Nearly four years after the European Commission originally proposed its European Data Protection Reforms, and just in time for Christmas, the European Commission, Council and Parliament have finally reached agreement on the new European data protection reforms.
The reform consists of the General Data Protection Regulation (GDPR) and the Data Protection Directive (Directive) (which will focus on the police and criminal justice sector). Both seek to harmonise the data protection laws across Europe and provide individuals with stronger rights in respect of their personal data.
Here is a reminder of just some of what to expect from the data protection reforms.
Strengthened rights for individuals
A variety of rules within the now agreed reforms entitle individuals to more control over their data. Individuals will have easier access to their data and transparent information about the data held about them. The GDPR will clarify the ‘right to be forgotten’ and also require easier transfer of data between service providers.
With harmonisation at the core of the reforms, the Article 29 Working Party (currently made up of all EU member state data protection authorities) will become a European Data Protection Board ‘one stop shop’ tasked with enforcing consistent decision making across Europe; something increasingly important for the growing number of digital companies operating across multiple European territories.
Cutting the red tape
Another key objective at the heart of the reforms is the removal of some of the red tape pervading data protection laws across Europe. The new rules will scrap the ‘notification’ or registration requirement for data controllers and introduce a number of more flexible ‘risk-based’ approaches to data protection. One example is the removal of the requirement for SMEs whose core business activities are not focused on data processing to appoint a Data Protection Officer.
The UK’s ICO currently has the ability to serve monetary penalty notices of up to £500,000 for serious contraventions of data protection laws. The new rules significantly increase the level of fines available, to up to 4% of a company’s total worldwide annual turnover. This is a substantial deterrent, introduced to incentivise compliance.
Age limit requirements for social media
The new rules impose a general age limit restriction for access to social media platforms. Member states are able to determine their own age limits (provided that they are between 13 and 16), which enables each to maintain limits that already apply.
How have the data protection reforms been received?
Whilst many welcome a more consistent approach to data protection laws across Europe and the strengthening of individual rights, others see the reforms as introducing far stricter compliance requirements likely to be cumbersome for growing businesses in the digital age and a possible further barrier to innovation.
Rest assured, there is still some way to go before the GDPR and Directive are applicable. We are expecting the final texts of both pieces of legislation to be formally adopted in Spring 2016 (probably March or April). There will then be a further two years before the new rules come into force.
We’ll be examining and digesting the final agreed text of both the GDPR and Directive once adopted in the New Year and will keep you updated on the preparatory steps to be taken ahead of implementation. Watch this space.
This article was produced by Harbottle & Lewis