The EU privacy reform providing for the adoption of the EU Data Protection Regulation has been agreed, setting a milestone for the future of privacy within the EU.
An agreement was reached between the European Commission, the European Parliament and the Council on the EU privacy reform, which provides for the adoption of
- the EU Data Protection Regulation, which will set out consistent data protection rules across the European Union to ensure better protection of individuals’ personal data in the Digital Single Market; and
- the Data Protection Directive for the police and criminal justice sector, which will ensure that the data of victims, witnesses and suspects of crimes are duly protected in the context of a criminal investigation or a law enforcement action, while at the same time facilitating cross-border cooperation between police or prosecutors to combat crime and terrorism more effectively across Europe.
What is new in the EU Privacy Regulation?
In a previous blog post I described the upcoming EU privacy regulation as your next headache. It is indeed true that the regulation will provide a higher level of protection for personal data within the Digital Single Market, but its implementation might not be fully straightforward, as some grey areas still remain.
The data protection regulation will provide, among other things:
1. Easier access to individuals’ personal data
Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. This is an evolution of the right of access already provided by the current data protection directive.
2. A right to data portability
It will be easier to transfer individuals’ personal data between service providers. This right might have an impact, for instance, on data protection issues affecting Internet of Things technologies, such as when an individual purchases a new connected car and wants to “port” his profile from the old vehicle to the new one.
3. A clarified “right to be forgotten”
After the well-known decision of the European Court of Justice on the exercise of the right to be forgotten in relation to the Google search engine, the regulation now entitles individuals who no longer want their data to be processed to require its deletion, provided that there are no legitimate grounds for the data controller to retain the data.
4. Stricter data breach obligations
Privacy by design and security by design shall be adopted in the protection of personal data. When a data breach nevertheless occurs, stricter rules apply to the notification of the breach to the affected individuals and to the competent data protection authorities.
5. Heavier sanctions
Non-compliance could lead to heavier sanctions. Indeed, the final version of the privacy regulation provides for fines of up to 4% of the annual worldwide turnover of the breaching entity.
Companies might change their current structure
The EU privacy regulation will have a massive impact on both
- European entities, which might have to restructure their group in order to benefit from the so-called “one-stop shop” rule, which enables them to deal with a single data protection authority; and
- non-European entities, which will have to comply with EU data protection law when offering their services in the European Union, regardless of where they are based.
What is the timing?
The final steps for the adoption of both the EU privacy regulation and the directive will be taken by the European Parliament and the Council at the beginning of 2016. Once these pieces of legislation are adopted, they will come into force 2 years later.
This seems quite a broad time window, but some of our clients are already concerned that they might not be able to complete all the transitional steps required under the new regime within the deadline.