
April 15, 2016

EU approves stricter data protection rules

by John_A

The European Parliament today voted in favor of broad new data protection laws that apply to any company operating within the EU, regardless of where they are based. First proposed more than four years ago, they represent a significant modernization of previous regulations drawn up in 1995, long before the internet and digital services had matured to the point they’re at now. After various EU authorities agreed upon the rules late last year, they’ve been formally green-lit today, and at their heart, make companies more accountable for data protection and give citizens more control over the information held on them.

What it means for us

Under the General Data Protection Regulation (GDPR), companies are expected to make their products and services capture and process as little personal information as possible by default. Coined “privacy by design,” this forces services like social networks to ensure users have the strictest privacy settings right off the bat, instead of having to dig through menus to opt out of programs or features they were automatically included in when they signed up.

This is in tune with a general responsibility to be more transparent about data collection. Companies must receive the “clear and affirmative” consent of users to process their personal data, and offer a simple way to withdraw that consent. Furthermore, what the data is being used for must be stated in “clear and plain language”; dense and confusing privacy policies won’t fly. Any business that handles large volumes of personal data has to employ a data protection officer under the new rules, and any breach must be disclosed within 72 hours.


The European Parliament says the new rules will benefit companies by introducing a single set of laws to abide by (not the individual regulations of the 28 member states) and a single supervising authority to deal with. The GDPR is not to be taken lightly, though, as any company or organization that suffers a breach or is found to be generally non-compliant could be fined up to 4 percent of their global turnover. For a behemoth like Google, that would be an extremely significant sum.

In addition to these stricter rules for companies, the GDPR affords EU citizens greater control over their personal data, including the right to “data portability.” This is the power to move data between services, such as instructing your current internet service provider (ISP) to divulge certain information to a new ISP, for instance. It gets much more complicated than that, though. In theory, you’ll also be able to switch email providers, moving all your contacts and email history from, say, Google to Yahoo; or, set up a new social media account using data from an existing one. We’re a ways from knowing how this will work in practice, however.


The “right to be forgotten” is also integral to the new rules. As you may remember, in a landmark case the European Court of Justice ruled that one can request search engines remove links from results that contain “irrelevant” or “outdated” personal information. This legally binding decision is now not only part of EU law, but the right has been extended to cover all kinds of personal data. You could tell Facebook, for instance, to delete your account and all data associated with your activity; the social network would also have to action this anywhere your data has been replicated. There are certain caveats, of course, where “data is needed for historical, statistical and scientific purposes, for public health reasons or to exercise the right to freedom of expression.”

Children will have special protections under the right to be forgotten, and the GDPR also introduces a new rule requiring social networks to seek parental consent before letting kids open an account. Several EU member states have this provision already, and each country will set its own age threshold at which parental consent is no longer required, somewhere between 13 and 16 years.

What it means for law enforcement

While less relevant to the general internet user, the data protection “package” approved today also creates a blanket set of guidelines for the handling of personal data by EU law enforcement agencies. The Data Protection Directive lays out “minimum protection standards” for the movement of data between member states, such as safeguards that ensure personal information is “processed lawfully, fairly and only for a specific purpose.”

Police patrol in Wroclaw, Poland

Essentially, the Data Protection Directive tries to balance the rights of individuals with the need for cross-border cooperation between law enforcement. With one set of guidelines, agencies no longer have to operate within the cumbersome patchwork of differing national regulations, which should allow for smoother and more efficient data transfer between member state authorities.

T-minus two years

Now that they’ve been approved, the GDPR and Data Protection Directive will soon become part of EU law, but the regulations won’t truly come into force until April 2018. That gives all member states two years to copy and paste the rules into their national laws and processes. The regulations are sure to have an impact way before then, though.

They will undoubtedly be key to discussions around an impending update to the EU e-Privacy Directive, which specifically deals with electronic communications data, including the use of cookies. What’s more, the EU and US are currently working on Privacy Shield, an agreement that governs the movement and use of personal data across the Atlantic, designed to replace the now-defunct Safe Harbor agreement.

[Images: Getty (Lead, 1, 2); Alamy (3 – Policja)]

Source: European Parliament (1), (2), European Commission
