Early in 2012 the European Commission decided to review its data protection rules, and last month it published a new European Regulation and a Directive.
The new Data Protection Regulation will apply from 25 May 2018 and repeal the 1995 Directive. It reiterates that any processing of personal data should be lawful and fair and that people should know how their personal information is being collected, used, consulted or otherwise processed and to what extent it is or will be processed. Citizens must also be made aware of the risks, rules, safeguards and their rights (and how to exercise them) in relation to any processing of their personal data. There should also be limits on what information is collected and how long it is kept, and it should be held securely and accurately and deleted when no longer required.
The key change is that the new Regulation specifically requires that citizens express explicit consent for their data to be processed at the time it is collected. It will no longer be acceptable to assume that “silence gives assent”. It is being suggested that even “opt-out” options may no longer meet the spirit of the law.
The Directive, which has to be transposed into national law by 6 May 2018, deals with the processing of personal data by “competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data”. It also establishes specific rules for the transfer of personal data outside the EU.