The current EU Directive 95/46/EC on data protection dates back to 1995. Each EU Member State has implemented and interpreted the EU 1995 Data Protection Directive differently into its national laws which has resulted in a patchwork of legislation across the EU as well as different administrative procedures and enforcement approaches being adopted by local regulators.
With the advancement of technology and data used online and the problems faced by businesses that operate in numerous Member States, it is not surprising that on 25 January 2012, the European Commission proposed a comprehensive reform of the EU Data Protection Directive and published the first version of the proposed Data Protection Regulation to replace the 1995 Directive.
Whilst there have been many meetings, amendments and discussions as to the proposed Regulation, the exact wording of the Regulation has yet to be agreed. Whilst there is no set deadline, it is generally expected that the Regulation will be agreed by 2015 and will come into force in 2017 and will be applicable in all EU Member States. However what is clear is that the message the European Parliament is sending out is that the reform is a necessity and is now irreversible.
How will the reform affect economic growth?
The Regulation will have a direct effect on each of the EU Member States and will replace the current patchwork of national laws. This means that companies will only have to deal with one law and not 28.
In addition, the proposal is that there is will be a ‘one stop shop’ in that companies which operate in several Member States will only have to deal with one regulator rather than regulators in each state in which they operate. This should make it easier and cheaper for businesses to run and trade internationally.
Another proposal is the principle that the same rules will apply for all companies regardless of their establishment. At the moment European companies are subject to stricter standards relating to data use than those companies established outside of the EU but trade within the EU. The reform proposals will lead to companies based outside of the EU having to comply with the same rules. This will create a more level playing field. The reform will also enable data protection authorities to fine companies which do not comply with EU rules. The exact penalty has not been set although the European Commission previously proposed fines of up to 2 percent of the company’s global annual turnover whilst the European Parliament has increased this to €100m or 5 percent of the company’s global annual turnover, whichever is higher.
How will the reform affect small and medium sized enterprises (SMEs)?
The current EU Data Protection Directive applies to all EU companies irrespective of their size. However there has been a proposal that some provisions of the Regulation will be exempt for SMEs, for example the obligation to appoint a data protection officer where data processing is not a core business activity.
There are also proposals for obligations on data controllers and processors to vary according to the size of the business in question and the nature of the data being processed. This will mean that SMEs will not necessarily be subject to the same obligations as large multinational companies.
SMEs will also be able to charge a fee for excessive or repetitive requests to access data and SMEs will not have an obligation to carry out an impact assessment unless there is a specific risk.
How will the reform affect EU citizens?
One of the proposals for the reform will be the clarification of the ‘right to be forgotten’ principle. The current EU Directive already includes such a principle whereby an individual can ask for their personal data to be deleted where the data is for example incomplete or inaccurate.
Following a recent Court of Justice of the European Union ruling earlier this year, the Court held that in certain circumstances a search engine (in this case Google) will be obliged to remove from their search results links to webpages which contain “inadequate, irrelevant or no longer relevant or excessive” information about individuals. The Court did, however, point out that this ‘right to be forgotten’ is not absolute and must still be balanced against other fundamental rights, such as the freedom of expression.
The proposed Regulation will modernise the current EU Directive though, in that non-EU companies offering services to EU customers must still comply with the Regulation. The European Commission has also proposed to reverse the burden of proof in that it will be the company, and not the individual, to prove that the data cannot be deleted because it is still relevant.
The reform proposals also aim to provide EU citizens with more control over their data so that where consent is required to process that individual’s data, they must give it explicitly. So, not giving a response will not equate to an affirmative answer.
It is clear that the current EU Data Protection Directive has not kept up with the changing pace of the current digital age and is in need of modernisation. However, there are concerns that the direct applicability of the Regulation could lower data protection standards in some Member States. With the conflicting interests of each Member State it will be interesting to see how the final agreed Regulation will compare to the original published version in 2012.
Simon Miles is a partner and Head of Intellectual Property, and Karen Lee is an associate, at Edwin Coe LLP. Mr Miles can be contacted on +44 (0)20 7691 4000 or by email: firstname.lastname@example.org. Ms Lee can be contacted on +44 (0)20 7691 4000 or by email: email@example.com.
© Financier Worldwide
Simon Miles and Karen Lee
Edwin Coe LLP