EU Data Protection Reforms Move Forward

The proposed reforms to the EU data protection rules moved forward in March 2014, with the European Parliament adopting a series of amendments under a process begun two years earlier by the European Commission. The next step is for the EU Council of Ministers to consider the proposed amendments. Once finally agreed, the new rules are not expected to become applicable until 2016.

These reforms are not without controversy, to say the least. Although the existing EU rules are being entirely replaced, the core elements of data protection set up under the existing rules will remain; the text itself, however, will roughly triple in length, or grow even longer if the Parliament's amendments are finally taken up. Further, although one of the Commission's reform aims is to bring the rules in line with new technologies, whether this will actually be achieved is doubted in several quarters.

The key new elements of the proposed reforms, in very general terms, along with a few comments designed to provoke some debate, are as follows:

  • One port of call – the basic idea here is that those concerned should only have to deal with one data protection regulator, i.e. the regulator in one EU Member State. Although the idea sounds attractive, it may in fact simply encourage some to seek out countries that are perceived to be more attractive than others, for example for linguistic reasons, which probably isn't what the EU legislators have in mind.
  • The long arm of the EU – the new rules will apply not only to those based in the EU and processing data there, but also to those based outside the EU who are active on the EU market and process the data of EU residents to whom they offer services. But how will this be enforced in practice?
  • Forget me – there will be a right to have data deleted, for example when the purpose for which the data was retained has become obsolete. One idea behind this was apparently to assist social media users who wish to withdraw items that they later regret posting; but might it not be better to put resources into educating social media users in using social media?
  • A new position – an internal data protection officer will have to be appointed where data processing is carried out by a public entity or by a business employing over 250 people. But are there enough qualified people out there right now who can do this?
  • Report breaches fast – data breaches will have to be reported to data protection regulators without delay and, where feasible, no later than a period to be set under the new rules. In the initial draft this period is 24 hours, but some are calling for a longer period. Where the notification to the regulator is not made within the set period, it will have to be accompanied by a reasoned justification for the delay. Whilst data breaches are undoubtedly a serious issue, might that well-favoured EU buzzword "proportionality" be applied here, for example by reserving such a short period for serious breaches only?
  • Big fines – data protection regulators will have the power to impose fines for infringing the data protection rules of up to EUR 1 million or up to 2% of the global annual turnover of a business, whichever is the greater; these figures may well go up in the final version. Will this create a temptation for resource-strapped data protection regulators to go after those with the deepest pockets?

What are your thoughts?

Andre.Bywater@corderycompliance.com

Originally published on May 7, 2014, in DaftBlogger, at http://www.daftblogger…