To help individuals enjoy effective control over their personal information, an extensive January 2012 proposal by the European Commission for a new General Data Protection Regulation aims to strengthen and bring into harmony data protection law across Europe. A Communication from the Commission, ‘Safeguarding Privacy in a Connected World – A European Data Protection Framework for the 21st Century,’ is at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0009:FIN:EN:PDF.
According to Communication COM (2012) 9, data protection is a fundamental right in Europe protected by Article 8 of the Charter of Fundamental Rights of the European Union (EU) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU). The new regulation would significantly increase data protection across Europe. The European Commission proposes that the new legal framework should consist of:
- A Regulation (replacing Directive 95/46/EC) setting out a general EU framework for data protection.
- A Directive (replacing Framework Decision 2008/977/JHA) setting out rules on the protection of personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
The main elements of the reform of the EU framework for data protection include:
The “right to be forgotten,” which includes:
- An explicit requirement that obliges online social networking services (and all other data controllers) to minimize the volume of users’ personal data that they collect and process.
- A requirement that the default settings ensure that data is not made public.
- An explicit obligation for data controllers to delete an individual’s personal data if that person explicitly requests deletion and where there is no other legitimate reason to retain it.
Data breach notifications will oblige companies:
- To strengthen their security measures to prevent and avoid breaches.
- To notify data breaches to both the national data protection authority – within 24 hours of the breach being discovered, where feasible – and the individuals concerned without undue delay.
Improve individuals’ ability to control their data by:
- Ensuring that, when their consent is required, it is given explicitly, meaning that it is based either on a statement or on a clear affirmative action by the person concerned and is freely given.
- Equipping internet users with an effective right to be forgotten in the online environment: the right to have their data deleted if they withdraw their consent and if there are no other legitimate grounds for retaining the data.
- Guaranteeing easy access to one’s own data and a right to data portability: a right to obtain a copy of the stored data from the controller and the freedom to move it from one service provider to another, without hindrance.
- Reinforcing the right to information so that individuals fully understand how their personal data is handled, particularly when the processing activities concern children.
Improve the means for individuals to exercise their rights by:
- Strengthening national data protection authorities’ independence and powers, so that they are properly equipped to deal effectively with complaints, with powers to carry out effective investigations, take binding decisions and impose effective and dissuasive sanctions.
- Enhancing administrative and judicial remedies when data protection rights are violated. In particular, qualified associations will be able to bring actions to court on behalf of the individual.
Reinforce data security by:
- Encouraging the use of privacy-enhancing technologies (technologies which protect the privacy of information by minimizing the storage of personal data), privacy-friendly default settings and privacy certification schemes.
- Introducing a general obligation for data controllers to notify data breaches without undue delay to both data protection authorities (which, where feasible, should be within 24 hours) and the individuals concerned.
Enhance the accountability of those processing data by:
- Requiring data controllers to designate a Data Protection Officer in companies with more than 250 employees and in firms which are involved in processing operations which, by virtue of their nature, their scope or their purposes, present specific risks to the rights and freedoms of individuals (“risky processing”).
- Introducing the “Privacy by Design” principle to make sure that data protection safeguards are taken into account at the planning stage of procedures and systems.
- Introducing the obligation to carry out Data Protection Impact Assessments for organizations involved in risky processing.
Consistent enforcement of data protection rules across Europe:
- Data protection requirements and safeguards will be set out in an EU Regulation with direct application throughout the Union.
- Only the data protection authority where the company has its main establishment will be responsible for deciding whether the company is acting within the law.
- Prompt and effective coordination between national data protection authorities – given that the service is directed at individuals in several Member States – will help ensure that the new EU data protection rules will be applied and enforced consistently across all Member States.
Single Market dimension of data protection in order to:
- Lay down data protection rules at EU level through a Regulation directly applicable in all Member States, which will put an end to the cumulative and simultaneous application of different national data protection laws. This will lead to a net saving for companies of about €2.3 billion a year in terms of administrative burdens alone.
- Simplify the regulatory environment by drastically cutting red tape and doing away with formalities such as general notification requirements (leading to net savings of €130 million a year in terms of administrative burdens alone). Given their importance for the competitiveness of the European economy, special attention is given to the specific needs of micro, small and medium-sized enterprises.
- Further enhance the independence and powers of national data protection authorities (DPAs) to enable them to carry out investigations, take binding decisions and impose effective and dissuasive sanctions, and oblige Member States to provide them with sufficient resources to do so.
- Set up a ‘one-stop-shop’ system for data protection in the EU: data controllers in the EU will only have to deal with a single DPA, namely the DPA of the Member State where the company’s main establishment is located.
- Create the conditions for swift and efficient cooperation between DPAs, including the obligation for one DPA to carry out investigations and inspections upon request from another, and to mutually recognize each other’s decisions.
- Set up a consistency mechanism at EU level, to ensure that DPA decisions that have a wider European impact take full account of the views of other DPAs concerned, and are fully in compliance with EU law.
- Upgrade the Article 29 Working Party to an independent European Data Protection Board to improve its contribution to consistent application of data protection law and to provide a strong basis for cooperation among data protection authorities, including the European Data Protection Supervisor; and to enhance synergies and effectiveness by foreseeing that the secretariat of the European Data Protection Board will be provided by the European Data Protection Supervisor.
Since the new rules will apply to businesses based in Europe as well as to businesses based outside the European Union that process the personal data of European citizens for the sale of goods or services or the monitoring of their behavior, the new rules will affect many U.S. businesses. The penalties for noncompliance will be significant, with businesses facing proposed fines of up to €1 million or up to two percent of their annual worldwide turnover depending on whether the organization is an ‘enterprise.’
The proposed General Data Protection Regulation will be considered by the European Parliament and the Council of the European Union, and the Proposal will be subject to amendment. Once the final Regulation is approved, it will probably not be fully implemented for another two years. For more information, visit:
Employment Screening Resources (ESR) was just the third background screening firm in the United States to achieve “Safe Harbor” certification, which bridges the gap between privacy concerns of the EU and the U.S. To learn more, visit Employment Screening Resources (ESR) – ‘The Background Check AuthoritySM’ and nationwide background screening company accredited by The National Association of Professional Background Screeners (NAPBS®) – at http://www.esrcheck.com/ or call ESR at 415-898-0044.
About Employment Screening Resources (ESR):
Employment Screening Resources (ESR) – ‘The Background Check AuthoritySM’ – provides accurate and actionable information, empowering employers to make informed safe hiring decisions for the benefit of our clients, their employees, and the public. ESR literally wrote the book on background screening with “The Safe Hiring Manual” by Founder and CEO Lester Rosen. ESR is accredited by The National Association of Professional Background Screeners (NAPBS), a distinction held by less than two percent of all screening firms. By choosing an accredited screening firm like ESR, employers know they have selected an agency that meets the highest industry standards. For more information about Employment Screening Resources (ESR), visit http://www.esrcheck.com/ or call 415.898.0044.
About ESR News:
The Employment Screening Resources (ESR) News blog – ESR News – provides employment screening information for employers, recruiters, and jobseekers on a variety of topics including credit reports, criminal records, data privacy, discrimination, E-Verify, jobs reports, legal updates, negligent hiring, workplace violence, and use of search engines and social network sites for background checks. For more information about ESR News or to send comments or questions, please email ESR News Editor Thomas Ahearn at firstname.lastname@example.org.