Uniform data protection law planned for the EU
The uniform data protection law planned by the EU Commission will create savings for businesses of 2.3 billion euro annually whilst ensuring the protection of citizens' data and strengthening consumer rights. In Brussels on January 25th 2012, Viviane Reding, vice-president of the EU Commission and Commissioner for Justice, put forward the Commission's proposal for a specific directive on the protection of personal data and a regulation setting out the general EU framework for data protection.
Due to its differing implementation among the 27 member states, the current Data Protection Directive, which dates from 1995, has led to a fragmented law on data protection. The new, unified law will make business activity more straightforward and less expensive, not just as a result of the uniform legal domain, but also in terms of its formulation. The proposals also include the simplification of notification obligations. Cross-border trade will also be supported, leading to an increase in consumer trust in online services.
The protection of personal data poses an urgent problem. Reding said: "The protection of personal data is a basic right of all Europeans, but EU citizens have not always felt that they have complete control over their personal data." Under these new rules, every citizen will have the right to delete their own data where there are no longer any legitimate grounds for retaining it. There will also be a right to transfer data when changing service provider, that is, a right to data portability. In addition, the EU rules will apply to companies that are based outside the EU but active in the EU. The national authorities will remain the point of contact for citizens, including in relation to companies outside the EU.
The national data protection authorities will remain in existence with strengthened powers, notwithstanding the unified law. They must be informed immediately – if possible, within 24 hours – if there is a serious breach in the handling of personal data. They are also the sole point of contact in each EU country for organizations with their headquarters in that country.
So that the new law can be implemented effectively, national data protection authorities will be empowered to impose fines on companies that breach the EU data protection rules. The level of the fine may be up to one million euro or two per cent of the annual turnover of a company.
Once they have been approved by the European Parliament and the EU Council of Ministers, the new data protection rules will come into effect two years later.