On 15 December 2015, after three years of fierce negotiations, the new European (“EU”) data protection framework was finally agreed. The text of the agreement has yet to be finalised, and minor changes are still possible.
However, the final version will be very similar to the one that has been made publicly available. It will be submitted to a formal vote of the Parliament and the Council in the weeks to come, and it will become applicable two years after its adoption.
The “Data Protection” package includes a regulation establishing the general framework for the protection of personal data(1) (“Regulation”) and a directive on the protection of personal data processed for the purpose of law enforcement(2) (“Directive”). It is an essential step towards strengthening citizens’ fundamental rights in the digital age and facilitating business by simplifying rules for companies in the digital single market.
1. General framework for the protection of personal data: the Regulation
Regarding the Regulation, the changes will be significant both for companies and individuals.
- In relation to companies
The new Regulation will apply to any controller or processor of data of an EU citizen, regardless of where the controller or processor is headquartered or keeps its servers.
Privacy “by design” and “by default” will become essential elements in EU data protection rules.
Privacy by design means that each business that makes use of personal data must build the protection of such data into its processing from the outset. An organisation needs to be able to show that it has adequate security measures in place and that compliance is monitored.
In regard to privacy by default, data controllers shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage.
All public bodies processing data, all companies where data processing is the main activity and all companies where sensitive data is processed on a “large scale” will now be required to appoint a data protection officer.
The Regulation will also impose direct obligations on data processors who will need to implement technical and organisational measures.
In addition, data processors will need to notify the data controller without undue delay in case of a data breach. Data controllers will have to notify the data protection authorities within 72 hours of discovering any data breach that creates a significant risk for the data subjects involved. However, this notification will not be necessary if the breach is unlikely to result in a risk to the rights and freedoms of individuals.
In case of a violation of data protection law, the national data protection authority will be able to impose fines of up to 4% of the company’s worldwide turnover.
But there will also be advantages for companies.
For example, the requirement for prior notification to a supervisory authority will be abolished, and the obligations imposed on companies will be adjusted in relation to the potential threat to privacy posed by the activities of the company in question.
Member States may, however, within the limits of the Regulation, adopt specific rules in national law, for example with regard to the processing of employees’ personal data, and in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
In addition, there will be enhanced cooperation between the national authorities of the 28 Member States in order to apply a single set of rules and consequently avoid conflicting decisions.
- In relation to individuals
First of all, the same level of protection will be applicable for all European citizens even if the data processor is established outside the EU.
The consent of data subjects for the processing of personal data must be freely given, specific, informed and unambiguous and has to be demonstrated by “a clear affirmative action by the data subject”. Explicit consent must be given for sensitive data. Consent can be withdrawn at any time.
The rights for individuals to control their personal data will be strengthened and their access to the data will be eased. For instance, the Regulation will codify the “right to be forgotten” which means that data subjects can require the erasure of their personal data by the data controller in certain situations.
Individuals will also have the possibility of transferring personal data from one online service to another (“right to data portability”) and of contesting targeted online advertising.
Furthermore, when personal data is processed for direct marketing, the data subject will have a right to object to the processing of their personal data, and this right will have to be explicitly brought to their attention.
Regarding the protection of children, parental or custodian consent will be required for children below the age of 13 in order to receive information society services.
2. Protection of personal data processed for the purpose of law enforcement: the Directive
The Directive will enable law enforcement authorities to exchange data more efficiently and effectively. They will no longer be required to apply different sets of data protection rules according to the origin of the data.
The citizens’ rights will be better protected because law enforcement processing must comply with the principles of necessity, proportionality and legality. Nevertheless, police authorities will be allowed to limit the information on the data they hold and limit the access to the processed data in order to avoid compromising ongoing investigations.
Finally, the transfer of data from public authorities to private entities will be possible and consequently will enable police authorities to take swift action in case of a terrorist attack or other emergencies.
(1) Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
(2) Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.