2012-01-31

EU Commission introducing new data protection rules

On 25 January 2012, the EU Commission proposed two new acts on the processing of personal data in the EU.

• The first one is a proposal for a new Personal Data Regulation which will replace the current EU Data Protection Directive from 1995, implemented in Danish law through the Personal Data Protection Act. The regulation is primarily intended to ensure the harmonisation by the member states of the laws regulating the processing of personal data in the private and public sectors, for example in relation to digital and social media.

• The second proposal is a directive which aims to establish minimum standards for protecting personal data in police and judicial cooperation in criminal matters.

According to the EU Commission, the draft regulation will ease the administrative burden of existing legislation and ensure extended rights for consumers.

One example of the reduced administrative burden is that companies only need to contact a single national data protection authority, in the EU country where they have their main establishment, and these authorities will have greater opportunity to enforce the rules in their respective countries. In addition, companies do not have the same obligation as before to declare all forms of data protection activities. The Commission assumes that the incentives will result in savings for the business sector of approx. € 2.3 billion per year.

However, in its current form the draft regulation entails a new set of comprehensive obligations for companies and organisations. These new obligations include:

• New requirements for storage of personal data

• An expanded definition of personal data, which means that several additional types of data are covered by the protection rules

• A requirement that companies must notify the national regulatory authority of serious breaches of data privacy (e.g. loss of data) as soon as possible (preferably within 24 hours)

• A significantly increased level of fines for breaches of data protection rules which may result in penalties of up to € 1 million or up to 2% of the company’s total annual turnover

• A requirement that companies with more than 250 employees must have an appointed data protection officer

• An expanded right for consumers to access their personal information, including the right to delete their personal information unless there are documented legitimate reasons for maintaining it

• Any processing of personal data within the EU is subject to EU rules, meaning that companies based outside the EU (e.g. Facebook) are also bound by the EU rules

The EU Commission's proposals will now be passed on to the EU Parliament and the EU Member States for discussion. The proposals will take effect two years after they have been adopted, thus in 2015 at the earliest.

The proposals have, however, already been heavily criticised for creating poor competitive conditions for companies established within the EU. It is therefore expected that the interested parties will make a great effort to prevent the regulations from being adopted in their current form.

The EU Commission’s proposal for new legislation is available on the EU Commission's website: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

For further information contact:
Partner: Rasmus Lund
Partner: Peter Gustav Olson
Associate: Rikke Bjerre-Nielsen Nybroe
Law student: Peter Christian Binau-Hansen
