February 02, 2012

A New World of EU Data Protection

On Wednesday, January 25, 2012, the European Commission released a proposed data protection regulation to replace the current EU Data Protection Directive (95/46/EC). The proposed regulation would drastically alter the data protection landscape for companies operating in the EU or selling into EU member states. Furthermore, given the EU's leadership in this area, the proposed regulation may significantly influence legislative proposals in countries outside the EU, including the U.S. as Congress considers comprehensive data protection legislation.

Some key provisions of the proposed regulation include:

  1. Expanded Jurisdictional Reach – The regulation would apply not only to companies based inside the EU but also to any company based outside the EU that offers goods and services to EU residents and, consequently, processes the personal data of those residents. Any such company would have to appoint a representative in the EU unless it employs fewer than 250 individuals.

  2. Data Breach Notification Within 24 Hours – The regulation would require companies to notify the relevant national data protection authority of a data breach "without undue delay and, where feasible, not later than 24 hours after having become aware of it." Moreover, if notification is not made within 24 hours, notification would have to be accompanied by "a reasoned justification."

  3. Explicit Opt-In Consent – The regulation would require companies to obtain "specific, informed and explicit" consent from individuals before collecting or using those individuals' personal data.

  4. Larger Fines – Under the regulation, data protection authorities would have the authority to fine violators up to €1 million or, for companies, 2% of annual worldwide turnover.

  5. A Right To Be Forgotten – The regulation would require companies, in most cases, to erase individuals' personal data upon demand. Companies would have to remove any such personal data they published on the Internet and "inform third parties which are processing such data" to delete it.

The regulation makes several other significant changes to the EU data protection regime, including expanding the definition of personal data and setting forth new requirements for processing the data of children, complying with privacy-by-design principles, and conducting privacy impact assessments.

While the proposed regulation will not be adopted in final form by the European Parliament and Council until at least 2014, companies should become familiar with it now. The regulation provides a picture of how authorities, both in the EU and elsewhere around the world, may regulate personal data in the near future. Moreover, many of its provisions would considerably alter how companies can handle personal data. Companies should take note and prepare accordingly.