Europe has a new privacy law. The data protection framework for Europe from 2018 onwards is called the General Data Protection Regulation (GDPR). Read on for an overview and the most important changes.
The new EU privacy law in short
In short, this is what the new EU privacy law brings:
- In force on May 25th, 2018 (therefore allowing for 2 years to adapt to its requirements);
- The GDPR will be directly applicable in all of the EU (therefore the same rules for all countries), unlike the existing rules under the current privacy directives and European framework;
- Increased control over personal data for individuals, such as taking your data with you when switching service providers;
- Children are subject to additional conditions for data processing;
- Simplifications for businesses in dealing with data privacy.
The new EU privacy law in-depth
In January (2016), the European Union released a draft of the new European Data Protection Regulation which will replace the current centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC.
On May 4th, 2016, the General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union.
As is the case with EU Regulations, the GDPR comes into force for the entire territory of the Union within 20 days of publication, that is to say on May 25th, 2016; however, because of its two-year implementation period it will not be applicable until May 25th, 2018.
The new Regulation is a milestone in the field of data protection and will serve the purpose of strengthening the existing rights and empowering individuals with more control over their personal data, as well as creating business opportunities and encouraging innovation.
The reform at hand is based on Article 16 of the Treaty on the Functioning of the European Union (TFEU), which allows the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Member States when carrying out activities which fall within the scope of Union law.
It also allows the adoption of rules relating to the free movement of personal data, including personal data processed by Member States or private parties.
The reform consists of two legislative instruments:
- The General Data Protection Regulation with regard to the processing of personal data and on the free movement of such data (which is the one that we, as businesses and consumers, are mostly interested in).
- The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.
1. The General Data Protection Regulation
First and foremost, it’s important to understand that this is a regulation, not a directive like the previous Directive 95/46/EC. These two terms are often used interchangeably, but they have very different meanings: a directive has to be implemented into national law by each individual country, whereas a regulation, once adopted, becomes immediately enforceable as law in all member states simultaneously.
Strengthening of individuals’ rights
The regulation concerns both users and businesses. On the one hand, the new rules serve the purpose of strengthening the existing rights and empowering individuals with more control over their personal data. In particular, these include:
- easier access to your own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way;
- a right to data portability: it will be easier to transfer your personal data between service providers;
- a clarified “right to be forgotten”: when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted;
- processing of personal data of a child: introduction of conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them;
- the right to know when your data has been hacked: companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible, so that users can take appropriate measures.
On the other hand – by unifying Europe’s rules on data protection – lawmakers aim to create business opportunities and encourage innovation. With this in mind, the new regulation establishes new principles:
- I. One continent, one law: the regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.
- II. One-stop-shop: businesses will only have to deal with one single supervisory authority. This is estimated to save €2.3 billion per year.
- III. European rules on European soil: companies based outside of Europe will have to apply the same rules when offering services in the EU.
- IV. Risk-based approach: instead of a burdensome one-size-fits-all obligation, the rules tailor obligations to the respective risks.
- V. Rules fit for innovation: the regulation will guarantee that data protection safeguards are built into products and services from the earliest stage of development (“Data protection by design”). Privacy-friendly techniques such as pseudonymisation will be encouraged, to reap the benefits of big data innovation while protecting privacy.
Moreover, this reform will “cut costs and red tape” for European business, with particular attention to small and medium enterprises (SMEs). The EU’s data protection reform will help SMEs break into new markets. Under the new rules, SMEs will benefit from four reductions in red tape:
- I. No more notifications: notifications to supervisory authorities are a formality that represents a cost for business of €130 million every year. The reform will scrap these entirely.
- II. Every penny counts: where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
- III. Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
- IV. Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a high risk.
The second legislative instrument, covered next, has two aims: protecting personal data in the area of law enforcement, and better cooperation between law enforcement authorities.
2. Data Protection Directive for Police and Criminal Justice Authorities
According to the European Commission, this directive aims to provide better cooperation between law enforcement authorities by enhancing mutual trust between police and judicial authorities of different Member States, thus contributing further to a free flow of data and to effective cooperation between police and judicial authorities. It will also give citizens better protection of their data: individuals’ personal data will be better protected when processed for any law enforcement purpose, including prevention of crime. It will protect everyone – regardless of whether they are a victim, criminal or witness. All law enforcement processing in the Union must comply with the principles of necessity, proportionality and legality, with appropriate safeguards for the individuals. Supervision is ensured by independent national data protection authorities, and effective judicial remedies must be provided.
Now it’s time to review the above principles and wait for additional instructions and guidance and, when the time comes, the practice of European courts and data protection authorities.
The official documents about the reform of EU data protection rules can be found here.