The European Commission has published proposals for a comprehensive reform of the EU’s 1995 data protection rules, aimed at strengthening online privacy rights and boosting Europe’s digital economy. Proposed to be implemented by way of a regulation, this new single set of rules will be valid across the EU. Key changes include:
- The right for independent national data protection authorities to fine companies up to €1 million or 2% of their global annual turnover for breaches of EU data protection rules.
- A requirement for organisations to notify national authorities of serious data breaches as soon as possible (within 24 hours, if feasible).
- People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily.
- A new “right to be forgotten” whereby people will be able to delete their data if there are no legitimate grounds for retaining it.
- Businesses that have 250 or more employees will be required to appoint an independent data protection officer who will be responsible for monitoring data protection compliance.
- Wherever consent is required for data to be processed, it must be given explicitly, and can no longer be inferred or assumed.
- Businesses outside the EU that offer goods or services to, or monitor the behaviour of, EU citizens will also be required to comply with the rules.
The Commission's proposals will now be passed to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted.
For further information on these proposals please contact Beverley Flynn.