The European Parliament has voted overwhelmingly in favour of the draft EU Data Protection Regulation, which will now need to be adopted by the Council of Ministers to become law.
The Regulation was first published in January 2012 by the European Commission and it will replace the current Data Protection Directive (95/46/EC). It will be directly applicable in all EU member states.
If adopted in its current form, some of the most significant changes will be as follows:
- Pan-European Law: businesses will be required to comply with a single, EU-wide data protection regime without the need for implementation.
- Single Supervisory Authority: the aim of the Regulation is to create a "one-stop shop" for businesses that operate in several Member States.
- Wider Territorial Scope: It will extend the territorial scope to cover the processing of personal data of data subjects in the Union by both data controllers and data processors not established in the Union where processing relates to: (a) the offering of goods or services to data subjects, irrespective of whether payment is required; or (b) the monitoring of such data subjects.
- Right to Erasure: where there are no longer legitimate grounds for retaining personal data, EU citizens will be given a right, in certain circumstances, to require data controllers to delete such data. Data subjects will also have a right to obtain from third parties the erasure of any links to, copies of and replication of their personal data where certain grounds apply.
- Data portability: Data subjects will have a right to "data portability", making it easier to transfer their personal data between service providers.
- Consent: where consent to process data is required, the Regulation provides that such consent must be given explicitly and cannot be assumed. Businesses will also be required to inform data subjects without undue delay about any data breaches that could adversely affect them.
- Data protection first, not an afterthought: the new rules will require that businesses build data protection safeguards into their products and services at the earliest stage of development, and that privacy should be the default setting.
- Fines: if the Regulation is adopted, companies that fail to comply with it will face stricter sanctions. Regulators will be able to impose fines of up to the greater of €100,000,000 or 5% of annual worldwide turnover (previously 2%).