Reform of data protection rules
European citizens should soon enjoy greater protection of their personal data. Similarly, the business community should soon be rewarded with less bureaucracy when complying with data protection rules. These are the two objectives that the European Commission has claimed that it is striving to achieve by proposing an overhaul of the current legal regime regulating data protection.
70 per cent of European citizens are concerned that their personal data might be misused - Mariosa Vella Cardona
Personal data refers to any information relating to an individual, irrespective of whether it relates to his or her private, professional or public life. Anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information can be termed as personal data. Many consider even location data or online identifiers, such as cookies, as personal data. In the course of our daily life, we continuously pass on such information to service providers such as banks or insurance companies as well as to social media sites and search engines. Indeed, technological progress has radically changed the way that data is collected and processed. With social networking sites, cloud computing, location-based services and smart cards, we leave digital traces with every move that we make.
The Commission’s recent proposals aim at revamping current EU data protection rules which date back to 1995, a time when the potential of the internet had not yet been fully exploited. To add insult to injury, these rules have not been implemented in a uniform manner by the 27 member states, giving rise to divergences in enforcement, to the detriment of cross-border traders who are required to comply with more than one set of rules.
The Commission has now published a single set of rules which shall be applied in a uniform manner across the EU. These rules consist of a regulation setting out a general EU framework for data protection and a directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
A number of reforms seek to empower citizens in the protection of their personal data whilst others seek to facilitate life for the business community. Thus, for example, in so far as individuals are concerned, a reinforced “right to be forgotten” will help people to better manage data protection risks online since individuals will have the right to delete that personal data which they would no longer like to share, if there are no legitimate reasons for retaining it. There will also be an expiry date for the use of such information by those holding the data.
The new rules now clearly lay down that whenever consent is required for data to be processed, such consent has to be given explicitly, rather than assumed. Citizens will also be granted easier access to their own data and be able to transfer personal data from one service provider to another more easily. People will be able to refer cases, where their data has been breached or rules on data protection violated, to the data protection authority in their country, even when their data is processed by an organisation based outside the EU. Indeed, EU rules will apply even if personal data is processed outside the EU but by companies that are active in the EU market.
On the other hand, the business community will get to enjoy greater legal certainty through the implementation of a single set of rules across Europe. These new legislative measures will bring about a shift in the obligations which currently devolve on all those companies which collect and process personal data. The current obligation of enterprises to notify all data protection activities to data protection supervisors has been replaced by a provision for increased responsibility and accountability for all those who process the personal data of individuals. All enterprises and organisations must notify the national supervisory authority of serious data breaches as soon as possible and ideally within 24 hours.
Currently, businesses are supervised by a different authority in each member state where they are established. This is set to change with the proposed legislative measures. In terms of the recently proposed rules, companies will only have to deal with a single national data protection authority in that EU country where they have their main establishment. This “one-stop-shop” approach is intended to simplify the way businesses and citizens interact with data protection laws and to give incentives to entrepreneurs to trade and invest cross-border within the EU’s internal market.
The new legislation will in turn empower independent national data protection authorities to fine those companies which violate EU data protection rules. Such penalties can amount to hefty sums of up to €1 million or up to two per cent of the global annual turnover of a company.
The Commission’s proposals will now be discussed within another two fora, namely, the European Parliament and the Council of Ministers. The regulation will be enforceable in all member states two years after its adoption and similarly member states will also have a two-year period within which to transpose the directive.
The proposed measures have received a mixed reaction from different stakeholders. Whilst on a general note it may be said that these measures have been applauded for creating greater legal certainty, eliminating certain bureaucratic requirements and ensuring a level playing field for all companies irrespective of the state wherein they are established, the digital industry at large is sceptical as to how these rules will operate in practice. On the other hand, it may be said that, generally speaking, consumer associations have shown their approval of this radical reform embarked upon by the Commission.
Statistics show that 70 per cent of European citizens are concerned that their personal data might be misused. If and when adopted, the new legislative measures will go far in allaying such concerns as well as in seeking to boost consumer confidence in the use of online services. Whether all this will be achieved without a hitch in the smooth provision of such services, for the benefit of industry and consumer alike, is however highly debatable.
mariosa@vellacardona.com
Dr Vella Cardona is a practising lawyer and a freelance consultant in EU, intellectual property, consumer protection and competition law. She is the deputy chairman of the Malta Competition and Consumer Affairs Authority as well as a member of the National Commission for the Promotion of Equality.