Tuesday, 24 January 2012

EU data protection reform

Tomorrow, the European Commission is supposed to present new proposals for laws regulating data protection rules. While we are waiting for the suggested texts of a regulation and a directive, certain 'leaks' as to their scope have already been made public (see e.g. "The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age", as well as "EU proposes 'right to be forgotten' by internet firms").

According to Commissioner Reding, the new regulation will simplify the regulatory environment and drastically cut red tape. The plan is to delete any general notification requirements and replace them with general responsibility and accountability of companies for the protection of personal data in their business field. This means that the companies will need to appoint a data protection officer within their company who will be responsible for handling such complaints. This is expected to generate savings of ca. 130 million euro a year. Moreover, the companies who conduct business in many Member States will need to comply with the legal requirements for data protection for only one Member State and will deal with only one data protection authority - the one applicable for the Member State in which the main seat of the company is located. According to Commissioner Reding, all data protection authorities in the EU will have the same adequate tools and powers so it will not matter which of them the businesses will need to deal with. The plan is also to simplify international data transfers, since if a company has their binding corporate rules as far as data protection is concerned approved by one data protection authority, they will be recognised by all such authorities in the EU (no further national authorisation).

As far as protection of consumers' data is concerned the Commissioner mentions the need for the information about the processing of their data in simple and clear language. Such information shall contain details as to which data is collected, for what purposes, how long it will be stored and with which third parties it will be shared. Consumers should also be notified with which authority they should get in touch in case their rights are violated. This is supposed to give control to the internet users over which data they reveal and to whom. Such an informed consumer may consent to give his personal data for further processing - the consent should be specific and given explicitly. Moreover, the internet users should have a power to have their data moved from one service provider to another, and to have their data deleted. This right to be forgotten is interesting, due to many fears that if you share something via your social network, e.g. Facebook, it will be forever linked to you, even if you chose to delete a given photo or information at a later date. Commissioner Reding underlines that it should be a consumer's right not just a possibility to withdraw his consent to the processing of the personal data they have given previously. Additionally, in case of a data breach, i.e. data being lost, stolen or hacked, there will be a general obligation placed on the data controllers to notify such a data breach to data protection authorities and to the individuals concerned without undue delay (which seems to mean 24 hours).

Let us see what the language of the proposals will be and what further will be changed in the negotiations on these regulations.

No comments:

Post a Comment