EC Proposal For New Data Protection Regulation


The European Commission (the “EC”) has announced its anticipated comprehensive reform of EU data protection rules, intended to strengthen online privacy rights and boost Europe's digital economy. The proposal is intended to update and modernize the principles enshrined in the 1995 Data Protection Directive. If approved, unlike the current rules which give each of the 27 member states of the EU (the “member states”) some flexibility as to how the 1995 Data Protection Directive is implemented in their jurisdiction, the new law would apply directly so that there would be an entirely uniform set of data protection standards across the EU.

Key changes include...

  • Extra-territorial reach: The rules would apply to any processing of personal data related to EU citizens and non-EU citizens living in the EU, even where the data controller is located in a country outside of the EU. Further, Binding Corporate Rules (which have, to date, been used to legitimize transfers among members of the same corporate group only) are also explicitly addressed in the proposed rules, lending them additional support as a mechanism to transfer personal data and simplifying the approval process.
  • Data Protection Regulator: Data controllers and data processors would be regulated by the data protection regulator in the EU country where they have their “main establishment,” creating a simplified “one-stop-shop” approach.
  • Data Protection Officers: Public authorities and private companies with more than 250 employees would have to appoint a data protection officer to ensure data protection compliance.
  • Reporting Obligations: The current obligation requiring companies to notify data protection supervisors of all data protection activities would be repealed. A company would however be required to notify its national data protection regulator of a personal data breach without undue delay and, where feasible, not later than 24 hours of becoming aware of it.
  • Right to Data Portability: Individuals would have easier access to their own data and be able to transfer personal data from one service provider to another more easily. This change is intended to improve competition among services.
  • Right to be Forgotten: Data controllers would be required to delete an individual’s personal data if that person explicitly requests deletion or otherwise when there is no other legitimate reason to retain it.
  • Powers of National Data Protection Authorities: The powers of national data protection authorities would be strengthened so they can better enforce the EU rules in their jurisdictions. They would be empowered to fine companies that violate certain EU data protection rules up to €1 million or up to 2% of the company’s global annual turnover.
  • Explicit Consent: Consent to process data would be required to be explicit (rather than merely assumed). Further, parental consent would be required to be obtained when processing personal information from children who are under 13 years old.
  • Obligations to Demonstrate Compliance: Companies would be required to adopt measures to document and demonstrate compliance with the new rules.

The EC’s proposals (including this Regulation Proposal and this Directive Proposal) have been passed from the EC to the European Parliament and EU member states for discussion. It is anticipated that the new rules will take effect two years after they have been adopted—hence they are unlikely to be effective prior to 2014.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Written by:


Proskauer - Privacy & Data Security on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.