EU Data Protection Reforms Are a Big Deal
As expected, the European Commission has released two principal documents outlining proposed reforms of the EU’s 1995 data protection rules. As promised last week, I will do my best to put them into context for IT professionals. First off, by all accounts the proposal appears to be relatively close to what was leaked in November, so there are no big surprises in it. That doesn’t mean it isn’t a big deal, though: it is.
At least it has the potential to be. It’s important to remember that the next step is for the Commission’s proposals to go to the European Parliament and the EU Council of Ministers for discussion. Then, if passed as is (which is unlikely), they would take effect two years after adoption.
With all that in mind, the key points from the proposed reforms follow. Keep in mind that I’m not a lawyer, I’m an IT professional, so provisions in the document that may be important in other respects but not to me aren’t mentioned here.
- EU rules would apply to any personal data handled abroad by organizations that are active in the EU market and offer their services to EU citizens.
- Organizations would no longer be able to rely on implicit consent. If they plan to gather any personal data, they would have to get explicit consent from the data subjects.
- Individuals would have a right to be forgotten, requiring organizations to delete data on a person upon request if there are no legitimate grounds for retaining it.
- Organizations would be expected to follow “Privacy by Design” principles. Simply put, an organization would have to integrate privacy considerations into all aspects of design, development and maintenance.
- Organizations would be expected to notify the proper authorities within 24 hours of detecting a data breach and to communicate it to the affected data subjects without delay.
- Organizations would be exposed to penalties of up to €1 million or up to 2% of a company’s global annual revenue.
The big items to consider are the need to get explicit consent, the breadth of applicability to multinationals doing business in Europe, and the right to be forgotten. I would strongly suggest that you start planning to account for these provisions sooner rather than later, where possible.
As one expert noted:
Given the energy, speed, and determination with which the reform of the EU data protection regime has been handled, it is likely that the final documents should be substantially similar to what was published on January 25, 2012, and that a final vote will take place sooner rather than later.