Earlier this year, the European Commission proposed a comprehensive reform to the EU’s 1995 data protection rules, with the stated purposes of strengthening online privacy rights and boosting Europe’s “digital economy.”

Still rooted in the European concept that privacy in one’s personal data is a human right, the updated EU directive is intended to modernize the principles enshrined in the 1995 Directive to ensure privacy rights in the future.  The suggested reforms include legislative proposals, including a regulation setting out a general EU framework for data protection.

According to the press release announcing the reforms, key changes include:

  • A single set of rules on data protection, valid across the EU, with unnecessary administrative requirements, such as notification requirements for companies, removed;
  • A strengthening of independent national data protection authorities, including granting them the power to issue fines to companies that violate EU data protection rules, in order to improve enforcement of the EU rules;
  • Increased responsibility and accountability for those processing personal data, including almost immediate breach notification requirements to supervisory authorities for “serious” breaches;
  • Organizations will be required to deal with a single national data protection authority in the EU country where they have their main establishment;
  • Clarification that wherever consent is required for data to be processed, it must be explicit rather than assumed;
  • A right of data portability to make it easier to transfer personal data from one service provider to another;
  • A “right to be forgotten” that will allow people to delete their data if there are no legitimate grounds for retaining it; and
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.

While the Commission’s proposals will not have an immediate impact – they must be passed on to the European Parliament and EU Member States for discussion and will take effect two years after they have been adopted – there can be little doubt that privacy and online security will be a hot topic in 2012 and beyond. The full proposed Directive may be seen here.