Overhaul of EU Data Protection

The Commission has proposed a comprehensive reform of the EU's 1995 data protection rules.

Some of the main changes that would be introduced by the overhaul, as currently proposed by the Commission, are:
• Compulsory notification of data breaches to the supervisory authority within 24 hours, and to the individuals affected without undue delay.
• Right of private individuals to object to automated evaluation processes called “profiling”.
• Right of private individuals to be “forgotten” – in other words, to have their personal data completely deleted by a company.
• Extension of scope to non-EU companies who market to or collect data on citizens in the EU, even if their data-processing operations are based elsewhere.
• Tougher penalties for breaches of the Regulation: fines can go as high as one million or 2% of global turnover.

The Package

The proposed package is made up of three components: a proposed Regulation revising the current rules on data processing and exchange in the private and public sectors, a proposed Directive regulating data processing for criminal justice purposes, and a Communication setting out the new EU strategy for data protection.

Proposed Regulation on Processing and Exchange of Personal Data

This proposed Regulation lays down the conditions under which the processing of personal data would be lawful. Processing is lawful where at least one of the following conditions is met:
• The individuals whose data are collected and processed (the data subjects) have given consent to the processing of their personal data for one or more specific purposes
• The processing is necessary for the performance of a contract to which the data subject is a party
• The controller needs to process the personal data of an individual in order to comply with a legal obligation
• The processing is required for the protection of the vital interests of the data subject
• The processing is necessary for the controller to perform a task of public interest
• The controller must carry out the processing in order to fulfil a legitimate interest

Rights of data subjects

The controller of personal data must provide information to individuals whose data are collected and processed, using clear and understandable language. In cases where personal data are collected, the controller must inform the data subject of the identity and contact details of the controller, the purposes of the processing for which the personal data are intended, and the period for which the personal data will be stored.

The controller must also provide information on the right of data subjects to request from the controller access to and deletion of their personal data and the right of the data subject to lodge a complaint to the competent supervisory authority.

The data subject will also have the right to request from the controller the deletion of their personal data. The controller is then required to erase them without delay in the following cases:
• The data are no longer necessary for the purposes for which they were collected or processed
• The data subject withdraws the consent on which the processing is based
• The storage period for which the data subject has given their consent has expired
• The data subject objects to the processing of personal data
• The processing of the data does not comply with this Regulation

The proposed Regulation also provides for the obligation of controllers to restrict the processing of personal data in cases where the data subject contests the accuracy of these data and the controllers no longer need the personal data for the purposes for which they have processed them. Processing must also be restricted if the data subject does not wish the deletion of their data but requests the restriction of their use instead.

The data subjects will be entitled to object to the processing of their data in cases where they prove that the processing is not necessary in order to protect their vital interests, is not necessary for the performance of a task carried out in the public interest, and is not necessary for the purposes of legitimate interests pursued by a controller. They can also object when personal data are processed for direct marketing purposes. In this last case, the data subject will have the right to object free of charge to the processing of their personal data for such marketing.

In the event of a personal data breach, the controller must notify the supervisory authority of the breach without delay and, if possible, within 24 hours after having become aware of it. The notification to the supervisory authority must:
• Describe the nature of the personal data breach
• Communicate the identity and contact details of the data protection officer where more information can be obtained
• Describe the consequences of the personal data breach 
• Propose measures to minimise the negative effects of the related breach

Proposed Directive on Processing of Personal Data

Under the proposed Directive, the processing of personal data for criminal justice purposes would be lawful when the processing is necessary for the performance of a task carried out by a competent authority, or for the controller to comply with a legal obligation.

Other lawful circumstances include the need to protect the vital interests of the data subject or of another person and the need to prevent an immediate and serious threat to public security.

Member States must also provide for the right of the data subject to obtain from the controller confirmation whether or not personal data relating to them are being processed. In cases where personal data are processed, the controller must provide to data subjects information on the following issues:
• The purposes of the processing
• The categories of personal data concerned
• The recipients to whom the personal data have been disclosed
• The period for which the personal data will be stored
• The right to request from the controller deletion or restriction of processing of personal data concerning the data subject
• The right to lodge a complaint to the supervisory authority
• The personal data which undergo processing 

Communication on EU Data Protection

This Communication aims to set out the Commission’s objectives with regard to the new EU legal framework on data protection. According to the Communication, the Commission wants: 
• A stronger and more consistent EU legislative framework on data protection
• To reduce the administrative burden for businesses, which prior to the Commission proposals had to notify all data protection activities to the competent authorities
• To help individuals and consumers to have a better control over their personal data
• To strengthen the accountability of those processing data, by requiring data controllers to designate a Data Protection Officer in companies with more than 250 employees and in firms which are involved in processing operations
• To apply general data protection principles to police cooperation and judicial cooperation in criminal matters
• To lay down clear rules defining when EU law is applicable to data controllers established in third countries, by specifying that whenever goods and services are offered to individuals in the EU, EU rules will apply

Next Steps

The proposed Regulation and Directive will now be sent to the European Parliament and Council for consideration following the ordinary legislative procedure.

The Communication will also be sent to both institutions for examination. The institutions may officially respond to it in the following months.