The European Commission, European Parliament and the Council and ministers of the European Community has presented a proposal on a new data protection law. The reform consists of two instruments, a General Data Protection Regulation and a Data Protection Directive. The Directive will harmonize laws and also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively. The Regulation should strengthen individual´s already existing rights and will enable people to better control their personal data. The reform includes, inter alia, the following suggestions:
- Harmonized law: The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU. Companies based outside of Europe will have to apply the same rules when offering services in the EU. This will give individuals protection of personal data, regardless of where the data is processed.
- Easier access to your own data: individuals will have more information on how their data is processed. Companies should make information available in a clear and understandable way. Situations where individuals are able to object that their personal data is processed by companies or authorities will be extended.
- A right to data portability: It will be easier to transfer personal data between service providers. If a registered have entered information about himself on an internet service, the individual shall upon request be entitled to have their data transferred to another service provider.
- A clarified right to be forgotten: Companies will have to take stricter measures to ensure an approval from the individuals. When an individual no longer want the personal data to be processed, and provided that there are no legitimate grounds for retaining it, the data must be deleted.
- Measures at hacking: If a company or organisation have a serious data breach or other incidents where the control over personal data information is lost, they as soon as possible must notify the national supervisory authority and take appropriate measures. The individual that the personal data information relate to, must also be notified. A data breach or incident can be serious if the information leaked may lead to people facing discrimination, identity theft, fraud or financial losses. Notification should be done to the individual and the national supervisory authority within 24 hours.
- Impact assessment: If a company intends to handle personal information in a way that can bring substantial privacy risks, the company must first conduct an impact assessment, a so-called Data Protection Impact Assessment. Critical processing of personal could be, for example, large-scale registers containing genetic or biometric data, data on children or large-scale video surveillance in public places. Should the analysis result in a high risk, the company or organisation must contact the national supervisory authority, who shall make a preliminary assessment to ensure that the way to collect and processing personal data are legal.
- Data Protection Officer: There is no mandatory requirement to have a Data Protection Officer, but each country should be able to impose their own requirements on this. The officers role should be to ensure that regulations are adhered regarding how personal data is processed. The Data Protection Officers shold be given adequate resources and transparency and should be enable to perform their duties in an independent and impartial manner.
Following political agreement reached in trilogue, the final texts will be formally adopted by the European Parliament and Council at the beginning 2016. The new rules will become applicable two years thereafter. Even if there will be one law on data protection within EU, the Regulation gives some room for some specific national regulations.
In February, the European Commission also reached an agreement meaning that personal data can be transferred between the EU and the US. To enable this it is necessary to have a regulatory framework for the handling of the transfer of personal data, taking into account the personal integrity. For the new rules to be applied remains for the European Commission to make decisions according to the agreement. In this process, the Member States are involved to ensure a uniform application of the new rules.