The European Parliament and Council have reached agreement on the data protection reform proposed by the Commission. The reform is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market.
The data protection reform package includes the General Data Protection Regulation (“Regulation”) and the Data Protection Directive for the police and criminal justice sector.
Why did the Commission propose a reform of EU data protection rules?
EU legislation on data protection has been in place since 1995. The Data Protection Directive guarantees an effective protection of the fundamental right to data protection. But differences in the way that each Member State implements the law have led to inconsistencies, which create complexity, legal uncertainty and administrative costs. This affects the trust and confidence of individuals and the competitiveness of the EU economy. The current rules also need modernising – they were introduced at a time when many of today’s online services and the challenges they bring for data protection did not yet exist. With social networking sites, cloud computing, location-based services and smart cards, processing of personal data has grown exponentially. We need a robust set of rules to make sure people’s right to personal data protection – recognised by Article 8 of the EU’s Charter of Fundamental Rights – remains effective in the digital age. This will at the same time be beneficial for the development of the digital economy.
What will change under the Regulation?
The Regulation updates and modernises the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on: reinforcing individuals’ rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.
The changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that people’s personal information is protected – no matter where it is sent, processed or stored – even outside the EU, as may often be the case on the internet.
What are the benefits for citizens?
The reform provides tools for gaining control of one’s personal data, the protection of which is a fundamental right in the European Union.
The data protection reform will strengthen citizens’ rights and build trust. Nine out of ten Europeans have expressed concern about mobile apps collecting their data without their consent, and seven out of ten worry about the potential use that companies may make of the information disclosed.
The new rules address these concerns through:
- A “right to be forgotten”: When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
- Easier access to one’s data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.
- The right to know when one’s data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures.
- Data protection by design and by default: ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
- Stronger enforcement of the rules: data protection authorities will be able to fine companies who do not comply with EU rules up to 4% of their global annual turnover.
Right to be forgotten: How will it work?
The current Directive already gives individuals the possibility to have their data deleted, in particular when the data is no longer necessary.
For example, if an individual has given her or his consent to processing for a specific purpose, e.g. display on a social networking site, and does not want this service anymore, then there is no reason to keep the data in the system. In particular, when children have made data about themselves accessible, often without fully understanding the consequences, they must not be stuck with the consequences of that choice for the rest of their lives.
This does not mean that on each request of an individual all his personal data are to be deleted at once and forever. If, for example, the retention of the data is necessary for the performance of a contract or for compliance with a legal obligation, the data can be kept as long as necessary for that purpose.
The proposed provisions on the “right to be forgotten” are very clear: freedom of expression, as well as historical and scientific research are safeguarded.
For example, no politician will be able to have their earlier remarks deleted from the web. This will thus allow, inter alia, news websites to continue operating on the basis of the same principles.
Is there specific protection for children?
Yes, the Regulation recognises that children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. For instance, they benefit from a clearer right to be forgotten.
When it comes to information society services offered directly to a child, the Regulation foresees that consent for processing the data of a child must be given or authorised by the holder of the parental responsibility over the child. The age threshold is for Member States to define within a range of 13 to 16 years.
This specific provision aims at protecting children from being pressured to share personal data without fully realising the consequences. It will not stop teenagers from using the Internet to get information, advice, education etc. Moreover, the Regulation specifies that the consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.