EU Releases Final Data Protection Framework

The European Union has released a much-anticipated draft data protection regulation, which would replace the existing EU privacy framework, in place since 1996. Under the current framework, each member state has put into place its own implementing legislation under an EU directive. Under the proposal, there would be both a directive for national legislation, as well as an EU-level regulation on privacy. Key changes from the existing laws would include a requirement to notify local data protection authorities in the event of a data breach. Notice would need to occur as soon as possible (and the proposal indicates that where feasible, it should happen within 24 hours of when the company becomes aware of the breach). The new framework also offers stronger individual protections, like a "right to be forgotten," requiring companies to delete personal information if there are no legitimate reasons to keep it; and a need to get explicit consent if permission is needed for data to be processed. This last protection would impact the use of information for direct marketing or online behavioral advertising, and companies would need to get consent through a clear affirmative action by the individual. This might include an unchecked check-box, but does not include silence or inactivity. The final regulation will proceed to the EU member states for approval, and if approved by the member states would become enforceable two years after the regulation was adopted.

TIP: There is still time before this new EU framework goes into effect, and it may change several times over the next few years. Nevertheless, companies that are subject to EU requirements may want to examine their current practices to get a sense of what steps would need to be taken to come into compliance, in particular with the data breach and consent provisions.