Data protection reform: Frequently asked questions
European Commission - MEMO/12/41 25/01/2012
Other available languages: none
Brussels, 25 January 2012
Data protection reform: Frequently asked questions
Why do we need to reform the EU data protection rules?
With social networking sites, cloud computing, location-based services and smart cards, we leave digital traces with every move we make. We need a robust set of rules to make sure people's right to personal data protection – recognised by Article 8 of the EU's Charter of Fundamental Rights – is made effective.
The right to the protection of personal data is also explicitly stated in Article 16 of the Treaty on the Functioning of the European Union. This gave the EU new responsibilities to protect personal data in all areas of EU law, including police and judicial cooperation.
In Europe, legislation on data protection has been in place since 1995. The Data Protection Directive guarantees an effective protection of the fundamental right to data protection. But differences in the way that each Member State implements the law have led to inconsistencies, which create complexity, legal uncertainty and administrative costs. This affects the trust and confidence of individuals and the competitiveness of the EU economy. The current rules also need modernising – they were introduced at a time when many of today's online services and the challenges they bring for data protection did not yet exist.
Are people concerned about how their personal data is used?
According to a recent Eurobarometer (IP/11/742), 70% of Europeans are concerned that their personal data may be misused. They are worried that companies may be passing on their data to other companies without their permission. Many users – especially young people – are not aware of privacy policies when they create a profile on a social networking site. When people surf the net, they are also not aware that their search data could be used by online advertisers. Therefore, privacy policies must be written in clear, plain language. Companies should be transparent about their privacy statements.
74% of Europeans think that disclosing personal data is increasingly part of modern life, but at the same time, 72% of Internet users are worried that they give away too much personal data, according to the Eurobarometer survey. They feel they are not in complete control of their data. This erodes their trust in online and other services and holds back the growth of the digital economy in general.
What is personal data?
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. The EU’s Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.
What will change under the proposals?
The Commission's proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. They focus on: reinforcing individuals' rights, strengthening the EU internal market, ensuring a high level of data protection in all areas (including police and criminal justice cooperation) ensuring proper enforcement of the rules, facilitating international transfers of personal data and setting global data protection standards.
The proposed changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that people's personal information is protected – no matter where it is sent, processed or stored – even outside the EU, as may often be the case on the internet.
How will the changes help improve personal data protection for individuals?
How will they help businesses?
How will the rules be enforced?
Under the new proposals, there will be only one set of data protection rules and one responsible data protection authority – the national authority of the Member State in which the company has its main establishment. This 'one-stop-shop' for data protection will greatly simplify the way businesses and citizens interact with data protection laws and give incentives to trade and invest cross-border in the internal market, as opposed to the current situation where businesses are supervised by a different authority in each Member State they are established.
Are there any penalties?
The Regulation provides for sanctions that are proportionate and dissuasive. For first offences, the national supervisory authorities may send a warning letter. For serious violations (such as processing sensitive data without an individual's consent or on any other legal grounds) supervisory authorities shall impose penalties up to €1 million or up to 2% of the global annual turnover of a company. The fines start out at €250,000 or up to 0.5% of turnover for less serious offences (a company charges a fee for requests from a user for his data) and move up to €500,000 or up to 1% for not supplying information to a user or for not having rectified data.
What about the economy?
A stronger, simpler and clearer data protection framework will encourage companies to get the most out of the Digital Single Market, fostering economic growth, innovation and job creation. This will especially help small and medium-sized enterprises.
For companies offering cloud services – remote storing and processing of data on computer servers – the trust in the EU’s coherent regulatory regime will be a key asset and attractive point for investors.
Having the same rights across the EU will also boost individuals' confidence in the fact that the protection they get for their data will be equally strong, wherever their data is processed. This will improve trust in online shopping and services, helping to boost demand in the economy.
Both for citizens and business, these reforms will help break down barriers that are hindering Europe's response to the crisis.
What about the use of data by police and judicial authorities?
A new Directive will apply general data protection principles and rules to police and judicial cooperation in criminal matters. These rules will apply to both domestic processing and cross-border transfers of data. Having the same law in all EU Member States will make it easier for our police forces to work together in exchanging information. This will help fight crime more effectively. If people's personal data is shared in this way, they can be confident that it will be protected by the same law everywhere and that your fundamental right to data protection will be respected.
What are the next steps?
The Commission's proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. The Regulation will be enforceable in all Member States two years after it has been adopted. Member States will also have a period of two years to transpose the provisions in the Directive into national law.
Press pack: data protection reform:
European Commission – data protection:
Homepage of Vice-President Viviane Reding, EU Justice Commissioner:
Justice Directorate General Newsroom: