By Clare Atkinson, Associate, Corporate Department, Fox Williams LLP
The European Commission is proposing the first significant update of data protection legislation since 1995. Companies found to be breaching data protection law could be liable to fines of up to 5 per cent of the company’s annual worldwide turnover, which for large multi-nationals could mean billions of Euros.
The European Commission has circulated two draft legal instruments for interservice consultation proposing widespread amendments to current data protection legislation.
The draft documents propose a regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and a proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (Police and Criminal Justice Data Protection Directive).
The drafts have been circulated to the Directorates-General of the Commission, who will provide comments on the drafts before they are formally released as legislative proposals. It is expected that Justice Commissioner and Commissioner Vice-President, Viviane Reding, will formally announce final versions of the drafts at the World Economic Forum in late January 2012.
The measures will have to be approved by national governments and it is likely to be two to three years before the measures become law.
More Business-friendly Regulatory Environment
The Commission is aiming to reduce unnecessary costs and administrative burdens for businesses, to encourage businesses to operate across borders. To this end, it proposes to create a “one-stop shop” for data protection, meaning that a company will only have to comply with the data protection laws in the jurisdiction in which it has its main establishment.
The Commission also plans to eliminate the need to notify data protection authorities of data processing activities.
The rules on international transfers of data will be reformed to reflect the way in which data is transferred internationally. This will include improving the system of Binding Corporate Rules (“BCR”), so that all data protection authorities recognise BCRs approved by one data protection authority, which will ease compliance.
Data Protection Authorities would be given harmonized and greatly enhanced powers to impose sanctions, which could be up to a maximum of 5 per cent of a company’s annual turnover.
There will be a general requirement for companies to notify data protection authorities and data subjects where there has been a data security breach and data loss.
Viviane Reding described one of her aims as putting “individuals in control of their data” to ensure that individuals are always in a position to take informed decisions about how their personal data is used.
To this end there will be a focus on transparency, with companies being obliged to inform individuals about how their data is being used. The requirement to obtain consent (or “opt-in”) to the use of their personal data will be reinforced and the right to be forgotten will be introduced.
The “opt-in” is a controversial area, especially with regard to online behavioural advertising. Online behavioural advertising is big business and some advertisers have claimed that stringent restrictions on online behavioural advertising through the necessity of obtaining “specific and explicit” consent could threaten the concept of a free internet. This is an area to watch next year, as further developments are expected.
Businesses will welcome some of the reforms, which are aimed at making doing business in the EU much more cost-efficient, and thus more attractive, for multi-national companies. However, the strengthening of individuals’ rights will lead to additional burdens for businesses. It will be a case of wait and see until next year for the final draft and more detail on the measures to be implemented.
Clare Atkinson is an associate in Fox Williams LLP’s Corporate department and a member of the Technology team. She can be contacted on 020 7614 2557 or email@example.com.