The EC data protection directive is nearly 16 years old and in dire need of reform. Brussels has been on the case for a while, but the precise nature of the suggested reforms had not been revealed. That is, not until mid-December 2011, when a copy of the draft instrument amending Directive 95/46/EC was supposedly leaked. Mark Smith reports.
Who: European Commission
When: 7 December 2011
Law stated as at: 9 January 2012
Last month the European Commission’s planned proposals regarding amendments to existing EU data protection laws, due to be released at the end of January 2012, were leaked and posted on www.statewatch.org.
The proposals represent the first significant update of EU data protection legislation since 1995 and follow the European Commission's investigations into the functioning of the current legislation. Clearly there have been significant developments since the mid-nineties, such as the emergence of social media and online behavioural advertising, which have brought a dramatic increase in the scale of data collection and sharing.
Some of the key changes the current proposals would bring if adopted include the following:
- eye-watering fines of up to 5% of global turnover;
- mandatory requirement to appoint a Data Protection Officer for companies of more than 250 employees;
- security breaches must be notified to data protection authorities within 24 hours of the breach being established;
- the so called ‘Right to be forgotten’ to be introduced entitling individuals to require websites to delete information published about them;
- obligations to carry out audits and privacy impact assessments to be enshrined in law;
- explicit prior consent required before any personal data, including IP addresses, are processed for direct marketing purposes;
- specific child-focused laws to apply to those under the age of 18;
- the laws would apply to activities targeted at individuals resident in the EU, whether or not the systems used or the data controller are located in the EU.
The proposals are currently being worked on by the European Commission prior to their official publication scheduled for late January 2012. They will then have to be debated and approved by national governments. The whole process of finalising the new laws is likely to take some time, maybe two years or more, with a further two year period before they would come into effect.
Why this matters:
Even if the leaked proposals are changed significantly before they are implemented, they provide a real insight into how the EU intends to regulate in this area going forward. Inevitably compliance costs will increase as the collection, use and sharing of personal data becomes ever more regulated.
Parallels can be drawn with the EU's bullish approach to competition law, breaches of which can result in fines of up to 10% of a company's turnover. In 2009, for example, these powers resulted in Intel being issued with a fine of around $1.5bn. Bearing this in mind, it would be prudent for many organisations to start moving data protection issues higher up their list of priorities.