Ministry of Science and Education of Ukraine, Ukrainian State University of Finance and International Trade
- Introduction
- Chapter 1. Legal Framework
- 1.1. Directives
- Regulation
- Definitions
- Fundamental Principles Governing Personal Data Processing
- Grounds for Processing of Personal Data
- Processing of Special Categories of Data
- Exemptions
- Rights of Data Subjects
- Data Collection by Smartphone Applications
- Transfer of Personal Data to Third Countries Outside the EU
- Chapter 2. Pending Reforms
- 2.1. Definitions and Basic Principles
- 2.2. Processing of Special Categories of Data
- 2.3. Processing of Health Data
- Chapter 3. Role of Data Protection Authorities
- 3.1. EU Level: European Data Protection Supervisor
- 3.2. Member States
- Designation of Data Protection Officers
- Summary
- List of Sources
Summary
The right to data protection and the right to privacy are two distinct human rights recognized in the Charter of Fundamental Rights of the European Union, the Treaty on the Functioning of the EU (TFEU), and in two legal instruments of the Council of Europe, to which all the EU Member States are parties.
In January 2012, the European Commission proposed a major overhaul of the existing legislative framework on the protection of personal data. The reform was necessitated mainly by three factors: (a) new challenges posed by globalization and Internet developments in the area of online services, which impact the processing of personal data and endanger the privacy of individuals; (b) a new legal basis in the TFEU; and (c) a dramatic increase in Internet users and serious concerns expressed by 70% of individuals in the EU about the possible misuse of their personal data.
Landmark EU Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, which was adopted in 1995 when the Internet was still in its infancy, met to some extent its twin objectives of safeguarding the personal data of individuals and improving the flow of personal data among EU Member States, but it resulted in diversity of implementation by the twenty-seven EU Members. By contrast, the pending proposal, which is in the form of a draft regulation because of its direct applicability in the legal systems of the Member States of the EU, will bring about greater harmonization of data protection rules, legal certainty, and transparency, and will also remove any obstacles in the flow of personal data within the single market and improve competition.
The draft regulation builds upon the fundamental principles on the processing of personal data established by Directive 95/46/EC. Thus, online processing of personal data is prohibited unless it meets necessary safeguards and is based on one of the required legal grounds, such as consent or the protection of vital interests of data subjects. Special categories of data, such as data concerning race, ethnic origin, political affiliations, religion, genetic data, or criminal convictions (the last two added by the Draft Regulation), are granted extra protection.
The proposal is designed to enhance the rights of data subjects by introducing two distinct rights: the right to portability and the right to be forgotten. These rights are in addition to those provided for in Directive 95/46/EC, that is, the right to access, object, correct, and erase. The right of portability allows individuals to obtain a copy of their data from one service provider and transfer it easily to another; the right to be forgotten allows individuals to request the elimination of personal data that are no longer needed or wanted. Additional safeguards include new provisions on profiling, and a requirement that data controllers notify individuals in the event of a security breach in order to avoid identity fraud. The privacy of children and their right to personal data protection is also enhanced, because the draft regulation prohibits the processing of personal data of a child below the age of thirteen without the consent of a parent or guardian.
Companies are obliged to implement the principles of privacy by design and privacy by default early in their business practices. The first principle relates to a company's obligation to include data protection safeguards from the very beginning in the development of products or services, whereas the second requires that privacy-friendly default settings must be the norm.
The draft regulation also strengthens the enforcement powers of data protection authorities, established under Directive 95/46/EC, by granting them the authority to impose a fine of €250,000 (about US$306,500) on individuals and administrative fines of up to 2% of global annual turnover on companies. Another innovation is that companies that employ more than 250 employees are required to appoint an independent data protection officer. Processors of personal data are required to notify data supervisory authorities within twenty-four hours when there is a security breach of personal data.
The scope of territorial applicability of the Regulation is broad. It will apply when a controller or processor is established in the EU and also to those established outside the EU who offer goods and services to data subjects in the EU or are involved in monitoring the behavior of individuals in the EU. Adequacy decisions verifying that a third country meets the EU standards will be further simplified and clarified. For transfers of personal data outside the EU, contractual clauses and simplified binding corporate rules will ensure that data processed outside the EU are adequately handled and protected.
The draft regulation will be further discussed in the Council and the Parliament and will enter into force two years after its publication in the Official Journal of the European Union.
