In January 2012, the European Commission presented proposals for a comprehensive reform of the data protection rules with an objective to strengthen online privacy rights and boost Europe's digital economy. This proposed reform contained two legislative proposals: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities. The proposed Regulation will replace the current Data Protection Directive from 1995. The proposed Directive, on the other hand, will protect personal data in criminal and justice matters. In this text we will focus solely on the Regulation.
The main purpose of this comprehensive reform is to update the data protection rules across the EU so that they reflect the way personal information is used today and in the future. By proposing the new framework, the Commission seeks to take into account the realities of modern data flows, cloud computing, location-based services and smart cards. The proposed Regulation is aiming to do away with the current fragmentation and costly administrative burdens, while helping to eliminate all the uncertainty created by a patchwork of data protection laws.
The Commission's initial proposal for the new Regulation contained the following key changes:
Single Set of Rules: The proposed form of new legislation (i.e. a regulation instead of a directive) will be directly applicable and valid across the EU. This will reduce the administrative burden for companies, as unnecessary administrative requirements, such as notification requirements for companies, will be removed.

"One-Stop Shop": Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. The proposed Regulation will have an extra-territorial effect, which means that people can turn to the data protection authority in their country, even when their data is processed by a company based outside the EU.

Extra-territorial effect: Organisations processing personal data about European residents will be subject to the Regulation if they: i) offer goods or services to data subjects in the European Union; or ii) monitor the behaviour of those data subjects.

Data Breach Notifications: Stricter obligations on companies to report serious data protection breaches.

Notice of data...