The EU’s 1995 Data Protection Directive set a milestone in the history of personal data protection. Its basic principles, ensuring a functioning internal market and an effective protection of the fundamental right of individuals to data protection, are as valid today as they were 17 years ago. But differences in the way that each EU country implements the law have led to an uneven level of protection for personal data, depending on where an individual lives or buys goods and services.

The current rules also need to be modernised – they were introduced when the Internet was still in its infancy. Rapid technological developments and globalisation have brought new challenges for data protection. With social networking sites, cloud computing, location-based services and smart cards, we leave digital traces with every move we make. In this “brave new data world” we need a robust set of rules. The EU’s data protection reform will make sure our rules are future-proof and fit for the digital age.

 What will be the key changes?

  1. A ‘right to be forgotten’ will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
  2. Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.
  3. Easier access to one’s own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.
  4. Companies and organisations will have to notify serious data breaches without undue delay, where feasible within 24 hours.
  5. A single set of rules on data protection, valid across the EU.
  6. Companies will only have to deal with a single national data protection authority – in the EU country where they have their main establishment.
  7. Individuals will have the right to refer all cases to their home national data protection authority, even when their personal data is processed outside their home country.
  8. EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behaviour of citizens.
  9. Increased responsibility and accountability for those processing personal data.
  10. Unnecessary administrative burdens, such as notification requirements for companies processing personal data, will be removed.
  11. National data protection authorities will be strengthened so they can better enforce the EU rules at home.