A leaked copy of planned EU data protection legislation has given the online and business communities a glimpse of some new concepts that could prove highly significant, says lawyer Cameron Craig.

The long awaited draft of the new EU data protection law has been revealed. Although the draft was not due to be formally released until early this year, a copy of the draft was leaked onto the internet in December.

The new law has been met with a mixed reaction. It is intended to increase harmonisation between the national laws of EU member states and reduce some of the formalities of compliance, such as registrations and approvals for international data transfers.

Europe is aiming for consistency across member states and cutting the burden of complying with existing data protection laws

This change will be welcomed by the business world because in some EU member states these formalities have proved to be a significant compliance burden.

However, the draft new law would also require businesses to take greater steps to demonstrate compliance, and the penalties for non-compliance would become much more severe than is currently the case, with potential fines of up to five per cent of annual turnover.

The new draft law has also introduced some new concepts that are of particular significance to the online and service provider community. Here are some of the key changes.

1. The right to be forgotten

Individuals will be entitled to require service providers, such as social media sites, to erase their personal information where individuals have withdrawn consent for processing or where they object to the processing of personal data concerning them.

The draft law stresses that this new right is particularly relevant to data provided by children and includes the right to have erased any internet links to copies of the personal information.

2. Privacy impact assessment

There is a mandatory requirement for businesses and service providers to carry out privacy impact assessments before carrying out any processing that is likely to present specific risks.

3. Privacy by design and by default

The new law contains a mandatory requirement for privacy by design and privacy by default. This measure would require service providers to ensure they only process the minimum personal information necessary for each specific purpose.

Providers would also have to ensure that the individuals’ personal information is not made accessible to “an indefinite number of individuals” – presumably a reference to the privacy settings options available to individuals.

4. Data portability

Individuals would be given a new right to obtain a copy of their data in a “structured format which is commonly used” and the right to transfer data from one automated processing system – for instance, a social network – to another, without being prevented from doing so by the provider of the system.

5. Jurisdictional reach

The new draft law contains significant changes to the rules governing the jurisdictional reach of EU data protection law. For example, under the new law US-based websites are more likely to become subject to EU data protection law when “directing” their website activity towards EU citizens.

6. Harmonisation

As had been widely speculated, the European Commission has chosen to implement the new rules through a regulation rather than a directive, which means the law will have direct effect on EU member states without the need for the member state to implement a national law.

This approach is intended to provide greater harmonisation but also removes the flexibility for member states to interpret the laws.

7. More stringent consent requirements

One area where the new law attempts to harmonise is in the requirement for individuals’ consent. There are currently differences among EU member state laws over whether consent must be implicit or explicit.

The new law requires consent to be explicit. The new law also states that consent from employees cannot provide a legal basis for employers to process their personal information.

8. Data protection officer

An independent data protection officer must be appointed for processing activities carried out by the public sector, or by private businesses with more than 250 employees.

The role of the data protection officer is to monitor whether the processing activities are carried out in compliance with the data protection policy and the new law.

9. Security breach notification

There is a new mandatory requirement to notify data protection authorities and individuals within 24 hours of a data security breach. However, the requirement to notify individuals does not apply where the data was encrypted.

The draft new law is expected to be formally published this year, at which point it will be subject to a further consultation period before being put before the EU parliament for approval. It is likely to be two to three years before it comes into force.

In the meantime, the wide-ranging changes contained in the draft law mean that it is likely to attract the attention of business groups when it is formally released this year.

Cameron Craig is partner and head of the EU Information Law Team at law firm DLA Piper.