As part of modern life, we can lose sight of how much we reveal about ourselves to the world (think social networking sites and store loyalty cards). For businesses and other organisations that make use of personal information, managing the use of the information lawfully can be a real headache, particularly for those with an international dimension to their business and multiple regimes to adhere to.
The European Commission has issued proposals to strengthen and simplify the existing data protection laws that apply across the European Union. The intention is to boost Europe’s digital economy by reviving consumer confidence in their online privacy rights. Introduction of a ‘one-stop shop’ for data protection is proposed to achieve that outcome by replacing the current fragmented and differing systems in each country.
As well as giving consumers greater uniformity of protection, the proposals will save business an estimated €2.3 billion a year in administrative costs. While business will certainly welcome a standard approach across the EU, there will also be a concern to ensure that the desire to boost consumer confidence in online privacy rights does not detract from the efficient use of personal information for legitimate purposes.
The key reforms proposed include:
- A uniform set of rules across the whole EU, removing legal uncertainty and inconsistency across Member States, cutting the volumes of paperwork for businesses, and overcoming a disincentive and cost to businesses expanding into new areas of the Single Market;
- Companies will deal with a single national Data Protection Authority (DPA) in the EU Member State where they have their principal place of business, and that DPA’s decisions will be binding across the EU area;
- Serious breaches, such as theft or accidental release of data, should be reported to the DPA within 24 hours (if feasible) and to individuals without undue delay; and
- Individuals will have to give explicit consent to data processing or reuse, and they will have greater rights in terms of transferring personal data between service providers and deleting data which is no longer required.
However, these proposals are only as good as the enforcement they receive (if they become law). DPAs will have stronger investigative and sanctioning powers, including the ability to fine up to €1m or 20% of global turnover of the company for breaches.
For companies which operate branches outside the EU, but contract with individuals within the Single Market, or process their personal details outside the EU, it is proposed that Binding Corporate Rules (BCR) are introduced to ensure uniformity of protection, regardless of organisations’ internal arrangements. BCR will be approved by one DPA only, which will considerably simplify the process.
As with any EC legislative proposal, it will be years rather than months before the proposals are consulted upon, amended, voted upon and implemented. However, the proposal does provide some hope that the regulatory burden on businesses trading across Europe may be eased somewhat in the future.
We will keep you updated with data protection developments. In the meantime, if you would like professional advice about any of these matters, please contact us at 01382 229222.

Kelly Craig, Solicitor – Corporate & Commercial