The European Commission published on the 25th of January 2012 its proposal for a new legislation aiming to update and modernize the principles included in the 1995 Data Protection Directive

The Commission proposed that the new framework should consist of:  a. the General Data Protection Regulation which would replace the EU Directive 95/46/EC and set out a general EU framework for data protection and b. a Directive which would replace Framework Decision 2008/977/JHA and would set out rules on the protection of personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and other related judicial activities.

Key features of the new draft General Data Protection Regulation, which is likely to come into force by 2014, include the following:

a. Introduction of a harmonized set of core rules: the Regulation is considered to be the most appropriate legal instrument to define the framework for the protection of personal data in the EU since its direct applicability will reduce legal fragmentation (the “patchwork of data protection laws in Europe”) and provide greater legal certainty.

b. “One-stop-shop”: individuals and organizations will have to address only to one single data protection authority, located in the country of their main establishment or residence.

c. Replacement of the notification requirements: the new principle of accountability will require data controllers to demonstrate their compliance with the law by maintaining documentation on their processing, implementing appropriate security measures and performing Privacy Impact Assessments (PIAs) when required.

d. Extraterritorial applicability: the jurisdictional reach of the EU Framework will be changed as it will be applicable to all companies which will be offering goods and services to consumers in the EU (the “directed to” criterion). In her press conference on the 25th of November 2012, Vice-President Viviane Reding, EU Commissioner for Justice, clarified that US based companies which have subsidiaries in the EU would also have to comply with the EU data protection law.

e. Binding Corporate Rules: BCR’s will be expressly recognized as an appropriate form of compliance for international data transfers and once approved by one data protection authority they will be recognized by all the data protection authorities within the EU.

f. Right to be forgotten and data portability: the Regulation introduces a new right to have data deleted or transferred from one provider to another, unless required by law or there is a legitimate and legally justified interest to keep such data (freedom of expression, reasons of public interest – e.g. public health-, historical, statistical and scientific research purposes etc).

g. Data breach notifications: under the new regime all data breaches would have to be reported to supervisory authorities within 24 hours, while serious data breaches (which would be likely to affect the protection of privacy of the data subject) would also have to be reported to individuals affected.
h. Fines: the new Regulation will empower the data protection authorities to impose fines reaching up to 2% of an organization’ s annual turnover for the most serious data breaches.

i. Data Protection Officers: Organizations with more than 250 employees will need to appoint independent data protection officers whose principal task would be to monitor the data processing of the organization.

j. Consent: in case that consent is a ground for data processing, it should be explicit and once given data controllers should enable data subjects to withdraw it at any time.

Edited by Maria Giannakaki