Data Protection
Tuesday, June 12, 2012
The European Commission has published proposals for major changes to data protection legislation in the EU.
The idea is to encourage greater consistency in data protection across all Member States, with new rights for individuals, new obligations for data controllers (such as employers and pension scheme trustees) and much tougher penalties where breaches occur.
The changes won't be immediate, but there are some key areas to watch as the draft goes through the European parliamentary process. The impact on pension schemes is not known. Immediate points to note are:
There will be new, severe penalties for breach of the regulation. Fines of up to EUR 1 million, or 2% of annual worldwide turnover, could be imposed for breaches in relation to consent, security measures, system design and reporting of breaches.
There will be significant changes to consent requirements for data processing. The regulation requires that a data subject's consent to the processing of their data must be 'freely-given, specific and informed' and must be by way of an explicit statement or clear affirmative action. It will not be possible to take silence or inactivity as implied or negative consent. The draft regulation raises a number of questions in the context of employment and pensions.
For example, it states that 'consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller', and that this applies, in particular, to processing by an employer of employees' information.