European Commission Releases Formal Proposal on Data Protection Reform

By Robert Stankey and Adam Shoemaker

On Jan. 25, 2012, the European Commission released the final version of its proposed revisions to the European Union’s data protection framework. The package of changes represents a comprehensive reform of the EU’s 1995 data protection rules.

Significant changes include:

  • A “right to be forgotten,” which would give individuals a right to demand that user data be permanently deleted from websites;
  • A requirement that websites obtain explicit consent from users to permit the storage and use of their personal data (and allow for revocation of consent);
  • A requirement to provide notifications about data breaches to data protection authorities and individuals within 24 hours of discovery; and
  • A right for individuals to request that their personal data (such as posts, contacts, and pictures on a social network) be moved from one online service to another.

Fines for violation of the new regulation can be as high as two percent of a company’s worldwide gross income.

The proposals on breach notification are intended to catch Europe up with requirements in the U.S. Mandatory breach notification requirements are not common in Europe and fines for security breaches have been modest at best. Regulatory penalties are the primary enforcement mechanisms in the EU as there is no class action litigation.

To address criticism of the lack of consistency in the implementation of data privacy rules across Europe, the Commission has proposed that the data protection rules take the form of a new Regulation, rather than a revised Directive as was done in 1995. This means that there will be a single set of rules that will apply across Europe, replacing separate data protection laws in each of the more than 30 countries that have adopted the European framework. A European Regulation has direct effect in EU countries. Consequently, companies that relied on countries with more business-friendly data protection regulators and judicial interpretations of the law will find less room to maneuver under the new framework as continental European interpretations take greater hold.

While several of the changes have already attracted the attention of the media due to their potentially wide-ranging impact on the Internet, the proposal also includes significant changes to:

  • Make more non-EU websites subject to the rules (by merely offering goods and services to Europeans);
  • Clarify which national privacy rules are applicable within the EU (based on the location of an organization’s “main establishment”);
  • Eliminate some bureaucratic compliance obligations (e.g. registration and other filings with national data protection authorities); and
  • Require more organizations to have data protection officers.

The intense lobbying that began last year on the revision of the framework will continue this year, but the Commission’s formal proposal is significant as it frames the boundaries of the likely results of the policy debate.

The Commission’s data protection proposal will now be passed on to the European Parliament and EU member states for discussion and negotiation, and will not take effect until two years after full adoption.

The final draft can be read here.

Detailed information about the proposal and supporting materials is available here.