As you may know, the proposal for a “General Data Protection Regulation” has been released on 25 January by the European Commission. This proposal is accompanied by a proposal for a specific Directive regarding the area of police and justice, and an explanatory Communication regarding both proposals.
The proposed Directive covers more specifically the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. It shall replace Framework Decision 2008/977/JHA adopted under the ex-“third pillar”.
The general Regulation shall replace the existing “Data Protection Directive” (Directive 95/46/EC), implemented in Belgian law by the Data Protection Act of 8 December 1992 (as modified by the law of 11 December 1998). A brief overview of this latter draft instrument is provided hereunder.
The proposed Regulation aims at:
- establishing an equivalent level of protection in all Member States ;
- modernising, completing and clarifying existing rules.
The main changes brought forward by the proposed Regulation may be outlined as follows:
1°) As a Regulation (as opposed to a Directive), the proposed instrument would be directly applicable in all Member States, without any transposition, two years after the publication of the future Regulation in the Official Journal.
2°) The scope of application would extend to data controllers established outside the EU, provided that they offer goods/services to, or monitor activities of data subjects in the EU.
3°) The general obligation to notify data processing to the national data protection authority would be abolished.
4°) Many provisions aim at reinforcing accountability and data security. These provisions would establish, among others:
- New rights for the data subject (right to be forgotten and to erasure, right to data portability, …)
- New conditions for data processing based on consent (explicit consent, burden of proof borne by the data controller, distinct presentation, …)
- An obligation to notify security breaches
- An obligation to conduct a data protection impact assessment
- An obligation to designate a data protection officer
- A “Privacy by Design” principle
5°) Data protection authorities (DPAs) would gain further independence and powers (e.g. DPAs would be allowed to provide binding decisions and to impose sanctions). Their respective competence would be clarified in order to offer a “one-stop-shop” for data controllers: the DPA from the Member State of the main establishment shall be competent. In addition, a “consistency mechanism” for DPAs’ decisions would ensure a coherent approach within the EU.
6°) The “European Data Protection Board” would replace the “Article 29 Working Party”, and would be granted with increased powers.
7°) A new exceptional derogation would be created for transfer to third countries where it is necessary for the purposes of the legitimate interests pursued by the data controller or processor, provided that an assessment of the situation has been carried out, and necessary safeguards have been taken.
8°) Finally, some specific provisions have been added relating to “specific data processing situations”, where a balance shall be struck between conflicting interests (e.g. freedom of expression, health sector, employment context, obligation of secrecy, ...).
The texts of the proposals, as well as their impact assessment, are available under the following link:
http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm