Planned EU Data Protection Reform

On 25 January 2012, the European Commission brought forward a proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as the “Regulation”). 

 The need to reform the EU personal data protection rules has arisen from rapid technological development and an ever-increasing influence of the digital environment on our lives. It has also been caused by the necessity to guarantee the rights established in Article 8(1) of the EU’s Charter of Fundamental Rights and Article 16(1) of Treaty on the Functioning of the EU, to ensure equal protection of such rights throughout the EU, to remove differences precluding free movement of personal data on the internal market, and to stimulate the digital economy growth.

 The centrepiece of current EU legislation on personal data protection is Directive 95/46/EC of the European Parliament and of the Council as of 24 October 1995, governing protection of individuals with regard to processing of personal data and on the free movement of such data (hereinafter referred to as the “Directive”).  Once adopted, the Regulation will repeal the Directive.   

The Regulation proposes major changes to the legal framework for the protection of personal data that will significantly affect legal or natural persons engaged in personal data processing activities and will be of paramount importance to the rights and duties of natural persons in their capacity as data subjects. Once adopted, the Regulation will apply to all 27 EU Member States. This will result in unification of the currently effective legal frameworks of the Member States, which currently vary in applying and implementing the Directive. Before the Regulation takes effect and becomes applicable in all 27 Member States, it is necessary to familiarise with, and prepare for, the major changes to be introduced by the Regulation.

Expanded regulatory scope: The Regulation will apply to data controllers/processors established in EU Member States and engaged in personal data processing activities. It will also apply to controllers (but not processors) established outside the EU where the processing activities are related to the offering of goods or services to data subjects residing in the EU or to the monitoring of their behaviour.

Expanded definition of sensitive personal data: Deemed as sensitive personal data by the Directive is data revealing race or ethnic origin, political opinions, religion, philosophical or other beliefs, trade-union membership, or data concerning health or sexual life. The Regulation proposes genetic data, biometric data and data concerning criminal conviction or related security measures to be added to the list of such sensitive data.

New principles relating to personal data processing: No changes will be made to the basic principles established in the Directive, but the Regulation introduces new principles, such as the principle of adequacy and minimality (i.e. personal data must be limited to the minimum necessary in relation to the purposes for which it is processed; data will only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data), the principle of transparency (i.e. the data subject must be explicitly informed about the purpose for which personal data is being collected), and the principle of broad responsibility and liability of the controller (i.e. the controller must ensure and demonstrate for each processing operation the compliance with the provisions of the Regulation).

Explicit consent: The data subject’s consent to the processing of his or her personal data may be neither implied nor ambiguous, which is a recurrent situation in the current practice. Therefore, the definition of the data subject’s consent in the Regulation encompasses any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. Based on such definition, the data subject’s non-objection to the processing of personal data will not constitute his or her consent. Such consent must be demonstrated by clear affirmative actions or statements by the data subject evidencing that he or she is aware that he or she is giving consent and also to what he or she is consenting to. The burden of proving the data subject’s consent to the processing of his or her personal data will be borne by the controller.

Requisite notification of a personal data breach: The Regulation requires that in the case of a personal data breach, the controller must without undue delay and, where feasible, not later than in 24 hours after having become aware of it, give notices of such personal data breach to the supervisory authority. Accordingly, the processor must alert and inform the controller immediately after the establishment of a personal data breach. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller will be required to communicate the personal data breach to the data subject without undue delay.

Right to be forgotten: The reform is aimed at granting the data subject the right to be forgotten. This means that if (i) the data subject withdraws consent on which the processing is based, or (ii) the storage period consented to expires, or (iii) such processing does not comply with the Regulation, the data subject will have the right to obtain from the controller assurance regarding the erasure of personal data and the abstention from further dissemination of such data.

More obligations imposed on data processors: No requirements other than the obligation to follow the data controller’s instructions are presently imposed on the data processor by the Directive which makes reference to the national law and obliges each Member State to provide in its law for the processor’s obligation to ensure data safety, i.e. to implement the necessary technical and physical measures.

The above requirement will continue to be binding on the processor though several new requirements will also be imposed, namely (i) the processor will not process personal data except on instructions from the controller unless required to do so by law; (ii) the processor will be obliged to maintain documentation of all processing operations under its responsibility; and (iii) the processor will be allowed to enlist another processor only with the prior permission of the controller, etc. Failing to comply with the controller’s instructions the processor will be considered to be a controller. The processor will then be considered as the controller and will be held directly liable for breaches and will be subject to sanctions imposable under the Regulation (see Table below).

