EN
How will the EUs data protection reform benet European businesses?
A chain of shops has its head oce in France and franchised shops in 14 other EU countries. Each shop collects data relating to clients and transfers it to the head oce in France for further processing. Under current rules, the French data protection authority would be responsible for enforcing the law and would provide a point of contact in case of any problems. But the individual shops would still be required to process their customers personal data in accordance with the laws of the country where they were located which might dier from the rules applicable to their head oce in France. In addition, shops may have to observe guidelines and decisions taken by the national data protection authority which could dier from and even contradict those applicable to other parts of the same company.
What is the current situation and why does it need to change?
Currently, businesses in the EU have to deal with 27 dierent national data protection laws. This fragmentation of rules between EU countries is a costly administrative burden that makes it harder for many companies, particularly small and medium-sized businesses (SMEs), to access new markets. Businesses that fail to adequately protect individuals personal data risk losing their trust. This trust, particularly in the online environment, is essential to encourage people to use new products and services.
Attitudes towards data protection
n n
Authorities and institutions are more trusted by Europeans than companies (particularly online businesses). A majority believe that their personal data would be better protected in large companies if these companies were obliged to have a data protection ocer (88%). 70% of Europeans are concerned that their personal data held by companies may be used for a purpose other than that for which it was collected. Most Europeans think that companies breaching data protection rules should be ned (51%), banned from using such data in the future (40%), or compelled to compensate the victims (39%).
Special Eurobarometer 359 Attitudes on Data Protection and Electronic Identity in the European Union, June 2011
Any questions? http://ec.europa.eu/justice/data-protection/index_en.htm Contact Europe Direct: 00 800 67 89 10 11 - http://europa.eu/europedirect/
�EN
What is the Commission proposing?
The aim of the EUs data protection reform is to modernise, simplify and strengthen the data protection framework, in order to unlock the full potential of the single market. This in turn will foster economic growth, innovation and job creation. The reform will drastically cut red tape, particularly for SMEs, including the current obligation to notify data processing, which costs businesses about 130million per year, or prior authorisation for international transfers of data based on binding corporate rules or standard contractual clauses. Instead, the rules will focus on requirements that oer legal certainty and real added value to Europeans. Under the new proposals, companies will only have to deal with one set of data protection rules and be answerable to a single data protection authority the national authority in the EU country where they have their main base. This onestop shop for data protection will greatly simplify the way businesses interact with data protection laws and give incentives to trade and invest cross-border in the internal market. In return, the reform will oblige companies to be more accountable for their data processing. Big companies (over 250 employees) and also companies systematically monitoring citizens will have to appoint an independent data protection ocer. Privacy by design and privacy by default are principles that will would need to be integrated into business processes. This means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-protecting default settings, for example in social networks, should be the norm.
How will this help?
One single law and one single authority will apply to a business based in the EU. Companies based outside the EU, oering goods or services in the EU or monitoring behaviour of citizens, will also have to apply EU data protection rules. Companies will be able to oer their customers assurances, backed up by a regulatory framework, that valuable personal data will be treated with the necessary care and diligence. Simpler, clearer and stronger rules will also help build individuals trust in emerging businesses, particularly online. Privacy-friendly European companies will have a competitive advantage on a global scale at a time when the issue is becoming increasingly sensitive. With the emerging global digital economy and the increasing popularity of cloud computing services, legislation which reinforces trust in the market will be a key driver for business growth. This is in turn expected to attract more investment and make the EU a more attractive place to do business, taking full advantage of the single markets growth potential.
What will be the key changes?
n
n n
A level playing eld for businesses through one single law applicable to any business across the EU. This harmonisation is expected to save businesses up to 2.3 billion per year. Simplication of the regulatory environment by drastically cutting red tape and bureaucratic requirements which impose unnecessary costs on businesses. A one-stop-shop companies in the EU will be answerable to a single data protection authority (DPA), no matter how many EU countries they do business in. Enhanced cooperation between DPAs to ensure the consistent application of rules across the EU. Companies with more than 250 employees should be proactive and take measures to ensure compliance with data protection law by appointing a data protection ocer.
Any questions? http://ec.europa.eu/justice/data-protection/index_en.htm Contact Europe Direct: 00 800 67 89 10 11 - http://europa.eu/europedirect/
