European Commission Releases Formal Proposal on Data Protection Reform By Robert Stankey and Adam Shoemaker On Jan. 25, 2012, the European Commission released the final version of its proposed revisions to the European Union’s data protection framework. The package of changes represents a comprehensive reform of the EU’s 1995 data protection rules. Significant changes include:
- A “right to be forgotten,” which would give individuals a right to demand that user data be permanently deleted from websites;
- A requirement that websites obtain explicit consent from users to permit the storage and use of their personal data (and allow for revocation of consent);
- A requirement to provide notifications about data breaches to data protection authorities and individuals within 24 hours of discovery; and
- A right for individuals to request that their personal data (such as posts, contacts, and pictures on a social network) be moved from one online service to another.
- Make more non-EU websites subject to the rules (by merely offering goods and services to Europeans);
- Clarify which national privacy rules are applicable within the EU (based on the location of an organization’s “main establishment”);
- Eliminate some bureaucratic compliance obligations (e.g. registration and other filings with national data protection authorities); and
- Require more organizations to have data protection officers.