New data protection regime

LEGAL UPDATE: The European Commission has published a draft regulation in what will be a comprehensive reform of the EU's data protection law. This is aimed at giving users more control over how their personal information is handled on the internet, while also facilitating online commerce.

The proposals have arisen as a result of several public consultations and a strategy set out in 2010 to strengthen and streamline data-protection rules in Europe. Currently, each EU member state has its own system in place based on the manner in which it implemented the 1995 Data Protection Directive. The new proposals will implement a single set of rules across the EU and will not require any further implementing measures by member states. Key changes proposed include:

Substantial fines: Increased powers will be given to national authorities to impose severe fines on companies in breach of the new laws, potentially up to two per cent of global annual turnover.

Right to be forgotten: Internet users will be afforded a “right to be forgotten”, enabling them to ensure the deletion of their online data if there are no legitimate grounds for it being stored.

Data portability: There will be a right to data portability, enabling users to transfer personal information freely to and from competing companies.

One-stop shop: It is proposed to make companies operating in at least one EU member state (including companies based outside the EU) subject to these obligations. The regulator in one home member state will oversee the application of the company’s data-protection regime across the entire EU. These companies will need to ensure the appropriate member state is the regulator.

After the thorough, practical and positive way the Irish Office of the Data Protection Commissioner (ODPC) reviewed the operations of Facebook in the EU, Ireland will be a prime candidate in this regard.

Data transfers: Businesses can establish a single set of binding corporate rules (BCRs) to be approved by one regulator which will then apply across the EU.

Registration/Notification: It will no longer be necessary to register or to file data-transfer contracts with the local regulator. The ODPC already generally exempts businesses from the need for registration and has never required data-transfer contracts to be filed, but many other EU countries impose such requirements.

The commission has estimated that the removal of red tape and the expected increase in consumer confidence online will generate more than €2 billion annually for EU companies. It is hoped this will encourage international organisations to set up in EU member states.

The proposed reforms will now be passed to the European Parliament for discussion. If approved, the draft regulation contained in the proposal will become directly effective in all EU member states in approximately two years.

This is taken from the Publications section of the website of William Fry, williamfry.ie