Data protection: Nine things you should know about the new EU draft law

Legal Eye: Proposed law contains wide-ranging changes...

A leaked copy of planned EU data protection legislation has given the online and business communities a glimpse of some new concepts that could prove highly significant, says lawyer Cameron Craig.

The long awaited draft of the new EU data protection law has been revealed. Although the draft was not due to be formally released until early this year, a copy of the draft was leaked onto the internet in December.

The new law has been met with a mixed reaction. It is intended to increase harmonisation between the national laws of EU member states and reduce some of the formalities of compliance, such as registrations and approvals for international data transfers.

Europe is aiming for consistency across member states and cutting the burden of complying with existing data protection laws


This change will be welcomed by the business world because in some EU member states these formalities have proved to be a significant compliance burden.

However, the draft new law would also require businesses to take greater steps to demonstrate compliance, and the penalties for non-compliance would become much more severe than at present, with potential fines of up to five per cent of annual turnover.

The new draft law has also introduced some new concepts that are of particular significance to the online and service provider community. Here are some of the key changes.

1. The right to be forgotten

Individuals will be entitled to require service providers, such as social media sites, to erase their personal information where individuals have withdrawn consent for processing or where they object to the processing of personal data concerning them.

The draft law stresses that this new right is particularly relevant to data provided by children and includes the right to have erased any internet links to copies of the personal information.

2. Privacy impact assessment

There is a mandatory requirement for businesses and service providers to carry out privacy impact assessments before carrying out any processing that is likely to present specific risks.

3. Privacy by design and by default

The new law contains a mandatory requirement for privacy by design and privacy by default. This measure would require service providers to ensure they only process the minimum personal information necessary for each specific purpose.

Providers would also have to ensure that the individuals' personal information is not made accessible to "an indefinite number of individuals" - presumably a reference to the privacy settings options available to individuals.

4. Data portability

Individuals would be given a new right to obtain a copy of their data in a "structured format which is commonly used" and the right to transfer data from one automated processing system - for instance, a social network - to another, without being prevented from doing so by the provider of the system.

5. Jurisdictional reach

The new draft law contains significant changes to the rules governing the jurisdictional reach of EU data protection law. For example, under the new law US-based websites are more likely to become subject to...