22 February 2012 by Matthew Miller

Hot Data

Last month, the European Commission published long-awaited proposals to modernise and harmonise data protection laws throughout the European Union (EU), which will ultimately see the introduction of regulations to replace Directive 95/46/EC – implemented in the UK as the Data Protection Act 1998 – with a view to vastly reducing the number of different interpretations adopted by the individual EU Member States in applying data protection law.

The new regulations will also be supplemented by a Directive governing the processing of personal data by public authorities in relation to the prevention, detection, investigation and/or prosecution of criminal offences and the enforcement of criminal penalties.

The rationale for the proposals is that the period since the adoption of the current legislation, back in 1995, has seen huge advances in technology and the way it is used. Mass information sharing and online storage of personal data within the EU are seen as two prominent reasons for needing an up-to-date and integrated data protection regime.

Some of the key proposals are as follows:

  • Any private company with more than 250 employees will need to have a designated data protection officer, appointed for a minimum of two years. The duties of this role will include carrying out mandatory data protection impact assessments, the compulsory documentation of various processes, implementing training and general oversight.
  • If personal data laws are breached, the relevant data controller must notify its supervising authority without undue delay and, if feasible, within 24 hours of becoming aware of the breach. If the supervising authority is not notified within 24 hours, a reasoned justification for this must accompany the notification.
  • Any data subject will have the right to request, from the relevant data controller, a copy of the personal data being processed by that controller, in an electronic, structured and ‘portable’ format, to allow the further use/re-use of that data by the data subject.
  • A data subject will also have the right to request that a data controller erases any personal data relating to them unless the controller can demonstrate compelling and legitimate grounds for retention. This is the so-called ‘right to be forgotten’.
  • A single independent European Data Protection Board will be set up, comprising the head of the supervisory authority in each Member State, with the power to ensure that the new regulations are consistently applied within the EU. The chance for businesses to deal with one pan-European regulator could save them money, but at the expense of the more flexible and pragmatic regulation currently practised at a national level.
  • A fine of up to 2% of annual global turnover could be imposed on any company that intentionally, or negligently, breaches EU data protection laws. Also, for the first time, data processors will have direct obligations under the proposed legislation.
  • Data controllers outside the EU will be subject to the new regime if their activities are aimed at individuals living in the EU. It is unclear how the regulations will be enforced outside the EU but their scope could extend to, for example, businesses in the US.

The proposals are now with the European Parliament and each Member State for further discussion. In the UK, the Ministry of Justice is currently consulting on the likely impact of the new rules: http://www.justice.gov.uk/consultations/data-protection-proposals-cfe.htm.

The proposed legislation will need to be approved by the Member States, and then ratified by the European Parliament, so it could be more than two years before the new regime takes effect. In the meantime, there will be intense lobbying of the European Commission by those businesses likely to be most affected. For example, the potential impact on social media networks and other online platforms could be very significant indeed. In any event, some of the proposed regulations are already widely regarded as impractical, unrealistic and administratively burdensome. So watch this space.

If you need further guidance on the new proposals, or advice on data protection issues generally, please contact Matthew Miller (020 7288 4739 or matthewmiller@boltburdon.co.uk).
