Proposed New Rules on Data Protection Unveiled

The new proposals aim to update and harmonise the current EU data protection regime including strengthening individuals’ rights. The proposed legislation is in two parts comprising a Regulation and a Directive which will replace the current Data Protection Directive (Directive 95/46/EC).

The most directly relevant part for colleges and universities will be the Regulation, where the main law is to be found and which, when it becomes law, will apply directly to the UK and other EU member states. The drafts still have to go through a discussion, amendment and lobbying phase before finally becoming law.

Some initial proposals to highlight in the Regulation which are of relevance to colleges and universities are:

  • Clarification of explicit consent as a condition for lawful processing of personal data (where consent is needed). Silence or inactivity is not to be taken as consent. The burden of proof of consent will rest with the data controller.
  • Data subject's right to be forgotten and to erasure of personal data. Where you no longer want your data to be processed and there is no legitimate reason for processing, the data should be removed from the relevant systems.
  • Introduction of a data subject's right to data portability and right to obtain their data in a structured, commonly used electronic format.
  • Introduction of the principles of privacy by default and privacy by design.
  • Obligation to notify personal data breaches within 24 hours if feasible, but otherwise without undue delay.
  • Obligation to carry out a DP impact assessment prior to some processing.
  • Mandatory appointment of a DP officer for a public authority/body or for organisations with over 250 employees.
  • Mandatory obligations regarding transfer of personal data to third countries.
  • Specific protection for children (under 18) and no processing of personal data without parental/guardian consent if under 13.
  • Simplification of the processes needed to transfer data, particularly in regard to binding corporate rules, and including clarification on when EU law applies to data controllers beyond the EU (i.e. mainly when goods or services are being offered to EU individuals).
  • Clarification on processing of personal data for the purposes of historical, statistical or scientific research.

Unlike the Directive, the Regulation when finalised will apply directly to each member state without the need for further legislation in each EU country to implement it. The stated aim of this is to ensure consistency of protection for individuals and of application across the EU (i.e. one law on data processing across the EU) and to simplify international transfer of data beyond the EU, in recognition of the increasing prevalence of cloud computing and social networking.

The proposed Directive relates to processing (including cooperation with law enforcement authorities in other countries) by police and judicial authorities for the prevention, investigation etc. of crime. It has been recognised that the existing laws in this area in individual member states are complex, and as a Directive needs to be followed up by individual national laws to implement it, it was felt this would give the necessary flexibility. It was also felt it would provide the best way of ensuring that the EU-level rules encourage cooperation between law enforcement authorities, with the aim of processing and exchanging information more quickly to aid in the prevention of transnational crime and terrorism.

The proposals and the background materials are available on the EU website at http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

The ICO has made some initial comments on the proposals http://www.ico.gov.uk/news/latest_news/2012/statement-initial-response-new-data-protection-regulation-proposals-25012012.aspx

The Regulation and the Directive have a long process to complete before becoming law and JISC Legal will provide updates on progress at http://www.jisclegal.ac.uk/

Posted on 26/01/2012
