European Data Protection Regulation Overhaul Proposed by European Commission

To help individuals enjoy effective control over their personal information, an extensive January 2012 proposal by the European Commission for a new General Data Protection Regulation aims to strengthen and bring into harmony data protection law across Europe. A Communication from the Commission, ‘Safeguarding Privacy in a Connected World – A European Data Protection Framework for the 21st Century,’ is at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0009:FIN:EN:PDF. According to Communication COM (2012) 9, data protection is a fundamental right in Europe protected by Article 8 of the Charter of Fundamental Rights of the European Union (EU) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU). The new regulation would significantly increase data protection across Europe. The European Commission proposes that the new legal framework should consist of:

A Regulation (replacing Directive 95/46/EC) setting out a general EU framework for data protection.
A Directive (replacing Framework Decision 2008/977/JHA16) setting out rules on the protection of personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

The main elements of the reform of the EU framework for data protection include: “Right to be forgotten” which includes:

An explicit requirement that obliges online social networking services (and all other data controllers) to minimize the volume of users’ personal data that they collect and process.
A requirement that the default settings ensure that data is not made public.
An explicit obligation for data controllers to delete an individual’s personal data if that person explicitly requests deletion and where there is no other legitimate reason to retain it.

Data breach notifications will oblige companies:

To strengthen their security measures to prevent and avoid breaches.
To notify data breaches to both the national data protection authority – within 24 hour of the breach being discovered, where feasible – and the individuals concerned without undue delay.

Improve individuals’ ability to control their data by:

Ensuring that, when their consent is required, it is given explicitly, meaning that it is based either on a statement or on a clear affirmative action by the person concerned and is freely given.
Equipping internet users with an effective right to be forgotten in the online environment: the right to have their data deleted if they withdraw their consent and if there are no other legitimate grounds for retaining the data.
Guaranteeing easy access to one’s own data and a right to data portability: a right to obtain a copy of the stored data from the controller and the freedom to move it from one service provider to another, without hindrance.
Reinforcing the right to information so that individuals fully understand how their personal data is handled, particularly when the processing activities concern children.

Improve the means for individuals to exercise their rights by:

Strengthening national data protection authorities’ independence and powers, so that they are properly equipped to deal effectively with complaints, with powers to carry out effective investigations, take binding decisions and impose effective and dissuasive sanctions.
Enhancing administrative and judicial remedies when data protection rights are violated. In particular, qualified associations will be able to bring actions to court on behalf of the individual.

Reinforce data security by:

Encouraging the use of privacy-enhancing technologies (technologies which protect the privacy of information by minimizing the storage of personal data), privacy-friendly default settings and privacy certification schemes.
Introducing a general obligation for data controllers to notify data breaches without undue delay to both data protection authorities (which, where feasible, should be within 24 hours) and the individuals concerned.

Enhance the accountability of those processing data by:

Requiring data controllers to designate a Data Protection Officer in companies with more than 250 employees and in firms which are involved in processing operations which, by virtue of their nature, their scope or their purposes, present specific risks to the rights and freedoms of individuals (“risky processing”).
Introducing the “Privacy by Design” principle to make sure that data protection safeguards are taken into account at the planning stage of procedures and systems.
Introducing the obligation to carry out Data Protection Impact Assessments for organizations involved in risky processing.

Consistent enforcement of data protection rules across Europe:

Data protection requirements and safeguards will be set out in an EU Regulation with direct application throughout the Union.
Only the data protection authority where the company has its main establishment will be responsible for deciding whether the company is acting within the law.
Prompt and effective coordination between national data protection authorities – given that the service is directed at individuals in several Member States – will help ensure that the new EU data protection rules will be applied and enforced consistently across all Member States.

