There were a number of interesting developments from the European Parliament last month. Not only did Parliament vote on amendments to the European Package Travel Directive, which will of course be of great interest to the travel industry, but there was also a further development which may have sneaked under your radar: the passing of a vote to approve a draft text of the proposed Data Protection Regulation.
This is a big step forward for Data Protection reform, as it sets in stone the European Parliament’s position. Parliament’s position cannot now change, even if its composition changes following the forthcoming European elections in May.
With reform taking a significant step forward, what exactly do the proposed Regulations have in store? While the content of the final Regulation may still be subject to change, we have highlighted a few of the key proposals:
1. The new Regulation introduces the idea of a one-stop shop, so that a business is regulated in its home state, but subject to a series of consistency measures in other member states.
2. There will be a higher standard for obtaining consent. The 1995 Directive required consent to be given “unambiguously”. In the new definition, the criterion “explicit” is added and consent is to be given “in the context of a written declaration”.
3. There are new and strengthened rights for data subjects. The new Regulation will expand the type of information that must be provided to individuals when a subject access request is made, and will also remove the ability to charge a fee for subject access requests.
There are, however, concerns that the strengthened rights for data subjects may distort consumer behaviour. In the case of fee abolishment, for example, there are worries that this will lead to an increase in frivolous and/or vexatious requests, putting strain on resources and budgets.
4. Controversially, there are also proposals for a ‘right to be forgotten’. This will involve an individual having the right to request that all personal data relating to themselves is erased. Further, there will be an obligation for a data controller, who has made the personal data public, to inform third parties of the request and to erase any links to or copies of that personal data.
This is widely considered to be over-ambitious and impractical. In an environment where data can be replicated and divulged in seconds, there are concerns that the concept of ‘erasure’ is misleading and places “unrealistic expectations” on data controllers.
5. All private sector organisations with over 250 staff (and some smaller high-risk data businesses) will be required to appoint a data protection officer, to be responsible for data protection compliance. There is also the suggestion that such individuals may benefit from enhanced employment protection.
6. The annual obligation to register with the Information Commissioner will be replaced with an obligation to keep internal documentation.
For the proposed Regulation to become law, it now needs to be adopted by the Council of Ministers. The European Parliament has stated that it is ready to negotiate the content of the Regulation with the Council of the EU, as soon as the Council has defined its position. The next meeting of the Justice Ministers to discuss this topic will take place in June 2014, so expect further developments once this has taken place.
Once there are firm proposals in place, we will undoubtedly be in touch again. But, if you have any queries in the meantime, please do not hesitate to contact Luke Golding.