Launched in January 2012 by the Commission, the Data Protection Reform (the “Reform”)1 is a package aiming to update, on the one hand, the rules of the 1995 Data Protection Directive2 and, on the other hand, the 2008 Framework Decision on data protection in police and judicial cooperation in criminal matters3.
The Reform concerns two legislative instruments:
- the General Data Protection Regulation: this instrument, intended to replace Directive 95/46/EC, aims to give people better control over their personal data and to increase business opportunities in the Digital Single Market, including through a reduced administrative burden; and
- the Data Protection Directive in the area of law enforcement: this instrument, intended to replace the 2008 data protection framework decision, aims to protect personal data processed for prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
On December 15, 2015, under the Luxembourg Presidency of the Council, an agreement was reached between the representatives of the Council, the European Parliament and the European Commission, following final negotiations between the three institutions in “Trilogue” meetings.
In an extraordinary meeting on December 17, 2015, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee expressed its position on the texts agreed.
Finally, on December 18, 2015, the Permanent Representatives Committee (Coreper) confirmed the compromise texts.
Once the compromise had been agreed, the Council adopted – on April 8, 2016 – its position at first reading on the Reform.
On April 14, 2016, the European Parliament – in a plenary vote supporting the Reform – adopted the draft text of the Reform package. This vote completed the legislative process for adoption of the Reform.
On May 4, 2016, the General Data Protection Regulation and the Data Protection Directive were published in the Official Journal of the European Union, in all official languages.
Twenty days after its publication, i.e. on May 24, 2016, the General Data Protection Regulation will enter into force. A two-year transition period then follows, after which its provisions will be directly applicable and enforceable in all Member States, i.e. from May 25, 2018.
The Data Protection Directive entered into force on May 5, 2016. Member States now have a two-year transition period to transpose its provisions into national law, i.e. the transposition deadline is May 6, 2018. For the United Kingdom and Ireland, the provisions of the Data Protection Directive will apply only to a limited extent, due to their special status regarding justice and home affairs legislation. In addition, Denmark will have the opportunity to decide, within six months after the final adoption of the Data Protection Directive, whether it wishes to implement it in its national law.
KEY POINTS OF THE REFORM
In a few words, the General Data Protection Regulation focuses on reinforcing individuals’ rights and strengthening the EU internal market.
To these ends, the General Data Protection Regulation provides tools that allow individuals to control their personal data.
Among those tools are:
- a right to be forgotten (right to erasure), balanced against two other objectives: safeguarding freedom of expression, and safeguarding historical and scientific research.
- a higher level of data protection: more specific rules set out when data controllers may process personal data, among them the requirement for the consent of the individuals concerned4.
- specific protection for children: parental consent must be obtained for processing the data of children.
- easier access to one’s data, with a right to data portability: individuals will receive more information, in a clear and understandable form, about the processing of their personal data, and transferring personal data from one electronic processing system to another will be easier.
- the right to know when one’s data has been breached: in case of a personal data breach, companies and organisations will have to notify the national data protection authority, in most cases within 72 hours. In certain situations, breaches will also have to be communicated to the individuals concerned.
- anonymisation, pseudonymisation and encryption: introduction of the concept of “pseudonymisation5” and promotion of techniques such as anonymisation and encryption.
- “data protection by design and by default”: appropriate technical and organisational measures have to be taken by the controller, both when the processing is designed and when it is carried out, in order to protect the rights of individuals. By default, only personal data which are necessary for each specific purpose of the processing will be processed. Moreover, those data will not be collected or retained beyond the minimum necessary for that purpose, both in terms of the amount of data and the time of their storage.
- stronger enforcement of the rules: in case of violation of the new rules, the national supervisory authority may impose administrative fines. In each individual case, the fine will be set proportionately to the specific situation, having regard in particular to the nature, gravity and duration of the infringement. For a legal entity, the fine may be up to 4% of its annual worldwide turnover.
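The pseudonymisation concept from the list above, and the definition quoted in footnote 5, in working code: direct identifiers are replaced by a keyed hash, and the key plus the re-identification table (the “additional information”) are kept apart from the working dataset. This is an added example written for this page, not code from the original article or from any EU institution; the record layout, the field names and the e-mail addresses are constructed for illustration.

```python
"""Pseudonymisation of direct identifiers with a keyed hash (added example).

The working dataset can no longer be attributed to a person without the
"additional information" (the secret key and the re-identification table),
which must be stored separately and under its own access control.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; the people and addresses are invented.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "country": "LU", "age_band": "30-39"},
    {"email": "bob@example.org", "country": "FR", "age_band": "40-49"},
    {"email": "alice@example.org", "country": "LU", "age_band": "30-39"},
]

# Assumption for this example: only the e-mail column directly identifies a person.
DIRECT_IDENTIFIERS = ("email",)


def new_key() -> bytes:
    """Fresh 256-bit key; keep it out of the system that holds the dataset."""
    return secrets.token_bytes(32)


def derive_pseudonym(key: bytes, identifier: str) -> str:
    """Map an identifier to a stable pseudonym using HMAC-SHA256.

    A keyed hash rather than a plain hash: someone holding only the
    pseudonymised dataset cannot confirm a guess such as "is this row
    alice@example.org?" by hashing the guess, because the key is missing.
    Normalising (strip + lower-case) keeps "Alice@Example.org" and
    "alice@example.org" on the same pseudonym.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key, fields=DIRECT_IDENTIFIERS):
    """Return (pseudonymised records, re-identification table).

    The table maps pseudonym -> original value. Together with the key it is
    the "additional information" of footnote 5 and must live separately
    from the returned records.
    """
    pseudonymised = []
    lookup = {}
    for record in records:
        out = dict(record)
        for field in fields:
            if field in out:
                pseudo = derive_pseudonym(key, out[field])
                lookup[pseudo] = out[field]
                out[field] = pseudo
        pseudonymised.append(out)
    return pseudonymised, lookup


def reidentify(pseudonymised_record, lookup, fields=DIRECT_IDENTIFIERS):
    """Restore direct identifiers using the separately held table."""
    out = dict(pseudonymised_record)
    for field in fields:
        if field in out:
            out[field] = lookup[out[field]]
    return out


def guess_is_present(records, guess, key=None, fields=DIRECT_IDENTIFIERS):
    """Simulate testing a guessed e-mail address against the dataset.

    With the key the guess can be confirmed; without it the best an
    attacker can do is an unkeyed hash, which never matches a keyed one.
    """
    if key is None:
        candidate = hashlib.sha256(guess.strip().lower().encode("utf-8")).hexdigest()
    else:
        candidate = derive_pseudonym(key, guess)
    return any(r.get(f) == candidate for r in records for f in fields)


if __name__ == "__main__":
    k = new_key()
    recs, table = pseudonymise_records(SAMPLE_RECORDS, k)
    print(recs[0])                       # e-mail replaced by a hex pseudonym
    print(reidentify(recs[0], table))    # original record, using the table
    print(guess_is_present(recs, "alice@example.org"))       # False: no key
    print(guess_is_present(recs, "alice@example.org", k))    # True: with key
```

Two design points worth noting: the same person keeps the same pseudonym across rows, so the dataset stays usable for analysis (row 1 and row 3 above link), and the mapping is reversible only through the table or key that the data controller holds elsewhere; if those are stored next to the dataset, the processing is no longer pseudonymisation in the sense of footnote 5.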
The General Data Protection Regulation provides clarity and consistency of the rules to be applied.
Indeed, a single law for data protection will replace the current different national laws.
As a consequence, companies and organisations will only have to deal with one single supervisory authority (their national data protection authority), and the same rules will apply to all companies regardless of the Member State in which they are established.
Finally, in accordance with the provisions foreseen by the Data Protection Directive in the area of law enforcement:
- law enforcement authorities will be able to exchange data more efficiently and effectively;
- criminal law enforcement authorities will no longer have to apply different sets of data protection rules according to the origin of the personal data; and
- the European Union’s area of freedom, security and justice continues to be developed.
1 Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, 25.01.2012; and
Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, COM(2012) 10 final, 25.01.2012.
2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31-50.
3 Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350, 30.12.2008, p. 60-71.
4 “the data subject’s consent means any freely-given, specific and informed indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”, Article 4 (8) of the General Data Protection Regulation.
5 “means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person”, Article 4 (3b) of the General Data Protection Regulation.