European Parliament adopts tough new data protection rules

The final vote on reforms to Europe’s data protection laws has just taken place in the European Parliament, with MEPs agreeing the new data protection directive — bringing to a close some four years of work to update existing legislation which dates back to 1995.

In a joint statement, EC commissioners Frans Timmermans and Věra Jourová welcomed the adoption, adding: “The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The General Data Protection Regulation will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.”

Late last year the various European institutions involved in the legislative process agreed on the text of a new General Data Protection Regulation. Today’s vote in the EU parliament was the last stage of the adoption process. The GDPR will now be transposed into the national laws of the bloc’s 28 Member States over the next two years, with the regulation set to come into force from 2018.

Key changes in the GDPR include:

  • tougher penalties for companies found to be breaching European Union data protection law, with fines of up to 4 per cent of global turnover;
  • a requirement for larger companies to appoint a data protection officer if they process sensitive data at scale;
  • a requirement for companies to disclose personal data breaches within 72 hours;
  • liability for data breaches extending to any data processors used by a data controller;
  • enshrining Europe’s so-called right to be forgotten ruling in law, and expanding its scope;
  • a right to data portability for individuals, enabling them to switch between services more easily;
  • parental consent for children to use social media;
  • a one-stop-shop single supervisory authority for data protection complaints, aimed at streamlining the compliance process for businesses.

Speaking in the EU parliament immediately after the vote, Jan Philipp Albrecht — the MEP who has driven the reform of the GDPR — said: “This regulation is a huge step forward for the European Union, for fundamental rights in the European Union, and it shows that we can deliver a legal framework for the digital age, and that we can deliver for democratic decisions still in the European Union which has huge value for citizens and consumers.”

It’s pretty clear the new law will also be a boon for law firms, which are already touting data protection compliance expertise, anticipating an inrush of companies concerned to avoid the risk of future fines.

Europe’s data protection related reforms do not end here, though. The European Commission has now turned its attention to telecoms data privacy regulations — via the ePrivacy Directive — in order to harmonize that directive with the new GDPR.