection framework, include:
· A 'one-stop-shop' for businesses and consumers when it comes to data protection matters - one law and one single data protection authority for each business; that of the Member State in which they have their main establishment. Under the current data protection regime, companies that operate in several Member States must comply with different laws and different decisions taken by data protection authorities in 27 Member States. A non-European company operating in the European Union has to abide by 27 different interpretations of the EU law on data protection.
· Making the binding corporate rules simpler to use, with a single point of contact for companies amongst the European data protection authorities. Once the binding corporate rules are approved by one data protection authority, they should be recognised by all European data protection authorities, without the need for additional national authorisation in case of further transfers.
· Cutting red tape by eliminating unnecessary costs and administrative burdens to create a more business-friendly regulatory environment. This means doing away with the general requirement to notify data processing to data protection authorities.
· Strengthening coordination and cooperation between national data protection authorities to make sure that the rules are enforced consistently.
· Putting individuals in control of their information. Firstly, businesses must ensure transparency for individuals, who must be provided – in simple and understandable language – with appropriate information about the processing of their data. Secondly, business responsibility means that whenever users give their agreement to the processing of their data, it has to be meaningful. This requires individuals to be informed about privacy policies, and their consent needs to be specific and explicit. Thirdly, business responsibility means better control for individuals over their own data: that requires easier access to one's own data. If a user requests their information, it should be given to them in a widely used format which makes it simple to transfer elsewhere.
· Creating a right to be forgotten, to address the privacy risks online. Accordingly, if an individual no longer wants their personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.
· A mandatory obligation for data controllers to notify data protection authorities and the individuals concerned when a data breach is discovered.
The proposal that businesses will be subject to just one Member State's data protection law aims to make it less costly for businesses to comply with data protection laws, and will no doubt be welcomed by businesses that operate across the EU. It might also lead to an increase in cross-border trade and increase consumer confidence regarding the protection of their privacy rights.
