On November 4, 2010, the European Commission (“Commission”) released proposed revisions to the European Union’s (“EU”) Data Protection Directive. The purpose of the Commission’s proposed revisions is to “set out a strategy on how to protect individuals’ data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU.” Key recommendations include:
- Requiring entities that collect consumers’ personal information to inform consumers “in a clear and transparent way” about how their data will be used;
- Providing consumers the “right to be forgotten” by allowing consumers to fully delete digital information, such as social networking profiles, upon request or after there is no longer a legitimate purpose to retain the data;
- Ensuring consumers are guaranteed data portability, which would allow a consumer to transfer his or her personal data (e.g., e-mail lists, photos, documents) from one application or service to another application or service without hindrance from the data controllers;
- Requiring entities that experience a data breach affecting personal information to notify individuals whose information is compromised;
- Strengthening penalties for violations of the EU’s privacy rules, such as imposing criminal penalties for serious law breaches and allowing data protection authorities and civil society associations to bring an action for violations of data protection provisions before the national courts; and
- Expanding the role of the EU’s Article 29 Working Party—a committee comprised of data protection authorities from the EU’s 27 member states—to help ensure that EU privacy laws are applied consistently across member countries.
Businesses, privacy advocates, and other interested parties can submit comments regarding the Commission’s proposed privacy law changes until January 15, 2011. More information regarding the Commission’s proposed revisions can be found in the Commission’s press release announcing its changes.