EU Data Protection Reform: Discussion

The European Commissioner put forth a draft of the EU's 17-year-old data protection law. Back in December, we discussed some of the desired reforms that were being called for with development of the Unified EU Data Protection Rules. Primarily, the focus was on updating the rules to meet with the current technological environment and to standardize both implementation and enforcement across the 27 EU Member States.

The data protection reform is being advertised as a way to "take control of your personal data", as you can see in this video:

The final version of its proposed revision includes:

• A single set of data protection rules across the EU
• A "right to be forgotten" - give individuals a right to demand that their data be permanently deleted from websites
• A requirement that websites obtain explicit consent from users to permit the storage and use of their personal data
• A requirement to provide notifications about data breaches to data protection authorities and individuals within 24 hours of discovery
• A right for individuals to request that their personal data be moved from one online service to another
• A company in violation of the proposed law can be charged up to 2% of their global annual turnover, or up to €1m

The proposed changes, including some of the more criticized areas such as the 'right to be forgotten', have drawn some criticism. Some argue that rules are unenforceable; others argue that the focus is too much on fines for transgressions rather than promoting proactive security improvements.

The draft bill will be reviewed by European Parliament as well as by the Council of Ministers. It's unclear, at this point, if the bill will pass, be scrapped, or be revised to any extent. A microsite has been established for those who want more on the proposed data protection rules or wish to discuss the changes online.