The Ministry of Justice (MoJ) has issued a 'call for evidence' to "data controllers, rights groups, information policy experts and other interested parties" in a bid to understand what impact the groups think the proposals will have. MoJ said the information provided would help shape how the Government will negotiate over the planned reforms.
"To negotiate for an effective EU data protection legislative framework, the Government needs information about what the impact of the Commission’s proposals is likely to be," the MoJ's call for evidence (46-page / 327KB PDF) document said.
"In particular, we would like information on the potential impact on organisations processing personal data, as well as the likely benefits to individuals through strengthened rights," it said. "Wherever possible, we would like this information to include practical, day-to-day examples of the proposals’ possible effects and monetised cost and benefit figures. We would also like views on the extent to which these proposals build trust in the online environment, whether they can contribute to economic growth and whether they affect the rights of individuals to the protection of their personal data."
"Comments on how the draft provisions would affect data controllers and data subjects, including monetised costs and benefits, are very welcome," the MoJ said.
The call for evidence is open until 6 March and a paper summarising the responses is due to be published on 4 June.
Last month the European Commission set out plans to replace the 1995 EU Data Protection Directive with a new General Data Protection Regulation. If enforced it would introduce a single data protection law across all 27 EU member states.
Companies from outside the trading bloc that process personal data of EU citizens would also be subject to the rules. The Commission also laid out plans for a separate Directive to govern the way law enforcement processes personal data.
The Commission said that the current data protection regime in the EU was fragmented and outdated and that reform was required to bring the rules up-to-date with advancements in technology.
Under the terms of the draft proposals many large businesses and those with personal data-heavy processing operations would be required to appoint dedicated data protection officers. A new regime of penalties was also proposed that could see businesses fined up to 2% of their annual global turnover for failure to issue timely notifications about any breaches of data security.
Businesses will also be required to keep a record of their personal data processing and provide the information upon request to regulators.
Organisations operating in the EU will generally have to obtain explicit, freely given, specific and informed consent from individuals in order to lawfully process their personal data. That consent cannot be gleaned through silence or inactivity on the part of individuals. Instead, it must be obtained through a statement or "clear affirmative action" before it can be said to have been given.
Organisations could also have to delete personal data associated with individuals upon request under a new qualified 'right to be forgotten'. Consumers will also have a general right to switch electronically processed personal data between rivals under proposed 'data portability' rules.
Changes to the rules around data transfers have also been proposed to make it easier for companies to establish a single set of legally-binding corporate rules (BCRs) that apply across the EU. Under the Regulation proposed, BCRs approved by one regulator will apply in all other EU countries.
Marc Dautlich, expert in data protection law at Pinsent Masons, the law firm behind Out-Law.com, previously expressed concern about the "burdens" that the new laws could have on businesses. He said that medium-sized companies would "balk" at having to employ a data protection officer even if they did not process much personal data.
Dautlich said that giving organisations only 24 hours to report data breaches was an insufficient amount of time for those companies to assess the impact of those breaches and recommend effective remedies to customers.