26 January 2012

European Commission proposes data protection overhaul

The European Union's executive arm, the European Commission, has proposed an extensive revision of the bloc's data protection rules, saying that it will "future proof" the legislation.

The proposals would see data protection legislation from 1995 updated. The Commission said the modernisation was needed because "technological progress and globalisation have profoundly changed the way our data is collected".

Under the Commission's plans, the current framework EU law, which is implemented differently by the 27 EU member states, would be replaced by a uniform regulation that would take equal effect across the bloc. The Commission said that would reduce administrative burdens for companies and would save €2.3 billion annually.

Other changes would include greater rights for individuals to access and transfer data held on them, and a ‘right to be forgotten’, meaning a right for individuals to have online data about them deleted.

EU Justice Commissioner Viviane Reding said the overhaul of the legislation would build greater trust in online services.

"The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data," and reform will mean that "people will be better informed about their rights and in more control of their information," she said.

The new law must be approved jointly by the European Parliament and EU Council, which represents member states, before it is adopted.

Specific proposals

The specific plans outlined by the Commission include:

  • Instead of the current obligation for all companies to notify all data protection activities to data protection supervisors (a requirement that has led to unnecessary paperwork and costs businesses €130 million per year), the proposal provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability).
  • A 'right to be forgotten' will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2 percent of the global annual turnover of a company.
