The European Commission first put forward its bold and forward-looking EU General Data Protection Regulation proposals back in January 2012 to “make Europe fit for the digital age”. Now, an agreement has been reached between the European Parliament and the Council in the wake of final negotiations between the three institutions (the so-called ‘trilogue’ meetings).
More than 90% of Europeans say they want the same data protection rights across the European Union (EU) regardless of where their data is processed. This will soon be a reality, with the proposed reform package putting an end to the ‘patchwork’ of data protection rules that currently exists across the EU.
The reform consists of two instruments: the aforementioned General Data Protection Regulation and the Data Protection Directive.
*The General Data Protection Regulation will enable people to better control their personal data. At the same time, modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.
*The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses and crime suspects are duly protected in the context of a criminal investigation or a law enforcement action. At the same time, more harmonised laws will also facilitate cross-border co-operation among police and/or prosecutors to combat crime and terrorism more effectively right across Europe.
Fundamental right for citizens
The reform will allow people to “regain control” of their personal data. According to a recent Eurobarometer survey, two-thirds (67%) of Europeans stated they’re concerned about not having complete control over the information they provide online. Seven Europeans out of every ten worry about the potential use that companies may make of the information disclosed. The data protection reform will strengthen the right to data protection, which is a fundamental right in the EU, and allow people to have trust when they hand over their personal data.
The new rules address these concerns by strengthening the existing rights and empowering individuals with more control over their personal data. Most notably, these include:
*easier access to your own data: individuals will have more information on how their data is processed, with that information being available in a clear and understandable way
*a right to data portability: it will be easier to transfer your personal data between service providers
*a clarified ‘right to be forgotten’: when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the specified data will be deleted
*the right to know when your data has been hacked: companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.
Removing barriers, unlocking opportunities
Andrus Ansip, vice-president for the Digital Single Market, said: “This agreement is a major step towards a Digital Single Market. It will remove barriers and unlock opportunities. The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they’re in control of their personal information, and they can enjoy all the services and opportunities of a Digital Single Market.”
Ansip continued: “We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage. The agreement builds a strong basis to help Europe develop innovative digital services. Our next step is to remove unjustified barriers which limit cross-border data flow. Let’s move ahead and build an open and thriving data economy in the EU based on the highest data protection standards and without unjustified barriers.”
Věra Jourová (Commissioner for Justice, Consumers and Gender Equality) said: “We’re delivering on the promise of the Juncker Commission to finalise data protection reform in 2015. These new pan-European rules are good for citizens and good for businesses. Citizens and businesses alike will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market. In addition, harmonised data protection rules for police and criminal justice authorities will ease law enforcement co-operation between Member States based on mutual trust, in turn contributing towards the European Agenda for Security.”
Clear modern rules for businesses
In today’s digital economy, personal data has acquired enormous economic significance, in particular in the area of big data. By unifying Europe’s rules on data protection, lawmakers are creating a business opportunity and encouraging innovation.
*One continent, one law: The General Data Protection Regulation establishes one single set of rules which will make it simpler and cheaper for companies to conduct business in the EU
*One-stop shop: Businesses will only have to deal with one single supervisory authority. This should save something in the region of €2.3 billion per annum
*European rules on European soil: Companies based outside of Europe will have to apply the same rules when offering services in the EU
*Risk-based approach: The rules will avoid a burdensome ‘one size fits all’ obligation, instead tailoring those obligations to the respective risks
*Rules fit for innovation: The General Data Protection Regulation will guarantee that data protection safeguards are built into products and services from the earliest stage of development (ie ‘data protection by design’). Privacy-friendly techniques will be encouraged so as to reap the benefits of big data innovation while protecting privacy.
Benefits for companies large and small
The data protection reform will stimulate economic growth by cutting costs and red tape for European business, notably so for small and medium-sized enterprises (SMEs). The EU’s data protection reform will help SMEs break into new markets. Under the new rules, SMEs will benefit from four reductions in red tape:
*No more notifications: Notifications to supervisory authorities are a formality that represents a cost for business of €130 million every year. The reform will scrap these entirely
*Every penny counts: Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access
*Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity
*Impact assessments: SMEs will have no obligation to carry out an impact assessment unless there’s a high risk
Protecting personal data in the area of law enforcement
Better co-operation between law enforcement authorities
With the new Data Protection Directive for Police and Criminal Justice Authorities, law enforcement authorities in EU Member States will be able to exchange information necessary for investigations more efficiently and effectively, thereby improving co-operation in the fight against terrorism and other serious crime in Europe.
The Data Protection Directive for Police and Criminal Justice Authorities takes account of the specific needs of law enforcement, respects the different legal traditions in Member States and is fully in line with the Charter of Fundamental Rights.
Better protection of citizens’ data
Individuals’ personal data will be better protected when processed for any law enforcement purpose, including the prevention of crime. The Directive will protect everyone – regardless of whether they are a victim, criminal or witness.
All law enforcement processing in the Union must comply with the principles of necessity, proportionality and legality, with the appropriate safeguards for individuals in place. Supervision is ensured by independent national data protection authorities, while effective judicial remedies must be provided.
The Data Protection Directive for Police and Criminal Justice Authorities provides clear rules for the transfer of personal data by law enforcement authorities outside of the EU to ensure that the level of protection for individuals guaranteed in the EU isn’t undermined.
What are the next steps?
Following the political agreement just reached in trilogue, the final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable in 2018.
The Commission will work closely with Member State data protection authorities to ensure a uniform application of the new rules. During the two-year transition phase, the Commission will inform citizens about their rights and companies about their obligations.
Data protection authorities will work more closely together in the future – and particularly through the one-stop shop mechanism – to solve cross-border data protection cases.
The General Data Protection Regulation updates and replaces the current data protection rules based on the 1995 Data Protection Directive.
Business “not prepared for complex legal changes”
Commenting on the EU’s adoption of the General Data Protection Regulation, Stewart Room (partner at PwC and head of PwC Legal’s data privacy and protection practice) has warned that business is not prepared for the complex legal changes to compliance and risks heavy financial penalties and a wave of litigation.
This landmark piece of legislation is important because it seeks to help people gain more control over their personal data, which is also a vital asset of the global economy.
“The scale and breadth of the changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU,” warned Room. “Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in 2018. That’s not a great deal of time for the magnitude of internal changes that will be required. Compliance costs will also be high, in some cases tens of millions of pounds for larger entities.”
Room continued: “Major retailers, organisations within the banking sector and any entity that’s aiming their marketing and promotion to consumers are particularly at risk, as is any entity that uses data around children. Technology companies will also be in the firing line.”
With financial penalties of up to 4% of global annual turnover for non-compliance, some of the UK’s largest multinationals as well as public entities could face penalties worth many millions of pounds or euros, as organisations are forced to publicly disclose any security and confidentiality breaches to the regulators and the people affected. The consequences under the new laws will go much further than reputational damage alone.
“New enhanced rights for people over their personal data may also unleash a wave of legal action and compensation claims against entities that will face new rights including the right to be forgotten,” added Room, “such that personal data is deleted and destroyed by organisations, while obtaining consent to use personal data is also about to become a lot harder for companies. There are also new requirements to assess the risks to personal data and privacy.”
In conclusion, Room informed Risk UK: “Business will also face greater scrutiny from the European data protection regulators as new powers enable them to shape how personal data is used.”