Published and draft legislation - European Union

Proposal for European Data Protection Regulation

On 12 March 2014, the European Parliament adopted the text proposed by the LIBE Committee (Civil Liberties, Justice & Home Affairs), giving the go-ahead to the reform of the European data protection framework. All that remains is approval from the Council for the new Regulation to replace the current Directive 95/46 (dating from 1995).

The draft includes the Regulation itself, plus a directive setting minimum standards, which will apply to personal data processed in the framework of police and judicial cooperation.

The reform is aimed at modernising European legislation on data protection in response to the latest communication and technology systems, establishing new control mechanisms and grievance procedures for data processing, as well as the standardisation of the currently inconsistent patchwork of laws in different member states.

The proposals have been highly controversial, eliciting criticism from different sectors, but especially from business associations, due to the proliferation of regulations the reform would introduce, which could overload companies with checks and controls, and expose them to the risk of extremely tough fines.

The main changes contained in the proposal include:

  • Appointment of Data Protection Officers throughout Europe
  • Privacy by design and privacy by default requirements for products and services. (The aim here is to protect product users’ privacy with a set of measures that give stakeholders greater control over the dissemination of their own data and the way it is processed)
  • Privacy impact assessments. (Data controllers and processors are obliged to carry out impact assessments on data protection)
  • Principle of accountability. (The company assumes overall liability for any data processing, whether done in-house or outsourced to a third party)
  • Obligation to report incidents. (Notification must be submitted to the Control Authority and to the parties affected by the incident)
  • Audits and controls on compliance.
  • Fines: up to €100m or 5% of global annual turnover. (Discretionary fines disappear)
  • European Data Protection Seal. (This is awarded as a guarantee that personal data are processed in compliance with EU standards)