Data protection reform gets final approval by MEPs

This week the EU has announced its new and long awaited data protection regulations, designed to give citizens more control over their personal data. The fact that it is a regulation as opposed to a directive means it will be directly applicable to all EU member states without a need for national implementing legislation. These new regulations are expected to impact every company, business or individual operating within the EU that processes, collects or holds the personal data of any individual.

This legislation is the result of over four years of work to standardise the level of data protection used throughout all 28 Member States. The previous data protection directive was implemented in 1995 and has quickly become outdated due to the advancement of the internet and the popularity of smartphones, online gaming, online shopping, internet banking and apps like Facebook, Viber and Whatsapp. The new rules tackle the changing landscape of connectivity and include measures to give users more control in a new digital era.

The proposal consists of two legislative measures: a regulation that updates the general framework and a new directive that establishes rules for police and judicial cooperation. The main changes to the general framework include the following:

“One Stop Shop” Rule.

The regulation applies to companies whose main establishment is in the EU, and also to non-EU-based companies that process the personal data of EU residents. Instead of reporting directly to the Data Processing Authorities (“DPA”) in each Member State where the company has a physical establishment, the One Stop Shop Rule allows the company to report only to the DPA in the Member State where the company has its main establishment.

 

One Set of Consistent Rules.

Policymaking power would be shifted away from the Data Processing Authorities (“DPA”) of the EU Member States to the European Commission in Brussels. A European Data Protection Board (“EDPB”) would be established to help guide the Member States as they adjust to operating under one set of rules and one supervisory authority.

 

Requirement of Explicit Consent and Clear and Plain Language.

Under the Regulation, statements in a privacy policy or an implied consent will likely not be sufficient.  Consent from the data subject must be explicit, by a statement or clear affirmative action (such as an opt-in), and it may not be considered proper consent if the parties are in an unequal bargaining position (like an employer and employee). In addition to advising data subjects what kind of data is being collected and what will be done with it, the Proposed Regulation requires additional transparency in the form of using clear and plain language that is adapted to the data subject.

 

The Right to Be Forgotten.

Under certain conditions, individuals have the right to request that search engines remove links to personal information about them. Under this regulation, this right will be clarified and strengthened whilst still supporting the right to freedom of expression.

 

Data Portability.

It will be easier for individuals to transfer their personal information and data between service providers e.g. Facebook, Twitter, Gmail and the provider is bound to respond to such requests quickly and efficiently.

 

New Sanctions and Fines.

A new structure of sanctions and fines will be implemented in response to the new regulations. These include the suspension of data flows, banning of processing and various administrative sanctions, and changes to the process of initiating court proceedings. For example, in the case of data breaches a fine of up to 4% of global turn over can be imposed on the responsible party.

 

The regulation will enter into force 20 days after its publication and there will be a two-year implementation phase where all businesses and organizations that handle the personal data of EU residents, regardless of where they are based, will need to put in place measures to be compliant with the new rules. Once the regulation has been published in full, WH Partners will communicate to you a summary of all changes.

 

It is important to start considering these changes now and to plan measures to ensure compliance with the proposed regulation. To discuss how these changes will affect your business, please contact joseph.borg@whpartners.eu

 

Article by Alice Taylor and Patrick Massa