Europe Finally Agrees Tough New Data Protection Rules

Late yesterday European institutions finally agreed on the text of new data protection rules (GDPR), more than three years after new regulation was proposed.

The 28 Member States of the European Union will have two years to transpose the provisions of the GDPR into their national laws, with the regulation set to come into force from 2018.

There are still a few more stages in the process — although the Parliament, Council and Commission agreed the text yesterday there’s a further confirmation vote tomorrow by the Civil Liberties Committee, and another vote by the European Parliament as a whole in the new year — but the Commission’s aim of finalizing data protection reform in 2015 has been met.

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, dubbed the rules “clear” and “fit for the digital age”. The current European data protection directive was adopted back in 1995 so updating the bloc’s rules to keep pace with seismic shifts in technology is the overarching aim here, along with a parallel push to harmonize regulations across the region with the goal of creating a so-called “Digital Single Market” to simplify operations for businesses selling services in Europe.

Commenting on the agreement in a statement, Andrus Ansip, VP for the Digital Single Market, argued the GDPR will “remove barriers and unlock opportunities”. He also tacitly rebutted critics of the new rules. Brussels has been host to a small army of lobbyists during the data protection directive negotiation process, with the U.S. government and tech giants such Facebook and Google actively seeking to water down proposals.

“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information. And they can enjoy all the services and opportunities of a Digital Single Market. We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage,” said Ansip.

“Today’s agreement builds a strong basis to help Europe develop innovative digital services. Our next step is now to remove unjustified barriers which limit cross-border data flow: local practice and sometimes national law, limiting storage and processing of certain data outside national territory. So let us move ahead and build an open and thriving data economy in the EU — based on the highest data protection standards and without unjustified barriers,” he added.

Dropping like a nuclear bomb into the midst of the data protection reform discussions were the 2013 Snowden disclosures, which revealed the extent of U.S. government mass surveillance programs and detailed how intelligence agencies were tapping directly into consumer data held by commercial firms like Facebook. The fallout from those revelations acted as a counterweight to high level U.S. lobbying against strengthening privacy protections.

The Snowden disclosures also played a key role in convincing the European Court of Justice to strike down the fifteen year old Safe Harbor transatlantic data transfer agreement, this fall. EC officials are currently engaged in negotiations with their U.S. counterparts to try to hammer out a new deal — with a deadline set for that of January 2016. If you’re interested in geopolitical data protection politics these have been very interesting days indeed.

That’s the backstory, but what’s incoming in the new GDPR? It’s worth noting that the full text has not yet been published (Update: it has now been published here) but the general thrust is billed as strengthening individuals’ data protection rights, giving Europeans a greater say in how their data is used — as well as seeking to streamline some elements of compliance for businesses.

The new rules will apply to any companies who have customers in the region regardless of whether the company itself is based outside Europe.

Some key provisions in the GDPR include:

  • fines of up to 4 per cent of a company’s global turnover for breaching data protection rules — which for big tech companies like Google could result in fines that run to billions of dollars
  • liability for data breaches extending to any data processors a data controller also uses — so also applying to any third party entities involved in processing data to provide a particular service, with plenty of implications for cloud-based business models
  • enshrining a so-called ‘right to be forgotten‘ in law, so when an individual no longer wants their data to be processed by a company, and “provided that there are no legitimate grounds for retaining it”, the data must be deleted. Huge implications for digital marketing
  • a requirement for companies to appoint a data protection officer if they process sensitive data on a large scale or collect info on many consumers, with an exemption for SMEs if data processing is not their core business activity
  • a requirement for companies and organizations to notify the relevant national supervisory authority of serious data breaches as soon as possible
  • parental consent required for children to use social media, with the specific age within a 13 to 16 year old bracket to be set by individual Member States
  • a one-stop-shop single supervisory authority for data protection complaints aimed at streamlining compliance for businesses
  • a right to data portability for individuals to enable them to more easily transfer their personal data between services

Commenting in a statement, Green MEP Jan Philipp Albrecht, who led the European Parliament’s negotiations, said: “The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data.”

As with any new law, the devil will be in the interpretative detail around specific clauses and exemptions. And with 28 Member States all needing to interpret and transpose the regulation into their own national law there is inevitably going to be variation in how the GDPR is applied across the region. So one thing is certain: lawyers won’t be short of work as businesses seek to understand how they are affected and what they need to do to ensure compliance — and avoid the risk of a big fine.