Privacy plans that give people more control over what personal information is held about them are welcomed by some, but businesses fear 'onerous' burden
People will have the 'right to be forgotten' under new data protection rules proposed by the European Commission.
This means they can request that any personal data held by a company or organisation is deleted unless the authorities say there is a "legitimate reason" for retaining the information.
Companies must also get express consent from parents or guardians before they process the data of children under the age of 13.
EC Justice Commissioner Viviane Reding said that privacy and data protection was a "fundamental right" for all EU citizens, and that updating the 1995 data protection rules now was "increasingly important as we leave digital traces with every move we make".
Other proposals put forward by the Commission would introduce new regulations that protect the storage and retention of people's personal data used in judicial activities, such as the prevention and investigation of criminal offences.
Because the new rules are designed to protect people's privacy, they will also apply to companies based outside the EU if they market and offer their services to EU citizens.
There will also be a requirement for companies and organisations that handle people's data to inform the authorities of any data breach as soon as possible, and within 24 hours if this is feasible. Serious violations could result in companies being fined up to two per cent of their turnover, with a cap of 1m euros for other bodies.
Reaction to the proposals has been mixed.
Peter Hustinx of the European Data Protection Supervisor's office said the proposals were a "huge step forward for data protection in Europe" but there was still a need for further improvements.
The Information Commissioner's Office said it "welcomed" many of the proposals but had "reservations" about others. However, the UK privacy watchdog said it would need to examine the proposals further before it could give specific comment on how individual proposals may affect people and companies within the UK.
Civil rights and privacy organisations are also generally happy because the proposals give consumers more control over their data. Peter Bradwell of the Open Rights Group told us it was a step in the right direction but the organisation still had concerns.
"Overall it's really good news that Europe is looking at better privacy controls. That said we are concerned that with companies saying the burden placed on them will be onerous, some of the proposals giving citizens control over their data may be watered down."
Businesses have greeted the proposals with far less enthusiasm. Overall the response is one of criticism, with concerns that the proposals will place an 'onerous' burden on companies, for example by forcing firms with 250 employees or more to appoint a data protection officer.
Ross Brewer of LogRhythm argued that the data breach disclosure rules could cause companies to "overstate the severity of the incident". He pointed out this had happened in the US with its similar laws, which have sometimes caused more harm than good.
Marc Dautlich, lawyer with Pinsent Masons, gave us an overall view and said: "There are good and bad aspects for both consumers and businesses. For consumers having more control over their data is welcome but many may not know what they should do if they are informed of a breach of their data.
"I hope the Commission gives details of what data controllers must do when notifying consumers whose data they have lost, by taking a leaf out of the product recall rules. Consumers who receive a product recall notice know what the dangers are and what to do.
"The good news for companies is the harmonisation of data protection laws across Europe. But overall the proposals for businesses will be onerous, especially small and medium firms."
The rules need to be approved by the EU's member states and ratified by the European Parliament, which could take up to two years.