Bond Pearce

EU draft Data Protection legislation leaked in December 2011


The long-awaited revised Data Protection legislation, which is due to be released in January 2012, was leaked in December 2011. Although this may not be the final version of the draft Regulation, it gives a good idea of the changes that are being proposed to the current European data protection regime.

Two new pieces of legislation are proposed:

  • a Regulation (replacing Directive 95/46/EC) establishing an EU-wide framework for data protection

  • a Directive setting out rules on the protection of personal data processed for the purposes of investigating and prosecuting criminal offences (the Police and Criminal Justice Directive).

The European Commission sees protecting an individual's personal data as vital for establishing trust in the online environment and crucial for stimulating economic growth through the establishment of a digital single market for Europe. It is a key action for its Digital Agenda for Europe and the Europe 2020 Strategy.

By implementing many of the changes by means of a Regulation rather than a Directive, the Commission will ensure that there is a consistent Europe-wide data protection framework. This will replace the fragmented and sometimes inconsistent approach to data protection in the Member States.

Key terms to note in the draft Data Protection Regulation are:

  • the definition of "the data subject's consent" has been amended to refer to explicit consent. This would affect many organisations' reliance on opt-out boxes, non-objections and similar mechanisms to indicate consent.

  • details of how and when personal data can be used for purposes other than that for which it was initially collected, and the conditions for consent to be valid as a legal ground for lawful processing (Articles 4-7). Consent may not provide a legal basis for processing by public authorities, or for processing carried out to perform the obligations and exercise the specific rights of the controller in the field of employment law. Consent by a child (ie a person under 18) will only be valid if authorised by a parent or custodian. There is a general prohibition on processing special categories of personal data (ie sensitive data categories), together with the exceptions to this prohibition (Article 8).

  • the introduction of the widely debated "right to be forgotten". The draft legislation sets out the conditions of such a right and the exemptions from the complete deletion of a data subject's personal data. Rather than just removing someone from a mailing list, organisations would have to delete the data completely, unless there is a legitimate reason to retain it. Where the personal data has been made public (eg via social networking sites or other websites), this will include the erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service (Article 15).

  • the introduction of direct obligations on data processors, which were notably absent from the EU Data Protection Directive 1995 (Directive 95/46/EC), although these obligations are to be set out in the contract between the controller and the processor. Under the draft Regulation, if the processor processes personal data other than as instructed by the controller, the processor will be considered a controller for that processing and will be subject to the rules on joint controllers. As a result, data subjects can enforce their rights against each controller (Article 23).

  • an obligation on the controller and the processor to implement appropriate measures for the security of processing. This obligation applies to processors directly, irrespective of the terms of their contract with the controller.

  • an obligation on data controllers to inform the supervisory authority within 24 hours of any breach, and to inform data subjects of a security breach within 24 hours if the breach endangers their personal data (Articles 27-29). A deadline this short presupposes that the controller can detect, assess and escalate a breach quickly, which will require incident response processes to be in place before the Regulation applies.

  • an obligation on data controllers to designate a data protection officer where the controller is a public authority or body, has 250 or more permanent employees, or has core activities which require regular and systematic monitoring of data subjects (Article 32).

  • the imposition of administrative sanctions for non-compliance, ranging from EUR 100 to 5% of a business's annual worldwide turnover (Article 79).

A final point to note is that the draft legislation is intended to apply to data controllers established in third countries where those controllers direct their activities to EU Member States.

It is clear that the new Regulation is intended to impose more practical and unambiguous obligations on anyone involved in personal data processing, and sets out the responsibilities and liabilities attaching to those obligations. It is also clear that this new legislation is designed to be more prescriptive and is certainly more onerous than previous legislation in this area.

There is time to prepare. The draft has not yet been released and much debate is expected before it is finalised. Even then it will not actually apply until two years after its publication in the Official Journal.


Bond Pearce LLP is a leading commercial law firm providing regulatory, corporate, commercial, real estate and dispute resolution services to some of the UK’s pre-eminent organisations. We are recognised nationally particularly for our work in the energy, commercial insurance, real estate and retail sectors, and for our approach to client service. © Copyright 2011 Bond Pearce LLP. All rights reserved. 3, Temple Quay, Temple Back East Bristol, BS1 6DZ