EU updates data protection rules

Data Protection Regulation expands EU's jurisdiction

In 1995, AOL still charged by the hour for dial-up Internet access, Stanford Ph.D. candidates Larry Page and Sergey Brin were a year away from launching the research project that would become Google, and Mark Zuckerberg celebrated his 11th birthday. Fewer than 1 percent of European Union residents were Internet users.

That was the year the EU adopted its Data Protection Directive, which regulates the collection, processing and storage of personal information in Europe. Fast forward to the age of cloud computing, social networking and online behavioral advertising, and the antiquated rules were in need of a face-lift. After more than two years of consultations with industry, governments and individuals, on Jan. 25 the European Commission (EC) released its draft General Data Protection Regulation, an Internet-era revision that will replace the 1995 directive.

Streamlined Rules

While the 1995 directive instructed each of the 27 member states to incorporate and implement the requirements into law, the update comes in the form of a regulation, which overrides national laws. Companies no longer will have to deal with 27 different interpretations of the 1995 directive. There will be one set of rules, and companies will only work with the national authority of the member state in which the company has its main establishment.

Companies with 250 employees or more would have to appoint a senior data protection officer in an auditor role.

“Only a small handful of very forward-looking companies have implemented accountability-type frameworks,” says Lisa Sotto, a partner at Hunton & Williams. “You can’t underestimate how significant this change is going to be.”

Associate Editor

Melissa Maleske

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.