A new dawn for data privacy in Europe as new rules are voted in

18 Dec 2015

This is the most important development in data protection law in Europe in 20 years.

A new set of privacy rules for the EU has been voted in as the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee voted in favour of the General Data Protection Regulation (GDPR). This is the most important development in data protection law in Europe in 20 years.

In what has to be one of the most vital EU legislative initiatives, the GDPR will take effect in early 2018 and data protection regulation in Europe will centre on a single set of rules.

Earlier this week the European Parliament and the EU Council reached an agreement on the new data privacy rules, which will have a key role in the future Single Digital Market.

‘The new rules will give users back the right to decide on their own private data’

The new regime aims to tighten existing laws and get rid of the haphazard interpretation and implementation of data laws across Europe, which were playing into the hands of internet giants and spy agencies that had little regard for Europeans’ privacy.

The GDPR will apply to the processing of personal data by businesses and organisations that are operating in the EU, regardless of whether the processing takes place in the EU.

Tough data privacy fines of up to 4pc of global turnover await social networks, e-commerce firms and search engines

Such rules will be vital to the EU’s ambitions to create a Single Digital Market for online goods and services.

Tough fines – as much as 4pc of global turnover – could be levelled against e-commerce giants, search engines and social networks that fail to respect the privacy of Europeans.

The new rules will create a uniform set of rules across the EU fit for the digital era, said German MEP Jan Albrecht.

“The new rules will give users back the right to decide on their own private data,” said Albrecht.

“At the same time, the new rules will give businesses legal certainty and chances for competition. It will create one single common data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market,” he added.

Effectively, the new rules include provisions on clear and affirmative consent to the processing of private data by the person concerned, to give consumers more control over their private data. For example, not ticking a box does not constitute consent and a consumer should be able to withdraw consent as easy as they give it.

Right to be forgotten

Children below a certain age will need to get their parents’ permission to open an account on social media such as Facebook, Instagram or Snapchat, as is already the case in most EU countries today.

The new, flexible rules ensure that member states can set their own limits, provided these are between the 13 and 16 years, thus giving them the freedom to maintain those they already apply.

The new rules also enshrine the “right to be forgotten” so people can have their identities erased from databases of companies holding their personal data if there is no legitimate grounds for retaining it. This is a grey area that could cause problems for the media, for example, in terms of newspaper archives containing references to people who may have committed crimes in the past and seek to have that data removed.

The GDPR rules also enshrine the right for consumers to know when their data has been hacked and, as such, firms must notify their data protection authority as quickly as possible if a data breach occurs.

The rules also set the scene for the end of small print privacy policies, with information provided in plain language before the data is collected.

Firms with more 250 employees will have to appoint a data protection officer if they are handling sensitive data or monitoring the behaviour of consumers. Only firms whose core business activity is not data processing will be exempt.

The GDPR also creates a one-stop shop for enforcement. National Data Protection Authorities (DPAs) such as Ireland’s Data Protection Commission will be enhanced to become a first-instance body where citizens can complain about data breaches.

European Parliament image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years