European Commission publishes its legislative proposals for reform of the Data Protection Directive
The European Commission has published its proposals to reform the EU's Data Protection Directive (95/46/EC).
The proposed Regulation, unlike the 1995 Data Protection Directive, which gives Member States a wide discretion in respect of its implementation, will be directly applicable once implemented. The Vice President of the European Commission, Viviane Reding, has said that the implementation of a single set of rules on data protection, valid across the EU, will do away with the current fragmentation and costly administrative burdens.
Under the new proposals, multinational companies will be regulated in a ‘one-stop shop’. Companies will only have to deal with a single national data protection authority in the EU country where they have their main establishment. At the moment, businesses are supervised by a different authority in each Member State in which they carry out data processing activities.
The Irish Data Protection Commissioner will therefore have responsibility for overseeing data protection law compliance by some of the world's leading technology companies, such as Google, Facebook, Microsoft and Apple, who all have their European headquarters in Ireland.
One of the key changes includes the creation of a ‘right to be forgotten’ to address privacy risks online. This will allow people to request internet websites to delete their data if there are no legitimate grounds for retaining it. It will also be mandatory for data controllers to notify data protection authorities and the individuals concerned when a data breach is discovered.
The proposed Regulation empowers national data protection authorities to impose far-reaching sanctions for breaches. The proposed fines will be on a sliding scale from €250,000 or 0.5% of a company's global turnover for less serious offences (charging a fee for a data request), and move up to €500,000 or up to 1% (for refusing to hand over data or failing to comply with the right to be forgotten or to erasure).
For serious violations (such as not alerting or notifying a personal data breach, or not timely or completely notifying a breach to the supervisory authority or to the data subject) supervisory authorities shall impose penalties up to €1 million or up to 2% of the global annual turnover of a company.
The Commission's proposals will now be passed on to the European Parliament for approval. They will take effect two years after they have been adopted.
The Commission's proposals include two legislative proposals: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
