In January, the European Commission proposed significant reforms of the 1995 EU Data Protection Directive. When these rules were implemented, less than 1% of Europeans used the Internet. Today, the Internet is a widely-used, powerful tool of commerce. Massive transfers of data occur between countries, across continents and around the world at the speed of light.
Like other EU directives, the Data Protection Directive was addressed to the member states. It was up to the member states to transpose the directive’s elements into internal law. By 1998, all member states had enacted their own data protection laws.
One of the problems with the 1995 Directive was that the 27 member states implemented the rules differently. This created a confusing and expensive compliance environment for multi-national companies. Under the new rules, organizations will only have to deal with a single national data protection authority in the EU country where they have their main establishment.
Other key changes in the reform:
- A single set of rules on data protection, valid across the EU.
- Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
- Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
- A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
Where the 1995 Directive lacked adequate enforcement, the new rules would include fines for those breaching EU data protection rules of up to €1m, or 2% of their global annual turnover.
Viviane Reding, EU Justice Commissioner said, “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information.”
The European Commission's rules will now be handed off to the European Parliament and EU Member States for discussion. If approved, they will take effect two years after they have been adopted.
Source: European Commission – Press release (Brussels, 25 January 2012)