Launched by the Commission in 2012, the Data Protection Reform (the ‘Reform’)[1] is a package aiming to update the rules of the 1995 Data Protection Directive[2] on the one hand and the 2008 framework decision on data protection in judicial cooperation in criminal matters and police cooperation on the other[3].
The Reform concerns the following two legislative instruments.
- The General Data Protection Regulation: Intended to replace Directive 95/46/EC, this instrument aims to enable people to better control their personal data and to increase business opportunities in the Digital Single Market, including through a reduced administrative burden.
- The Data Protection Directive in the area of law enforcement: Intended to replace the 2008 data protection framework decision, this instrument aims to protect personal data processed for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.
Under the Luxembourg Presidency of the Council, an agreement was reached between the representatives of the Council, the European Parliament and the European Commission on 15 December 2015, following final negotiations between the three institutions in ‘trilogue’ meetings. In an extraordinary meeting on 17 December 2015, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee expressed its position on the texts agreed upon. Finally, on 18 December 2015, the Permanent Representatives Committee (Coreper) confirmed the compromise texts. Following this, on 8 April 2016 the Council adopted its position at first reading on the Reform.
On 14 April 2016 in a plenary vote supporting the Reform, the European Parliament adopted the draft text of the Reform package. This vote completed the legislative process for adopting the Reform. On 4 May 2016, the General Data Protection Regulation and the Data Protection Directive were published in the Official Journal of the European Union in all official languages.
Twenty days after its publication, that is on 24 May 2016, the General Data Protection Regulation came into force. There will be a two-year grace period, after which its provisions will be directly applicable and will become enforceable in all Member States, that is on 25 May 2018.
The Data Protection Directive came into force on 5 May 2016. The Member States now have a two-year transition period to transpose its provisions into national law; the transposition deadline will be 6 May 2018. Concerning the United Kingdom and Ireland, the provisions of the Data Protection Directive will only apply to a limited extent due to their special status regarding justice and home affairs legislation. In addition, Denmark will have the opportunity to decide within six months after the final adoption of the Data Protection Directive whether it is willing to implement it in its national law.
KEY POINTS OF THE REFORM
Briefly, the General Data Protection Regulation focuses on reinforcing individuals’ rights and strengthening the European Union internal market. With these aims, the General Data Protection Regulation provides tools for individuals to allow them to control their personal data. Among these tools are the following.
- The right to be forgotten and the right to erasure, keeping in mind the two objectives of the safeguard of the freedom of expression on one hand and historical and scientific research on the other.
- A higher level of data protection: More specific rules are set allowing data controllers to process personal data, for example, the requirement for the consent of the individuals concerned[4].
- A specific protection for children: Parental consent for processing the data of children must be obtained.
- Easier access to one’s data with a right to data portability: More information will be provided to the individuals in a clear and understandable way regarding the processing of their personal data. The transfer of personal data from one electronic processing system to and into another will be easier.
- The right to know when one’s data has been hacked: In case of data breaches, companies and organisations will have to notify the national data protection authority, in most cases within 72 hours. In certain situations, breaches will also have to be communicated to the individuals affected.
- Anonymisation, pseudonymisation and encryption: Introduction of the concept of ‘pseudonymisation’[5] and promotion of techniques such as anonymisation and encryption.
- ‘Data protection by design and by default’: Appropriate technical and organisational measures have to be taken by the controller, both at the time of the design of the processing and at the time of the processing itself, to ensure the protection of the rights of the individuals. By default, only personal data necessary for each specific purpose of the processing will be processed. Such data will not be collected or retained beyond the minimum necessary for the specific purpose, both in terms of the amount of data and the duration of storage.
- A stronger enforcement of the rules: In case of violations of the new rules, the national supervisory authority is allowed to impose an administrative fine. In each individual case, the fine will be fixed proportionally to the specific situation, with particular regard to the nature, gravity and duration of the breach. For a legal entity, the fine could be up to 4% of its annual worldwide turnover.
The General Data Protection Regulation provides clarity and consistency of the rules to be applied. Indeed, a single law for data protection will replace the current different national laws. As a consequence, companies and organisations will only have to deal with one single supervisory authority (their national data protection authority), and the same rules will apply for all companies regardless of the State within which they are established.
Finally, in accordance with the provisions foreseen by the Data Protection Directive in the area of law enforcement:
- Law enforcement authorities will be able to exchange data more efficiently and effectively;
- Criminal law enforcement authorities will no longer have to apply different sets of data protection rules according to the origin of the personal data; and
- The European Union’s area of freedom, security and justice will continue to be developed.
1. Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM-2012-011, 25.01.2012, and Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and the free movement of such data, COM-2012-010, 25.01.2012.
2. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31–50.
3. Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed within the framework of police and judicial cooperation in criminal matters, OJ L 350, 30.12.2008, p. 60–71.
4. Note that ‘the data subject’s consent means any freely given, specific and informed indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed’, Article 4 (8) of the General Data Protection Regulation.
5. This ‘means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person’, Article 4 (3b) of the General Data Protection Regulation.