EU Data Protection Reform

The EU Data Protection Regulation is a proposed reform to Directive 95/46/EC. Originally passed in 1995, Directive 95/46/EC, or the EU Data Protection Directive, is a European Union law focused “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”

In a nutshell, it prevents the personal data of anyone in the European Union from being shared with anyone else without express consent of the person the data is about. Though, it should be mentioned that this legislation was passed before the advent of the Internet, so there is little to no way to regulate the sharing of personal data on the Internet at this moment all throughout the Union; however, some of the member states have their own data sharing regulations, which companies must follow if they do business in each of the individual states–something that is both a tedious and expensive process currently. For this and many other reasons, on the 25th of January 2012 the European Commission stated their desire to ameliorate Directive 95/46/EC.

The original legislation Directive 95/46/EC, went into effect on the 24th of October 1995. However, it too is actually a continuation of Convention 108, which focused on protecting individuals in relation to “automatic processing of personal data” and passed on the 28th of January 1981. The proposal to reform the Data Protection Directive was submitted on the 25th of January 2012. The data protection reform should be done by 2014, and should go into effect sometime in 2016.

The EU Data Protection Regulation’s main purpose is to extend the EU Data Protection Directive 95/46/EC to cover the massive changes in technology and the increase in globalization that have happened since 1995. Due to these changes, some of the countries in the EU have added individual personal data sharing regulations to their own laws. The new EU data protection reform will make the laws consistent across the Union–as well as have provisions for outside countries who wish to do business within the Union. Those who disobey the laws may incur hefty fines of up to 1 000 000 EUR.

And it will update the complimentary Framework Decision 2008/977/JHA which regulates the protection and interoffice sharing of personal data in police matters. In other words, while this privacy regulation would not interfere with the government’s right to supersede these policies if it is reasonably justified and in the best interest of the state as a whole such as to stop a terrorist attack.

However, the major concern of the EU is about individual security and safety while using online commerce. The policy aims to make data sharing simpler, more transparent, optional, and safer so that more consumers feel safe in the digital market. Which is why they write in the proposal for the Data Protection Reform, “Building trust in the online environment is key to economic development. Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe, and more generally in the Europe 2020 Strategy.”

Though, some people, including certain US-based companies feel that these regulations go too far. Two major issues are that any data breaches must be reported within 24-hours and “the right to be forgotten”. The former is an issue because many companies do not like to divulge that their security systems have failed because they see it as a brand malfunction. And the latter is problematic to many companies because it means that the consumer will now have access to their “profile”, be able to delete or move it to a competitor at any time, and be able to completely opt out of that sort of data collection altogether, which will they see as a potential threat to internet direct marketing.

Posted in Data Protection Regulation, EU Commission.