Impending changes to EU data protection laws will see the implementation of a framework designed to harmonise laws across the EU. A new draft EU Regulation contemplates that rules will be directly applicable in all EU member states without the need for implementation at national level.
Evidently a response to the increasing use of digital material, the draft Regulation places a greater burden on businesses to be more open and transparent about the way they store and transfer data while strengthening individuals’ rights regarding protection of their personal data.
Data Controllers and Collection of Data
Current data protection laws provide for organisations to be regulated by a different Data Protection Authority (DPA) in each EU state in which they carry on their business. The new Regulation will simplify data protection laws by providing that there will be only one DPA for a data controller: the DPA of the member state in which the company has its main establishment.
While the data controller will have only one DPA, there will be an increased burden on the controller regarding consent. The controller will need to obtain consent explicitly from individuals for data to be processed, which could prove more difficult. Passive consent will no longer be able to be relied upon. The data controller will need to satisfy a burden of proof demonstrating that consent was obtained from each subject. Data controllers will have increased responsibility and accountability.
Notifications of Data Security Breaches
There will also be increased regulatory requirements on notifications of data security breaches. Businesses will have to notify their DPA about a data security breach as soon as possible, generally within twenty-four hours. Where an individual’s privacy is likely to be affected, that person must be informed.
The Right to be Forgotten
Furthermore, individuals will have a ‘right to be forgotten’, which means they may require that personal data relating to them be erased unless it is required for compelling reasons such as ‘historical, statistical or research purposes’. Many social media companies are against this, as they may find it difficult to comply where content they do not have full control over has gone viral.
Data Regulation Beyond the EU
The Regulation will extend the application of the law to data controllers beyond the EU if their activities involve collecting data related to EU residents. The Regulation also proposes the implementation of an independent European Data Protection Board, which will be comprised of the heads of the DPAs.
The changes will be backed by serious sanctions, tiered according to the severity of the incident. Serious violations may see penalties of up to one million Euros or two per cent of turnover. The new Regulation is therefore likely to have a significant impact on the way businesses manage data, and they should be prepared for any changes that make it into the final legislation. For more information please contact James Crichton via e-mail at firstname.lastname@example.org or by telephone on 0207 611 4848.