News: Businesses will face potentially huge fines if they break the new data protection rules.
The General Data Protection Regulation has cleared its final approval hurdle, having today won approval from MEPs.
The new EU data protection rules are designed to return control of personal data to EU citizens, creating a uniform level of data protection across the EU and providing a minimum set of standards on the use of data for policing and judicial purposes.
Today’s vote of approval on the complete overhaul of EU data protection rules replaces the current data protection directive, dating back to 1995.
Jan Philipp Albrecht (Greens, DE), who steered the legislation through Parliament, said: "The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality.
"This is a great success for the European Parliament and a fierce European ‘yes’ to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share."
The new rules, put simply, will impact every business which deals with data – and in this digital world, that pretty much means everyone.
Businesses will have to comply with various provisions, among which include the right to be forgotten; ‘clear and affirmative consent’ to private data processing; the right to know when data has been hacked; and the right to transfer data to another service provider.
For all businesses who fail to comply with the new set of rules, or break the rules, fines of up to 4% of firms’ total worldwide annual turnover will be issued.
The first major rewrite of Europe’s privacy laws have been welcomed by privacy experts, with Phil Lee, data protection partner at Fieldfisher, celebrating the fact the EU will now lead the world in data protection.
"Today is truly historic. Europe has adopted its new data protection laws and these will raise the bar right across Europe – and quite possibly worldwide – for the protection of individuals’ fundamental privacy rights.
"There’s been a lot of political rhetoric about how the new law is a win-win for individuals and industry alike, but it’s not that simple. Certainly, individuals are much more protected, but the result is not quite so positive for industry – many of the rules introduce significant new burdens for businesses that will be keenly felt for years to come.
"Is this law ground-breaking? Absolutely. Europe has created the notions of a ‘right to be forgotten’ and of ‘data portability’, and created fines for data breaches that are on a scale equivalent to fines for antitrust violations. No other region has done that before."
However, as previously mentioned, this law is set to hit every business that deals with data – a fact which means a lot of companies, inside and outside the EU, have an awful lot of work to do before the regulation comes into play in 2018. Mark Thompson, privacy lead in KPMG’s cyber security practice, said:
"The approach of the GDPR provides a risk based application of a "one size fits all" set of rules across the EU and recognises the different levels of privacy risk associated with SMEs and large global organisations. Privacy will be catapulted up the list of global organisations’ enterprise risks, requiring them to re-evaluate take action. "
"For non-EU businesses that trade in the EU, this agreement will require some to re-think some of the activities they carry out in the EU. This makes it much harder to operate certain "global" services and will require them to truly put an EU lens on the business activities which are undertaken in the EU market."