European Commission Presents Data Protection Reform

On 25 January 2012, the European Commission proposed a legislative package to reform the European data protection rules. The package includes (i) a proposal for a Regulation to replace the existing Directive 95/46/EC of 24 October 1995 (the “proposed Regulation”); and (ii) a proposal for a Directive setting out rules on the protection of personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities (the “proposed Directive”).

In her presentation of the package, Commissioner Reding announced that the proposed Regulation would provide a harmonised set of rules throughout the EU and thus eliminate the difficulties that arise from the current differences in national laws. In addition, the proposed Regulation would strengthen the rights of data subjects and reduce the administrative burden for companies by, inter alia, limiting notification obligations.

Nevertheless, the proposed Regulation also introduces a number of new obligations. For instance, companies with more than 250 employees will have to appoint a data protection officer and keep documentation of data processing activities. Moreover, certain processing operations will require a prior “data protection impact assessment”.

In addition, companies will have to report data breaches “as soon as possible” (i.e., within 24 hours, if feasible) to the competent data protection authorities and inform the affected data subjects.

Finally, national data protection authorities are granted the power to impose fines of up to €1 million, or, in the case of companies, up to 2% of the company’s annual worldwide turnover.

The proposed Regulation and the proposed Directive now continue their course in the European legislative process through the European Parliament and the Council of Ministers before final texts (which may differ significantly from the current proposals) are signed into law. This process is expected to take between 1 and 2 years. Once adopted, the proposed Regulation provides for a 2-year transition period before it fully comes into force.

A copy of the proposed Regulation and proposed Directive, as well as a number of accompanying documents, can be found here: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm.