On 14 April 2016, the European Parliament adopted the legislative package for the new data protection rules that the European Council had also adopted on 8 April 2016.
The New Package
This includes two new instruments:
- The General Data Protection Regulation, which replaces Directive 95/46/EC; and
- The Data Protection Directive in the area of law enforcement (intended to replace the 2008 data protection framework decision).
The purpose of this data protection reform is to update and modernise existing data protection rules to provide a greater level of data protection for individuals whose personal data is processed and to increase business opportunities in the digital single market through a reduced administrative burden.
Who has to comply?
All businesses that operate within the EU and handle personal data will be required to comply with the Regulation, whose main provisions include:
- Specific rules allowing data controllers to process personal data, including through the requirement for the consent of the individuals concerned;
- Easier access by individuals to their personal data;
- Better information for individuals about what happens to their personal data once it is shared;
- Enhanced “right to be forgotten”;
- Parental consent for the use of online services for those under the age of 16. This may be lowered by Member States but only as low as the age of 13;
- A right of portability, facilitating the transfer of personal data from one service provider (such as a social network) to another. This will strengthen data protection rights and will also increase competition among service providers;
- A right to object to the processing of personal data that is based on the public interest or on the legitimate interests of a controller; and
- Safeguards allowing the processing of personal data for archiving purposes, for public interest and historical research or statistical purposes.
Increased business opportunities
The Regulation will provide a single set of rules, valid across the UK and applicable both to European and non-European companies offering online services in the EU. This is intended to avoid situations in which conflicting national data protection rules disrupt the cross-border exchange of data.
Notification of breaches
Data controllers must implement a number of security measures, including the requirement in certain cases to notify personal data breaches. To future-proof the regulation, the principles of data protection by design and by default are introduced.
Data controllers can face a maximum fine of €20 million or 4% of a company’s annual global turnover.
Transfer of personal data outside the EU
Transfers may take place as long as a number of conditions and safeguards are met, in particular where the Commission has decided that an adequate level of protection exists. New adequacy decisions will have to be reviewed every 4 years, and existing adequacy decisions and authorisations remain in force until amended, replaced or repealed.
Data protection directive for law enforcement
The Directive is aimed at protecting personal data processed for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security.
The texts will shortly be published in the Official Journal of the EU and the data protection rules will come into force in 2018. Businesses should be reviewing their data protection practices now in preparation for the new laws.