EU

Data protection: Nine things you should know about the new EU draft law

Legal Eye: Proposed law contains wide-ranging changes...

...EU data protection law when "directing" their website activity towards EU citizens.

6. Harmonisation

As had been widely speculated, the European Commission has chosen to implement the new rules through a regulation rather than a directive, which means the law will have direct effect on EU member states without the need for the member state to implement a national law.

This approach is intended to provide greater harmonisation but also removes the flexibility for member states to interpret the laws.

7. More stringent consent requirements

One area where the new law attempts to harmonise is in the requirement for individuals' consents. There are currently differences among EU member state laws over whether consent must be implicit or explicit.

The new law requires consent to be explicit. The new law also states that consent from employees cannot provide a legal basis for employers to process their personal information.

8. Data protection officer

An independent data protection officer must be appointed for processing activities carried out by the public sector, or by private businesses with more than 250 employees.

The role of the data protection officer is to monitor whether the processing activities are carried out in compliance with the data protection policy and the new law.

9. Security breach notification

There is a new mandatory requirement to notify data protection authorities and individuals within 24 hours of a data security breach. However, the requirement to notify individuals does not apply where the data was encrypted.

The draft new law is expected to be formally published this year, at which point it will be subject to a further consultation period before being put before the EU parliament for approval. It is likely to be two to three years before it comes into force.

In the meantime, the wide-ranging changes contained in the draft law mean that it is likely to attract the attention of business groups when it is formally released this year.

Cameron Craig is partner and head of the EU Information Law Team at law firm DLA Piper.