European draft data law announced: What you need to know

The European Commission has announced the Data Protection Regulation, which will govern the data and privacy laws of Europe's 27 member states. Here's what you need to know.
Written by Zack Whittaker, Contributor
The European Commission has put forward a series of suggestions in draft form for the next version of Europe's data protection law.

Many of these were in the draft documents seen by ZDNet late last year. Since then, while the vast majority of new rules in the framework still exist, the proposed rules have been revised, ostensibly in the interests of European users and consumers.

It is also clear that the Regulation, in the draft form released today, has been considerably watered down since the leaked November version.

One regulation, less fragmentation

The current Data Protection Directive had to be transposed into the national law of each of Europe's 27 member states. The result is that every country shares the same framework, but some national laws are stronger and more protective than others. Germany's data protection laws, for example, contain the same elements as every other European country's, but are far stricter than the UK's comparatively lenient rules.

The new Data Protection Regulation is a 'one-size-fits-all' legal instrument that applies directly and removes the need for member states to interpret and transpose the law themselves. It also makes cross-border data transfers between European countries easier, and the Commission estimates it will save around €2.3 billion ($3.1bn) each year in 'administrative' costs.

A separate instrument, the new Criminal Justice Directive, will cover all processing of personal data for the purposes of law enforcement: the investigation, detection and prosecution of criminal offences.

Right to be forgotten

This one is tricky, and the details have yet to be finalised. This 'pet project' of the European Justice Commissioner, Viviane Reding, will in effect allow European users to wipe their online slate clean: they will be able to have their photos, personal details and other data removed from websites, social networks and search engines.

Users will have the right to demand that data held on them be deleted if there are "no legitimate grounds" for it to be kept. For example, if a user leaves a service or social network such as Google or Facebook, the company will have to permanently delete any data it retains on that user.

Search engines will also have to comply with this rule. How a search giant like Google, which has already warned that the rule may harm innovation, would comply in practice remains unclear.

Data protection agency is where your European headquarters is

Each European member state has its own data protection agency that enforces that country's law. Because there will be only one Regulation, and therefore only one law to comply with, the burden on companies that operate across the 27 member states is eased.

One of the proposals in the draft legislation assigns a company a single lead data protection agency, based on where its European headquarters is. For Microsoft and Twitter, for example, this would be the UK's data protection agency, the Information Commissioner's Office.

Exporting data will be easier

European Web users will be able to access the data held on them, either in a structured format or as raw data. Most companies are likely to adopt something similar to Google's Dashboard, which displays all the data attached to a particular service.

'Offline' companies, as well as Web services and social networks in particular, will also have to implement data export tools that let users download their data and take it elsewhere. Facebook already has a download tool that lets users retrieve their photos and other uploaded content so they can move it to other social networks.

Data protection officers for firms with 250+ employees

Any company with more than 250 employees would have to appoint a data protection officer to ensure that the Regulation's rules are being enforced appropriately. It is thought, though still unclear, that this person would act as a 'liaison officer' to the local data protection agency, and would be responsible for reporting data breaches or losses.

Data breach reporting within 24 hours of discovery

To avoid a repeat of the Sony PlayStation Network breach, where over 100 million users' details were accessed and users were told nearly a week after the breach occurred, the new Regulation will require that a data breach or loss be reported to the regulator "if feasible, within 24 hours" of its discovery.

It is not yet clear whether the public will be informed directly by the company that suffered the breach, or whether a formal notification will be issued by the relevant data protection agency.

Screw up, cough up: €1 million, or 2 percent turnover penalties

The European Commission can already fine companies that breach its antitrust and competition laws up to 10 percent of their annual global turnover. Europe's executive body believes a similar penalty regime should be extended to data protection, framed as an "investment incentive" for companies to get their data handling right.

The draft rules state that serious violations, such as processing sensitive data without the individual's consent, can be punished by a fine of up to €1 million ($1.3 million), or up to 2 percent of the company's global annual turnover.

Reding suggested that a company that charged a user for a data access request be fined up to 0.5 percent of its global annual turnover, with the fine doubling if the company refused to hand over the data or failed to correct incomplete or incorrect information.

The message is that companies which invest in stronger security practices and better data protection controls are less likely to face the fullest penalties from European regulators should data be lost, leaked or simply go walkabout.
