Strengthening personal data protection

The overall aim here is to modernise existing EU data protection legislation by adapting it to the challenges of globalisation and the use of new technologies (e.g. social media) whilst better protecting the rights of individuals.

ACT

Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [COM(2012)11 final - Not published in the Official Journal].

SUMMARY

The European Commission has made legal proposals to strengthen the protection of personal data across the EU. The aim is to replace an existing general law (Directive 95/46/EC) on data protection with a new general law and to replace another law (Framework Decision 2008/977/JHA) with a new law setting out data protection rules where data is used to tackle crime.

Personal data comprises all information relating to an identified or identifiable person, either directly or indirectly.

The EU's data protection reform proposals consist of two main laws. One proposed law (a Regulation) is to boost the protection of individuals' personal data and to increase their level of trust in the digital environment.

The other proposed law (a Directive) is to step up the level of protection of individuals' personal data when it is being used to tackle crime. The law also aims to boost trust among law enforcement authorities so that they can exchange personal data in order to tackle crime.

EXAMPLES OF KEY ELEMENTS OF THE REGULATION

Right to have personal data deleted, to move it and to understand how it is handled

The Regulation will improve individuals' ability to control their personal data by, among other things

• giving internet users the right to have their personal data deleted e.g. if they withdraw their consent and if there are no other legitimate grounds for retaining the data (the 'right to be forgotten');
• the freedom to move their data from one service provider to another without hindrance;
• reinforcing the right to information so that individuals better understand how their personal data is handled, particularly when the processing activities concern children.

Helping individuals to exercise their rights

The Regulation will also make it easier for individuals to exercise their rights by

• helping national data protection authorities so that they are properly equipped to deal effectively with complaints, with powers to carry out effective investigations, take binding decisions and impose effective and dissuasive sanctions;
• making it easier for individuals to take action (e.g. legal action via a court) when data protection rights are violated.

Reducingthe risk of data security breaches

The Regulation will boost data security by:

• encouraging the use of technologies which protect the privacy of information by minimising the storage of personal data;
• introducing a general obligation for data controllers (those private or public sector organisations who process individuals' data) to notify data breaches without undue delay (within 24 hours where feasible) to both data protection authorities and the individuals concerned.

It will also require that data controllers designate a Data Protection Officer in companies with more than 250 employees and in firms which are involved in processing data where there are risks to the rights and freedoms of individuals. These same organisations will also have to carry out Data Protection Impact Assessments.

RELATED ACTS

Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. [COM(2012)10 final - Not published in the Official Journal]

Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Safeguarding Privacy in a Connected World - A European Data Protection Framework for the 21st Century. [COM(2012)9 final - Not published in the Official Journal]

Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions - A comprehensive approach on personal data protection in the European Union [COM(2010) 609 final - Not published in the Official Journal].

Last updated: 17.03.2014