The European Commission has published proposals for a comprehensive reform of the 1995 EU Data Protection Directive.
The main aim is to remove inconsistencies created by the 27 EU member states having implemented the Directive in divergent ways and the consequent burdens for business. The proposals also attempt to reflect the rapid advances in technology since the Directive first came into effect.
The changes include a mandatory obligation to report data security breaches promptly and, where feasible, within 24 hours. At present, very few member states have compulsory rules requiring infringements to be notified. In addition, substantial powers to levy fines are proposed - between 0.5 and 2% of an organisation's global annual turnover.
Bureaucracy for businesses, however, is to be reduced. They would need to engage only with a single national data protection authority, in the EU country in which they have their main establishment. At present, they must deal with a patchwork of authorities across each of the territories in which they operate. Businesses with over 250 employees would have to appoint a data protection officer.
Another important change would be a requirement for employers to obtain individuals' explicit consent for their personal data to be processed, rather than being able to rely on assumed or implied consent.
Outside the sphere of employment, there would be increased protection for online privacy rights, purported easier access to personal data and rules about data portability between service providers.
These proposals will need to be approved by the EU member states and ratified by the European Parliament before they can come into effect. This process may take two years, possibly more, and the proposals could be watered down or rejected during that time. If the proposed amendments do make it through those hoops, there will be a further period of time for member states to implement them into their national legal systems. So there's no need for employers to panic or amend their policies just yet.
For further details of the European Commission's proposals, click here.