Last week, the European Commission set out its proposal for a new data protection framework. Eduardo Ustaran explains what this means.
The process of reform of the European data protection legislation has been going on for over two years, but on 25 January 2012 the European Commission unveiled its proposal for a new data protection framework. This is the most significant global legislative development affecting the collection, use and protection of personal information for 15 years.
As expected, the proposed new general framework for data protection is set out in a regulation, rather than another directive. This means that once adopted, the regulation will be directly and universally applicable across all EU member states without the need for national legislation.
There are obvious pros and cons to this approach: a single law will benefit companies operating internationally, but UK companies will lose the benefit of the business-friendly approach of the UK data protection legislation.
The new framework is aimed at rejuvenating a law which has lost its effectiveness in tackling the data protection challenges of the 21st century.
The main novelties introduced by the proposed regime include:
Applicability based on establishment and targeting of European residents
Any company that processes personal data in the context of an EU-based establishment will be subject to the new law in any event. However, the regulation will extend the applicability of European data protection rules to organisations established elsewhere that use personal information in relation to the offering of goods or services to, or the monitoring of the behaviour of, individuals who live in the EU.
Some rather radical changes are likely to come in the shape of new or strengthened individuals' rights. Expanding on the current directive, the regulation will also require companies to provide their customers with additional transparency information such as the period for which the personal data will be stored, the different rights available to individuals and whether their personal data will be transferred internationally.
As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles, such as privacy by design and privacy by default, to the training of staff and the appointment of data protection officers.
Data breach notification
An obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) within 24 hours will now apply to all controllers. This will make the likelihood of investigations by the data protection regulators much greater.
International data transfers
Greater flexibility is provided on this issue through an express recognition for binding corporate rules (BCR). The European Commission has made it clear that it expects BCR to become the norm for all international companies going forward.
The promise by the commission of stronger enforcement powers for the data protection authorities has materialised through hefty monetary fines of potentially up to 2% of the annual worldwide turnover of a company.
• Identify any aspects that may have a significant impact on the business and consider appropriate outreach actions.
• Identify the relevant individuals and institutions at both EU and national level in order to make representations on behalf of a business or industry sector.
• Prepare for compliance with the new obligations.
This will be a crucial year to influence the outcome of the new law, and policy makers will be looking for input from all key stakeholders, so the time to act is now.
Eduardo Ustaran is a partner and head of the European data protection team at law firm Field Fisher Waterhouse