The main characteristics of the new EU DATA PROTECTION RULES
The current EU Data Protection laws date from 1995, from pre-Internet times. In 1993, the Internet carried only 1% of all telecommunicated information. Today, the figure has risen to more than 97%. Today personal data has become one of companies' most valuable assets: the market for analysis of large sets of data is growing by 40% per year worldwide. The Internet economy will continue to grow exponentially under one pre-condition: trust has to prevail.
Personal data is the currency of today's digital market. And like any currency it needs stability and trust. Only if consumers can 'trust' that their data is well protected will they continue to entrust businesses and authorities with it, buy online, and accept new services. Reliable, consistently applied rules make data processing safer and cheaper and inspire users' confidence.
This week, Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, will present her proposals for a reform of the EU's data protection rules. She has outlined the main characteristics of the new legislation. Currently, companies in Europe have to deal with 27 often conflicting data protection laws, with data protection authorities that apply the law in different ways. Legal uncertainty and legal fragmentation are a burden for those companies – both small and large – that want to do business in Europe's Single Market. This fragmentation of data protection laws in Europe is not only an extra cost for business; it also holds back economic growth and innovation. In addition, companies are very often burdened with red tape: cumbersome and costly notification requirements for processing data that bring no feeling of safety to citizens. On the contrary, privacy concerns are one of the most frequent reasons why people don't buy goods and services online.
To address all these challenges, the Commissioner will propose this week a comprehensive reform of the data protection rules. There will be two legislative texts to accomplish these goals:
- First, a Regulation to enhance opportunities for companies that want to do business in the EU's internal market, while ensuring a high level of data protection for individuals.
- Second, a Directive to ensure a smoother exchange of information between Member States' police and judicial authorities in the fight against serious crime while at the same time protecting people's fundamental right to data protection.
The new rules would help businesses in three ways:
i). Firstly, they create legal certainty.
ii). Secondly, they simplify the regulatory environment.
iii). Thirdly, they provide clear rules for international data transfers.
As regards the first point: legal certainty:
Instead of a patchwork of 27 different rules in 27 countries, there will be one law that will apply to all Member States in the European Union and to all companies which are offering their goods and services to consumers in the EU – even if their servers are based outside of the European Union.
The directly applicable Regulation will create a strong, clear and uniform legislative framework that will help unleash the potential of the Digital Single Market. It will do away with fragmentation, which will save businesses around 2.3 billion euros per year. The new Regulation will remove barriers to market entry – a factor of particular importance to small and medium-sized enterprises.
The savings will be achieved by a series of measures. First, by simplifying the regulatory environment and by drastically cutting red tape. No more general notification requirements. Instead, companies across Europe will themselves be responsible and accountable for the protection of personal data in their business field. They will have to appoint a data protection officer – a requirement that businesses here in Germany are already very familiar with. The scrapping of the general notification rule alone brings about savings worth 130 million euro a year.
As regards the second point: simplifying the regulatory environment:
Second, there will be a regulatory 'one-stop-shop' for businesses for all data protection matters. A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority: the data protection authority of the Member State in which the company has its main establishment.
It will not matter anymore which data protection authority deals with a case. All data protection authorities in whichever EU country will have the same adequate tools and powers to enforce EU law. Data protection authorities should be able to deal with complaints, carry out investigations, take binding decisions and impose effective and dissuasive sanctions, whether the French, the Irish, the Romanian or the Bavarian data protection authority is in charge of a case. This will give the legislation the necessary 'teeth' so the rules can be enforced.
Data protection authorities must be independent from political and economic interests and have sufficient resources to do their job. They will need to work closely together – especially in cross-border cases – to make sure that the rules are enforced consistently across Europe.
As regards the third point: clear rules for international data transfers:
The third element to ease burdens on companies is to ensure clear rules for international data transfers. In a world where the free flow of data is fundamental to business models and physical boundaries are meaningless, we need to rethink the way we transfer data. It seems odd that data held by a European company is adequately protected whilst it is inside the borders of the European Union, but not when it is transferred to a different part of that same company in Asia or South America, even when there are safeguards in place. In the Internet age, data protection laws need to take account of this global dimension. If they only focus on the activities of a company within a given country, they will not reflect reality.
Personal data can be collected in Berlin and processed in Bangalore. The Commissioner therefore wants to improve the current system of binding corporate rules to make these exchanges less burdensome and more secure. She will propose a consistent and streamlined approval process with a single point of contact for companies. And once the binding corporate rules are approved by one data protection authority, they will be recognised by all the data protection authorities in the European Union. There should be no need for additional national authorisation in case of further transfers.
The reform will give individuals better control over their own data. The new rules will include easier access to one's own data. People must be able to easily take their data to another provider or have it deleted if they no longer want it to be used.
The new rules will provide for data portability. Another important way to give people control over their data is the right to be forgotten. The rules will clarify that people shall have the right – and not only the 'possibility' – to withdraw their consent to the processing of the personal data they have given out themselves. If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from the controller's system.
The right to be forgotten is of course not an absolute right. There are cases where there is a legitimate and legally justified interest to keep data in a database. The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right to the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media. The new EU rules will include explicit provisions that ensure respect for freedom of expression and information.
Finally, individuals must be swiftly informed when their personal data is lost, stolen or hacked. Whether user data gets stolen from an online gaming service, or credit card details are hacked on a firm's website: these security breaches affect millions of users around the world. There have recently been many serious data breach incidents, which highlight why companies need to reinforce the security of the information they hold. Frequent data security breaches risk undermining consumers' trust in the digital economy. The new Regulation will introduce a general obligation for data controllers to notify data breaches.
Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay.
The Commissioner has indicated: "For some time there has been a heated debate about the freedom of the Internet. According to the Fundamental Rights Charter, the freedom of expression and the freedom of information are basic rights for the European citizens. They are directly linked to a free internet which has thus to be preserved. But those are not the only freedoms. The right of the creator to the content and fruits of his creation is equally important. This right also has to be preserved.
In order to achieve this, European policy aims at equilibrating the respect of both rights. Freedom of information and copyright must not be enemies; they are partners!
The protection of creators must never be used as a pretext to intervene in the freedom of the Internet. That is why for Europe, blocking the Internet is not an option."
Extract from: Viviane Reding, Vice-President of the European Commission, EU Justice Commissioner: The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age, SPEECH/12/26, 24/01/2012