
The European Commission has drafted an update to the EU data protection law, the first overhaul since its implementation in 1995. The changes would introduce a single set of rules on data protection, valid across the EU—a move the Commission says will save businesses some €2.3 billion a year in administrative costs.
Among the changes, the reforms set out more stringent rules regarding data breaches; companies must notify the national supervisory authority of serious data breaches as soon as possible, and within 24 hours “if feasible”. Companies with more than 250 employees, whose core business involves processing activities, will also be obliged to appoint a data protection officer. Should the new proposals come into force, companies that violate them could be fined up to 2 percent of their global annual turnover.
Other proposals include harmonisation of administration requirements; there will be one set of rules across the EU and organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Further, EU rules must apply if personal data is handled abroad by companies that are operationally active in the EU market.
In a significant update, individuals will be given more rights regarding the way their data is processed. They will also have a “right to be forgotten”, giving them powers to delete their data if there are “no legitimate grounds for retaining it”. This data can include anything from an individual’s name and email address, to bank details or even posts on social-networking websites.
As an individual’s consent has to be “given explicitly, rather than assumed” for their data to be processed, this will have far-reaching implications for marketers. “UK businesses need to be worried about the potential impact of the Data Protection Regulation on their ability to market their goods and services to consumers. Severe restrictions on the way in which they can use personal data for marketing purposes will be hugely damaging to sales,” said Chris Combemale, executive director of the UK’s Direct Marketing Association.
The DMA says it’s particularly concerned about the draft text regarding the right to be forgotten. It says the current draft is unclear on whether the use of suppression files, which are used to allow consumers to opt out, will be exempt from the “right to be forgotten”. Combemale added, “We fully appreciate the need for data protection rules to be in place to build consumer trust in sharing their information with companies, but getting this balance wrong will have terrible financial consequences to UK plc”.
The proposals will now be discussed by the European Parliament and EU member states, and if adopted, will come into effect two years later.