Background

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified

3. Compliance with these rules shall be subject to control by an independent authority.

Since the adoption of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data a lot has changed in the area of data protection, notably technological developments, increased collection and processing of personal data for law enforcement purposes with a patchwork of applicable data protection rules and globalization of markets and cooperation. Furthermore the directive has failed to achieve a proper harmonisation due to the different implementation of its provisions in the Member States. In this context it has become increasingly difficult for individuals (‘data subjects’) to exercise their right to data protection. This problem is particularly visible as regards social networking sites like Facebook and surveillance measures like the use of telecommunication data (Data retention) and Passenger Name Records for law enforcement purposes. Furthermore it has hampered the development of the Single Market with companies (controlling or processing personal data, ‘data controllers’) and consumers facing differences in data protection requirements. There is also a concern regarding the protection in particular sectors, such as employment

Since the entry into force of the Lisbon Treaty the Union has an explicit legal basis for data protection covering processing of personal data in the public and private sector but also in the context of law enforcement (resulting from the collapse of the pre Lisbon “pillar structure”). The Commission has now used this legal (article 16 (2) TFEU) to present proposals for a revision of the Union's data protection framework. It proposes a Regulation (COM (2012)11) that will replace Directive 95/46 and amend Directive 2002/58/EC on E-privacy and a Directive (COM(2012)10) that will replace Framework decision 2008/977/JHA on the protection of personal data processed for the purpose of prevention, detection, investigation or prosecution of criminal offences.

The fact that the Commission chose to replace Directive 95/46 with a (directly applicable) Regulation should reduce the fragmented approach to data protection among Member States. It did however choose to leave quite some room for Member States to maintain or adopt specific rules (e.g. regarding the public interest (article 21), freedom of expression, professional secrecy, health and employment (articles 80-85) and for the Commission to adopt delegated and implementing acts, such as on the threshold for a data breach notification.

Furthermore the Commission failed to deliver a comprehensive system of data protection as Parliament called for in the Resolution 2011/0323 adopted on 6 July 2011. The Regulation does not cover law enforcement cooperation (on which the separate Directive is proposed). Furthermore data protection rules for EU institutions and bodies based on Regulation 45/2001 are excluded from its scope. Processing by Europol and Eurojust and data processing within the context of Common Foreign and Security Policy are also excluded.

This leaves legal uncertainty as regards rights and obligation in borderline issues, for instance where commercial data is used for law enforcement purposes and transfers between authorities that are responsible for law enforcement and those that are not. Further clarification, for instance in article 21, is needed.

The proposed regulation will be applicable to EU and non-EU companies. It  will therefore have an extra-territorial effect, meaning that it will apply to controllers that are not established in the EU but are active in the market of the EU by offering goods or services to data subjects residing in the EU or by monitoring their behaviour.

The Regulation clarifies and strengthens a number of data protection rights and principles in the light of technological changes and globalization.

The inclusion of a transparency requirement (articles 11, 14) leads to stricter obligations to inform data subjects. It is also specified that accordance with the principle of data minimization the collection of and processing personal data should be limited to a minimum. Furthermore the data controller has to demonstrate compliance with the Regulation. The principle that data should be limited for a specific purpose and must not be further processed in a way incompatible with the purposes for which they have been collected.

The requirements for obtaining consent of the data subject for data collection and processing are clarified (article 7). Consent has to be given explicitly (‘opt-in’).  For children under the age of 13 the parent’s consent is explicitly required before data collection and storage is allowed.

The right of access is strengthened by imposing deadlines and the duty to motivate a refusal to grant access. Furthermore the right to erasure has been strengthened into a ‘right to be forgotten’ (article 17). Data subjects will be able to demand that the data controllers take all reasonable steps to ensure deletion of their data if there are no legitimate grounds for retaining them and especially where those data have been published and republished online. There has been some controversy around this provision, particularly as regards its enforceability, the relationships with the freedom of expression and burdens on business.

In addition a right to data portability is introduced (article 18). This right is designed to facilitate an individual's access to personal data and ensure that people will be able to transfer personal data from one service provider to another more easily.

There is a fear that the rules on profiling will be difficult to understand and apply in practice. The regulation only imposes limits on automated processing of personal data (article 20), which results in decisions adversely affecting the person or are based on sensitive data. This ensures that human intervention remains necessary. It does however not prohibit the sorting of people based on profiles as such.

An important element of the proposal is a shift from notification requirements to the data protection authorities to practical compliance and individual empowerment (article 22). The regulation furthermore introduces the obligation to keep documentation of all processing operations (article 28), to notify security breaches (articles 31,32) and to perform a data protection impact assessment (article 33).

The proposed Regulation sets out obligations of the controller arising from the principles of privacy by design and by default (article 23 (1) and (2) respectively). “Privacy by design” means that data protection safeguards should be built into products and services from the earliest stage of development. “Privacy by default” means that the default setting should be those that provide the most privacy.

The article on data protection by design and default is important to ensure that for instance the privacy settings of social networking platform allow the data subject the choice to opt for more intrusive use of its personal data then strictly necessary for the simple use of it.

The security breach notification builds on article 4(3) of the E-privacy directive. If data is accidentally or unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorised persons, organisations will have to notify both individuals and the relevant supervisory authority, where feasible within 24 hours. It will have to be debated how realistic the 24 hour threshold is.

In accordance with article 35 of the proposal data controllers or processors with more than 250 employees or whose core business it is to process personal data will have to appoint a data protection officer to monitor internal compliance with the regulation. The benchmark of 250 employees has been criticised for being either to high (effectiveness) or too low (costs). It is unclear whether the number of employees is the right standard to be applied.

The provisions relating to the third country data transfers are modified compared to the existing rules. As an example, the current prohibition of any transfer to countries that are not deemed adequate is replaced by a general principle that transfers can take place only if the conditions for transfers set fourth in the proposal are met. As hitherto, the Commission’s power to adopt decisions recognising the adequacy or the non-adequacy of a third country, will be maintained, but will now also involve international organisations and sectors. In the absence of an adequacy decision, the controller or processor should take appropriate safeguards measures such as binding corporate rules, standard data protection clauses adopted by the Commission or by a supervisory authority.

The proposed Regulation implements a “one-stop-shop” approach to data protection compliance in the EU (article 51). The new competence as lead authority in case that a controller or processor is established in several Member States will ensure unity of application. The one-stop-shop will apply to organisations as well as to data subjects. Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. A data subject will be able to refer to the data protection authority in their country, even when their data is processed outside their home country.

The independence and the powers of supervisory authorities will be strengthened as regards investigative powers and sanctions. They will be able to impose fines of up to 1 Million Euro or 2% of global annual turnover of a company for violation of data protection rules. They will furthermore receive enhanced funding.

Cooperation between DPAs will also be strengthened in the context of a European Data Protection Board (which is to replace the current "article 29 Working Party"). The Board will consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor.