The basis of EU data protection law is the 1995 Data Protection Directive (95/46/EC), which was implemented into UK law by the Data Protection Act 1998. Since 1995 technological progress and globalisation have profoundly changed the way data is collected, accessed and used. In addition, EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. The European Commission has therefore proposed a comprehensive reform of the 1995 rules to strengthen online privacy rights and boost Europe’s digital economy. Under the new proposals, companies across Europe would only have to deal with one set of data protection rules and be answerable to a single data protection authority – the national authority in the EU country where they have their main base.
The proposals take the form of a draft Regulation and a draft Directive. Several elements of the draft Regulation have proved controversial – for example, a new definition of consent that requires that consent to the processing of personal data be given explicitly; and a right for data subjects to be “forgotten”, including the right to obtain erasure of personal data available publicly online.
The Commission’s impact assessment estimates that the new regime would bring an administrative saving to the EU, totalling €2.3 billion each year. The UK Government has indicated that it disagrees with this assessment and believes that “the burdens the proposed regulation would impose far outweigh the net benefit estimated by the Commission”.
Negotiations between the European Council, the European Commission and the European Parliament are ongoing. Assuming that these are concluded satisfactorily, the Regulation is expected to be adopted in 2014, with implementation two years later, in 2016.