New Version of Draft Data Protection Directive and Regulation Unveiled in Brussels

Posted by fgilbert on January 25th, 2012

This morning, Mrs. Viviane Reding, Vice-President of the European Commission, unveiled the long awaited documents that are intended to frame the new data protection regime in the European Economic Area, after final approval. There are two principal documents, and a series of background papers:

The next step is for these documents to be discussed by the European Parliament and the EU Member States meeting in the Council of Ministers for discussion. The rules will take effect two years after they have been adopted.

A cursory comparison with the most recent draft of the Regulation – Draft 56, which had been leaked in late November 2011 – shows mostly technical changes resulting from careful proofreading. However, there are also significant changes. For example, the maximum level of penalties has been lowered from 5% of annual turnover to 2%. The security breach must be disclosed within 24 hours if feasible, and to the individuals ‘without undue delay’ (the prior draft included a 24 hour notice requirement).

Key aspects of the Draft Regulation include:

Data Subjects would have more rights:

  • Wherever consent is required for data to be processed, it would have to be given explicitly, rather than assumed.
  • Individuals would have a “right to data portability,” which would allow them to transfer personal data from one service provider to another more easily.
  • Individuals would have a “right to be forgotten” which would allow them to obtain the deletion of the data that they furnished online if there are no legitimate grounds for retaining it (with exceptions).
  • Individuals would be able to refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.

Organizations would have more obligations and responsibilities:

  • Organizations would be required to conduct Privacy Impact Assessment, and to bake privacy into their developments and their product and services to fulfill their ‘Privacy by Design’ and ‘Privacy by Default’ obligations
  • Organizations would be required to notify the national supervisory authority of data security breaches if feasible within 24 hours; and if the breach would adversely affect the protection of the personal data or privacy of individuals, the controller would be required to communicate the personal data breach to the data subjects without undue delay.
  • Organizations would only have to deal with a single national data protection authority in the EU country where they have their main establishment.
  • Organizations would no longer have to notify their data protection practices to national data protection authorities, but would still have to obtain permission for some categories of processing.
  • Instead of notification, there would be increased responsibility and accountability for those processing personal data; including significant disclosure and record keeping requirements.

EU rules would apply after crossborder transfer of personal data:

  • EU rules would apply if personal data were handled abroad by companies that are active in the EU market and offer their services to EU citizens.

Enforcement would be strengthened:


  • Organizations would be exposed to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • The role of national Data Protection Authorities would be strengthened so they can better enforce the EU rules at home.

These documents will now be discussed by the European Parliament and EU Member States meeting in the Council of Ministers for discussion. Thus, it is likely that there will be more opportunities for discussion, changes, and modifications of the current provisions. However, given the energy, speed, and determination with which the reform of the EU data protection regime has been handled, it is likely that the final documents should be substantially similar to what was published on January 25, 2012, and that a final vote will take place sooner than later. Once adopted, the rules will take effect two years later. Thus, we can expect that by the end of 2014, Europe will be subject to a new, improved, but stricter data protection regime.

Similar Posts
Posted in Europe

Comments are closed.