Preparation needed for new EU data protection law
The European Union is one step closer to adopting a new regulation that requires businesses to take newfound precautions in processing personal data.
A new EU regulation is anticipated in the next few years that will require businesses to take stringent precautions to protect customer telephone numbers, email addresses, identification numbers and potentially even photos.
A substantial portion of the Finnish data protection law will not change as a result of this new EU regulation. However, stricter fines are in store for noncompliance.
The time is now to make sure you have solid procedures to process and protect personal data. You may also need to designate a data protection officer.
While the regulation is still in the proposal stages, the EU Commission is moving forward on several fronts. If all goes according to the current plan, look for the new regulation to come into force some time in 2015–2016.
Below are highlights of key changes the European Parliament is proposing.
Background of new regulation
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs has presented its draft report on the European Commission’s proposal for a regulation on the protection of individuals with regard to the processing of personal data and on the free movement of this data, called the General Data Protection Regulation.
To enter into force, both the Council of the EU and the European Parliament need to accept the regulation.
The Parliament has now taken its first position on the proposal through the rapporteur Jan Philipp Albrecht (Greens/EFA).
He welcomes the fact that the Commission has proposed to replace Directive 95/46/EC, on which the Finnish Personal Data Act is based, with a directly applicable regulation, since this should reduce the fragmented approach to data protection among various EU member states.
The rapporteur of the Parliament is, however, proposing some amendments to the Commission’s draft.
Designate a data protection officer
The Parliament proposes that the threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise but rather on the relevance of the data processing. Under this approach, instead of the trigger being an enterprise employing 250 persons or more, a data protection officer should be designated if the processing is carried out by a legal person and relates to more than 500 data subjects per year.
Outsourcing data to other countries
Another of the proposals impacts the ability of companies to outsource their information technology operations. It also impacts how companies can transfer data outside of the European Economic Area.
The current EU data protection law states that the Commission can designate certain countries to have adequate personal data protection. In the proposal, the Commission suggested that, in addition, it could designate certain business sectors within otherwise unapproved countries as adequate.
But the rapporteur rejected this sector proposal. Instead, his report strengthens the criteria for assessing the adequacy of a non-EU jurisdiction as a whole and emphasises that even if personal data are transferred to third countries without legally binding safeguards, this still must have a legal basis in the specific derogation provisions of the regulation.
Severe penalties in store
Finally, the rapporteur supports the strengthening of the supervisory authorities’ investigative powers and sanction capabilities. In the case of a first and non-intentional breach of the regulation, a written warning could be given and no sanction imposed, even for larger enterprises, but the proposed amounts of fines (0.5 to 2% of the annual worldwide turnover) are kept unchanged.
There is a new paragraph stating that the principle of ne bis in idem needs to be respected to prevent penalties being imposed twice for the same act.
Current timetable for enactment
The General Data Protection Regulation will next be on the agenda of the informal Justice Council taking place in Dublin on 18 January and the European Parliament plenary vote is expected sometime around April. According to the Commission, the concerned parties are trying to achieve a political agreement on the issue by the end of the first half of 2013.