Draft EU data protection amendments leaked

Updated January 2012

A draft of a new EU Regulation which will amend the data protection regime across Europe has been leaked. The leaked document gives an indication of the changes to the data protection regime that we can expect to see in the next couple of years. The Regulation includes significant amendments to the existing rules including increased obligations for data controllers in a number of areas, strengthening of individuals' rights and substantially increasing the sizes of fines that can be imposed by regulators.

Key proposals include:

• A statutory requirement to appoint a data protection officer for public sector bodies, private sector organisations with more than 250 employees and organisations that carry out regular and systematic monitoring of individuals;
• A new right of data portability with the objective of enabling individuals to easily move their data between service providers;
• Mandatory notification of data security breaches to the regulator and (in some cases) individuals for all sectors;
• An extension of the application of the data protection regime to organisations located outside the European Union when they deal with or monitor individuals within the European Union;
• A new 'right to be forgotten', which extends the existing rights of individuals to have their data deleted in circumstances where it is no longer needed or if the individual withdraws consent;
• A requirement to carry out a privacy impact assessment before undertaking certain data processing activities;
• An express obligation to have in place transparent and easily accessible policies on the processing of personal data and the exercise of individuals' rights;
• New rules on obtaining consent from individuals, which require consent to be 'explicit';
• Abolition of the requirement to notify regulators of data processing activities;
• Refinements to the rules on transferring personal data outside the European Economic Area, with new provisions relating to the use of binding corporate rules;
• Strengthened sanctions, including the ability to impose fines of up to 5% of annual worldwide turnover in certain circumstances.

The form of the European legislation is a Regulation, rather than a Directive, which will be directly applicable in each Member State. It is important to note that the leaked document is not the final form draft for consultation. The official release is expected on 25 January 2012. We will provide a further update next month following publication of the formal document.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at January 2012. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.