New EU data laws shake up privacy regulation
The European Commission originally put forward its EU Data Protection Reform in January 2012 to make Europe fit for the digital age (IP/12/46), but in December 2015, an agreement was found with the European Parliament.
More than 90 per cent of Europeans say they want the same data protection rights across the EU, regardless of where their data is processed, and this will soon be a reality. As a result, businesses will need to be aware of how to comply.
The reform consists of two policies:
- The General Data Protection Regulation will enable people to better control their personal data. At the same time, modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust
- The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes are duly protected in the context of a criminal investigation or a law enforcement action. At the same time, more harmonised laws will also facilitate cross-border co-operation of police or prosecutors to combat crime and terrorism more effectively across Europe
It is believed that the reform will allow people to regain control of their personal data, which may create a burden for some businesses.
According to a recent Eurobarometer survey, 67 per cent of Europeans are concerned about not having complete control over the information they provide online, while 70 per cent worry about the potential use that companies may make of the information disclosed. The data protection reform will strengthen the right to data protection, which is a fundamental right in the EU and allows users to have trust when they give their personal data.
The new rules address these concerns by strengthening the existing rights and empowering individuals with more control over their personal data. These include:
- easier access to your own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way
- a right to data portability: it will be easier to transfer your personal data between service providers
- a clarified “right to be forgotten”: when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted
- the right to know when your data has been hacked. For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures
The Commission will work closely with Member State data protection authorities to ensure a uniform application of the new rules and during the two-year transition phase from 2016 to 2018, the Commission will inform citizens about their rights as well as update companies about their obligations.