Single Market dimension of data protection in order to:

Lay down data protection rules at EU level through a Regulation directly applicable in all Member States which will put an end to the cumulative and simultaneous application of different national data protection laws. This will lead to a net saving for companies of about € 2.3 billion a year in terms of administrative burdens alone.
Simplify the regulatory environment by drastically cutting red tape and doing away with formalities such as general notification requirements (leading to net savings of € 130 million a year in terms of administrative burdens alone). Given their importance for the competitiveness of the European economy, special attention is given to the specific needs of micro, small and medium sized enterprises.
Further enhance the independence and powers of national data protection authorities (DPAs) to enable them to carry out investigations, take binding decisions and impose effective and dissuasive sanctions, and oblige Member States to provide them with sufficient resources to do so.
Set up a ‘one-stop-shop’ system for data protection in the EU: data controllers in the EU will only have to deal with a single DPA, namely the DPA of the Member State where the company’s main establishment is located.
Create the conditions for swift and efficient cooperation between DPAs, including the obligation for one DPA to carry out investigations and inspections upon request from another, and to mutually recognize each other’s decisions.
Set up a consistency mechanism at EU level, to ensure that DPA decisions that have a wider European impact take full account of the views of other DPAs concerned, and are fully in compliance with EU law.
Upgrade the Article 29 Working Party to an independent European Data Protection Board to improve its contribution to consistent application of data protection law and to provide a strong basis for cooperation among data protection authorities, including the European Data Protection Supervisor; and to enhance synergies and effectiveness by foreseeing that the secretariat of the European Data Protection Board will be provided by the European Data Protection Supervisor.

Since the new rules will apply to businesses based in Europe as well as to businesses based outside the European Union that process the personal data of European citizens for the sale of goods or services or the monitoring of their behavior, the new rules will affect many U.S. businesses. The penalties for noncompliance will be significant, with businesses facing proposed fines of up to €1 million or up to two percent of their annual worldwide turnover depending on whether the organization is an ‘enterprise.’ The changes for the proposed General Data Protection Regulation will be considered by the European Parliament and the Council of the European Union, and the Proposal will be subject to amendment. Once the final Regulation is approved, it will probably not be fully implemented for another two years. For more information, visit: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf. Employment Screening Resources (ESR) was just the third background screening firm in the United States to achieve “Safe Harbor” certification, which bridges the gap between privacy concerns of the EU and the U.S. To learn more, visit Employment Screening Resources (ESR) – ‘The Background Check Authority^SM’ and nationwide background screening company accredited by The National Association of Professional Background Screeners (NAPBS®) – at https://www.esrcheck.com/ or call ESR at 415-898-0044. Sources: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0009:FIN:EN:PDF. About Employment Screening Resources (ESR): Employment Screening Resources (ESR) – ‘The Background Check Authority^SM’– provides accurate and actionable information, empowering employers to make informed safe hiring decisions for the benefit for our clients, their employees, and the public. ESR literally wrote the book on background screening with “The Safe Hiring Manual” by Founder and CEO Lester Rosen. ESR is accredited by The National Association of Professional Background Screeners (NAPBS), a distinction held by less than two percent of all screening firms. By choosing an accredited screening firm like ESR, employers know they have selected an agency that meets the highest industry standards. For more information about Employment Screening Resources (ESR), visit https://www.esrcheck.com/ or call 415.898.0044. About ESR News: The Employment Screening Resources (ESR) News blog – ESR News – provides employment screening information for employers, recruiters, and jobseekers on a variety of topics including credit reports, criminal records, data privacy, discrimination, E-Verify, jobs reports, legal updates, negligent hiring, workplace violence, and use of search engines and social network sites for background checks. For more information about ESR News or to send comments or questions, please email ESR News Editor Thomas Ahearn at [email protected].]]>

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_parsely_session	30 minutes	This cookie is used to track the behavior of a user within the current session.
_parsely_visitor	1 year 1 month	This cookie store anonymous user idnetifier to determine whether a visitor had visited before, or if its a new visit.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
cookies.js_dtest	session	No description
test	session	No description available.

Common Ways Prospective or Current Employees Sue Employers Under the FCRA

Critical Steps for Ex-Offenders to Get Back Into the Workforce

Common Ways Prospective or Current Employees Sue Employers Under the FCRA

Critical Steps for Ex-Offenders to Get Back Into the Workforce

2 Comments