The European Commission’s proposal for a reform of the EU framework on data protection and the addition of new regulation is currently being debated by the Council of Ministers and the European Parliament.

The European Parliament is working on the proposed Data Protection Regulation as well as a directive regarding data processing in law enforcement. The proposals will reform the 1995 Data Protection Directive, whose uneven implementation in member states has led to different levels of data protection across the EU.

The key changes are: the ‘right to be forgotten’ principle, ensuring personal data can be deleted if so desired by that person; the need for explicit, rather than assumed, consent; the right of data portability; the establishment of single national data protection authorities and an enhanced notification procedure (now within 24 hours of breach awareness).

The main impact for private operators comes in the area of sanctions. Most importantly, the new regulation takes a one-size-fits-all approach to sanctions that does not discriminate between the type and severity of violations and therefore makes no exceptions in the case of first or unintentional non-compliance. Furthermore, the proposals do not make provisions for a warning or reprimand system, or for the consideration of mitigating factors in a case of non-compliance.

The notification procedure is also problematic: without an adequate amount of time to investigate a data security breach, it would be impossible to determine exactly who has been affected, so companies could be forced to provide more information than they need to.

A particular burden for SMEs is the administrative and monetary cost of training and employing a data protection officer within a small business, particularly as these resources could be used to greater effect for the growth and expansion of the company. Those who see the proposals as being especially burdensome for SMEs are asking for the adoption of the original text presented by the European Commission, in which companies employing 250 people or fewer were exempted from designating a data protection officer.

Voting on the Albrecht report has now been delayed twice in the European Parliament. The report would tighten the measures previously proposed by the Commission and, as a result, make the new Data Protection framework much more burdensome for companies. The vote was delayed due to the news of the PRISM programme and its effect on US-EU data-sharing relations. MEPs may still propose amendments and the vote is due to take place after the summer break.

For more information on EU business affairs, contact the Malta Business Bureau on info@mbb.org.mt or call 2125 1719.

Omar Cutajar is the Malta Business Bureau’s permanent delegate in Brussels.
