DATA PROTECTION : COMMISSION PROPOSES STRONGER AND BINDING EU FRAMEWORK.

Stronger data protection rights with easier circulation of data in the European Union is the main objective of the draft regulation presented by the European Commission, on 25 January, after intense inter-departmental discussions(1). This would impose new obligations on data protection authorities. This proposal revises Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data.

In addition to further harmonising the EU framework, as evidenced by the choice of a regulation as the legal instrument, the text aims to meet the challenges of the digital environment. "The Commission will create a genuine digital single market for businesses and consumers," commented Justice Commissioner Viviane Reding.

"There are many improvements over existing legislation" in terms of strengthening data protection rights, Konstantinos Rossoglou, legal expert with the European Consumers' Organisation (BEUC), told Europolitics information society.

First, the text improves transparency since companies that process personal data will have to provide clear and transparent information on such processing (reasons for data collection, arrangements, right to complain) and notify data breaches immediately to the control authority and the individuals concerned. Another key aspect is the right to personal data portability, which is especially important to give individuals a right to transmit personal data to another data processing service provider in a common electronic format.

The text also defines in detail the right for individuals to have personal data deleted. Application of this right nevertheless entails certain exceptions. This concerns cases such as having a photo deleted from a social network.

The text also improves the right to complain, the right of judicial remedy on decisions by the control authority, companies that process data and subcontractors, and common rules concerning judicial procedures. For example, if a person in Austria has a problem with a social network based in Ireland related to the processing of his personal data, he can take his case to the Austrian regulator, who will contact the Irish regulator, in line with the draft regulation. The problem will be settled "based on the same rules," explained Reding. If the person is not satisfied with the solution found, "there are two possibilities: he can take action before an Austrian court or through a consumer protection...