EU data protection reforms: less red tape but more housekeeping? | Practical Law

The European Commission has released details of its long-awaited plans to revise the Data Protection Directive (95/46/EC). The proposals take the form of a draft Regulation (which would have direct effect throughout the EU) and signify a substantial reform of the Directive.

Practical Law UK Articles 7-518-1997 (Approx. 5 pages)

by Kate Brimsted, Herbert Smith LLP
Published on 01 Mar 2012, European Union
On 25 January 2012, the European Commission (the Commission) released details of its long-awaited plans to revise the Data Protection Directive (95/46/EC) (the Directive). The proposals take the form of a draft Regulation (which would have direct effect throughout the EU) and signify a substantial reform of the Directive. Proposals include fines of up to 2% of global turnover, new rights for individuals, and onerous internal compliance measures.
If adopted substantially in its current form, the draft Regulation represents a further strengthening of data protection laws in the EU, which are already generally considered to be the most stringent in the world.

A single set of rules

Proposing a Regulation, and therefore one set of directly applicable rules throughout the EU, should hopefully level the playing field and eliminate the undesirable effects of the current lack of harmonisation under the Directive. For example, it is not always clear which, or how many, of the EU member states' data protection laws apply to an organisation operating in multiple EU jurisdictions.
This unified approach should therefore be a real improvement for international businesses grappling with different standards, regulators and bureaucratic hurdles.

A one-stop (regulatory) shop

Under the draft Regulation, an organisation with multiple presences across the EU will only have to deal with one of the member states' data protection authorities (DPAs) (for example, the Information Commissioner's Office in the UK).
The relevant DPA will be determined by the location of the organisation's "main establishment" based on where the main decisions about the data processing are taken or, failing that, where the main processing activities take place in the EU. This could lead to international businesses locating their EU headquarters in the traditionally more pragmatic data protection jurisdictions, such as the UK.

Longer jurisdictional reach

The draft Regulation would also apply to the processing of EU residents' personal data by an organisation which is not established in the EU but is either offering goods or services to such individuals, or is monitoring their behaviour (which could include behavioural advertising).
This has displeased some of the larger US-based internet businesses since these "non-established" data controllers would be required to comply with the Regulation when processing EU residents' data, and to appoint an EU representative.

Compulsory breach reporting

As expected, the draft Regulation requires data controllers across all sectors to notify their DPA of data security breaches involving personal data (at present, only public telecommunications service providers have to do so).
There is currently no minimum threshold which applies to the duty to report. The DPA must be notified without undue delay and, if feasible, within 24 hours of the organisation becoming aware of any data breach. Organisations will also be required to notify the individuals affected by the breach where it is likely adversely to affect the protection of their privacy.

Consent

In future, it will become more challenging to rely on consent as a ground for lawful processing of personal data; in particular, in relation to children under 13. This is because the draft Regulation requires all consent to be "explicit" and either to be by way of a statement or a clear affirmative action of the individual (or data subject (see box "Key words")).
This will require a major change in practice in the UK, particularly in the direct marketing sector, where data controllers generally operate on the basis of implied consent.

Individuals' rights

The much-vaunted and controversial "right to be forgotten" is openly targeted at the online sphere, with the activities of younger people in mind, and will strengthen the existing right to require deletion of data (for a feature article on this topic, see "Online content: managing the growing youth market risk", www.practicallaw.com/6-505-8573).
An organisation processing an individual's data and which has made those data public (including via a social networking site) will, as well as deleting the data it holds, be required to take all reasonable steps to inform third parties processing the published data of the deletion request.
The obligations are drawn broadly, although it is clear that they will increase costs and potential liability for social networking service providers, among others. A new data portability right has also been proposed, which will enable individuals to obtain a copy of the data held about them in a reusable, electronic format.

International transfers

The restrictions under the current regime on transferring personal data to non-EEA countries that do not ensure an adequate level of data protection cause some of the greatest compliance challenges for international businesses.
The draft Regulation extends the current options slightly. Binding corporate rules (BCRs) (sets of regulator-approved intra-group compliance rules) appear as the preferred transfer mechanism. A DPA will be obliged to approve a set of BCRs provided that they meet the requirements set out in the draft Regulation and, in theory, BCR approvals should be easier to obtain.
The draft Regulation also proposes that BCRs will, for the first time, be available for data processors, not just data controllers (see box "Key words"). Data transfer agreements using the Commission-approved "model clauses" will remain available as an alternative compliance route. (For an example of BCRs in practice, see Briefing "First Data's binding corporate rules: not for the faint-hearted?", www.practicallaw.com/0-513-9209.)

Internal governance

Under the draft Regulation, there will no longer be a formal registration ("notification") requirement for data controllers with the DPAs; this is estimated to save €130 million.
However, the requirement will be replaced by obligations to adopt internal policies and compliance measures, as well as implementing measures to audit the effectiveness of such policies and measures. In addition, records of any security breaches will have to be kept and data protection officers will have to be appointed for all public sector organisations and for larger private sector ones.

Data processors

Currently, data processors are not regulated under the Directive. This will change under the proposals, as some obligations will apply directly to data processors; in particular, in relation to security.
More measures are prescribed for data processing agreements (defining the relationship between a data controller and a data processor) and these look set to become more important, complex documents in future.

Sanctions

Data subjects will be able to sue for damages both controllers and processors that infringe their rights by failing to comply with the Regulation. In addition, DPAs will be able to impose sanctions ranging from a written warning in cases of first and non-intentional failure to comply, to fines of up to 2% of annual worldwide turnover.

Pros and cons

The Commission promised comprehensive reform and has delivered. It is also proposing a new Directive on protecting personal data in the area of law enforcement and related judicial activities.
The Commission commends the proposals as strengthening online privacy rights and boosting Europe's digital economy. It estimates that the Regulation should save businesses €2.3 billion a year compared with the costs of dealing with the fragmented legislation currently in place across the 27 member states.
Some cost savings should certainly be achieved; however, these could well be negated by the increased investment required to meet new internal accountability and governance requirements, underpinned by fines of up to 2% of annual worldwide turnover for non-compliance. Changes such as the greater jurisdictional reach and the "right to be forgotten" are causing particular disquiet to key players in the global digital economy, namely, internet service providers and social media giants.
It is reasonable to expect some changes to be made to the draft Regulation before it is finalised. The text must first be approved by both the Council of the EU and the European Parliament and the earliest it is likely to come into force is late 2014.
Kate Brimsted is head of the Global Information Governance Team at Herbert Smith LLP.
For a list of PLC's data protection resources, see Data Protection Toolkit, www.practicallaw.com/6-517-4600.

Key words

Data controller. The person (including a company or public authority) who determines the purposes for which, and the manner in which, any personal data are processed.
Data processor. The person (including a company or public authority) who processes personal data on behalf of a data controller; for example, a provider of outsourced payroll services.
Data subject. A person who can be identified, directly or indirectly, by means reasonably likely to be used by the data controller or by any other natural or legal person; in particular, by reference to an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.