EU Proposes New Data Protection Law — Potentially Significant Implications for US Companies Doing Business in the EU

by Patrick Van EeckeCameron Craig and Jim Halpert

Viviane Reding, European Commission Vice-President and Commissioner responsible for justice, fundamental rights and citizenship, has announced the long-awaited Proposal for a new Data Protection Regulation.

The Proposal, announced December 6, has now entered into inter-service consultation with other Commission Directorates-General, after which the text will be considered by the Parliament and the Council, who may make significant changes.

The Regulation would repeal the current Data Protection Directive 95/46. It is expected to become law in two to three years.

DLA Piper had the chance to take a first glance at the draft Regulation before it was leaked by various Internet blogs. In some ways, the new law should make compliance more achievable by reducing bureaucratic filing requirements and authorizations. However, businesses would have to take additional steps to demonstrate compliance, variations in member state interpretations of the Data Protection Directive would be harmonized in ways that expand the rights of data subjects significantly, and the possible penalties for non-compliance would become much more severe than is currently the case.