In this context, it is important to make mention of cloud computing service providers who are data processors within the meaning of the Directive, whereas cloud computing service users/clients are deemed to be data controllers. As already noted, these service providers in their capacity as data processors are now only required to ensure data safety but will have far more obligations once the Regulation is adopted. Such obligations originating from the Regulation and the service provider’s anticipated liability for breach will be of great importance in cases when small and medium-sized businesses or natural persons, who usually have no possibility of haggling over the standard contract terms proposed by cloud computing giants, are involved.

Severe financial sanctions: The Directive presently gives EU Member States freedom to determine sanctions for breach of the data protection rules. The sanctions to be imposed by the Regulation in the form of fines will be more than several or even ten times larger than the amounts of fines envisaged in national laws of EU Member States (see Table below). As a matter of fact, the Regulation will also make it possible to give a warning if the breach is other than a “serious breach” though that will most likely be the exception rather than the rule.

“One-stop shop”: In order to simplify the process of supervision, the Regulation provides that if the controller/processor is operating in more than one Member State, the supervisory authority of the main establishment of such controller/processor will have full competence to supervise the processing activities of the controller or the processor in all Member States. According to the Directive, each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it. Thus, for example, the controller/processor operating in five Member States is supervised by the supervisory authorities of those five Member States. The “one-stop shop” principle is expected to help supervisory authorities to reduce the costs associated with the exercise of such supervision, as well as the costs of the data controllers/processors.

Data protection officer: A data protection officer will be designated if the processing is carried out (i) by a public authority or body, (ii) by an enterprise employing 250 persons or more, or (iii) if the core activities of the controller/processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. The data protection officer will be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The necessary level of expert knowledge will be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor. The data protection officer will be designated for a period of at least two years and will be eligible for reappointment for further terms. During his or her term of office, the data protection officer may only be dismissed if he or she no longer fulfils the conditions required for the performance of their duties. The name and contact details of the data protection officer will be communicated to the supervisory authority of the Member State and to the public.

No requisite registration with the supervisory authority: Each data processing body/organization is presently required (with certain exemptions) to obtain registration as a controller/processor with the supervisory authority of that Member State in which it operates. This requirement will be revoked in the Regulation except in cases when the supervisory authority deems such registration and prior consultation necessary because processing operations may by virtue of their nature, scope, or purposes present specific risks to the rights and freedoms of the data subject.

European Data Protection Board: According to the Regulation, there will be a new independent authority composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor set up to ensure consistent application of this Regulation.

* * * *

As far as the legislative process in the European Union is concerned, the Regulation could presumably be adopted in 1 or 2 years, whereupon a 2-year transitional period will apply. Consequently, the Regulation will not take effect until spring 2015 at the earliest. This notwithstanding, data processing bodies/organizations operating in the European Union should make prior arrangements for such new rules to be introduced by the Regulation so as to avoid or mitigate possible adverse effects that their application may produce on the data processing bodies/organizations or data subjects.

Table of Sanctions


Legal Basis

Event of Breach


Article 79(3) of the Regulation

In case of a first and non-intentional non-compliance with this Regulation, where: (i) a natural person is processing personal data without a commercial interest, or (ii) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities

A warning in writing

Article 79(4) of the Regulation

Anyone who intentionally or negligently: (i) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects, or (ii) charges a fee for the information or for responses to the requests of data subjects.


A fine up to EUR 250 000 or in case of an enterprise – up to 0.5 % of its annual worldwide turnover

Article 79(5) of the Regulation

Anyone who intentionally or negligently: (i) does not provide the information or does provide incomplete information to the data subject, or (ii) does not provide access for the data subject or does not rectify personal data or does not communicate the relevant information to a recipient, or (iii) does not comply with the right to be forgotten or to erasure, or (iv) does not or not sufficiently maintain the documentation, etc.


A fine up to EUR 500 000  or in case of an enterprise – up to 1 % of its annual worldwide turnover

Article 79(6) of the Regulation

Anyone who intentionally or negligently: (i) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent, or (ii) processes special categories of data in violation of the Regulation, or (iii) does not comply with an objection expressed by the data subject, or (iv) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject, or (v) does not designate a data protection officer, or (vi) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority, etc.

A fine up to EUR 1 000 000 or in case of an enterprise – up to 2 % of its annual worldwide turnover


Autorė: GLIMSTEDT teisininkė Kornelija Bogniukaitė

Straipsnis publikuotas TerraLex

Užsisakykite svarbiausias naujienas

Glimstedt dokas

Verslo poreikiams pritaikyti, patyrusių advokatų parengti, aukštos kokybės dokumentai greitai ir už prieinamą kainą. Be įsipareigojimų ar registracijų.

Glimstedt dokas