On 14 April 2016, the European Parliament adopted the text of the new Data Protection Regulation, which will be published in the official journal in the coming days.
WHY IS THIS REGULATION IMPORTANT?
The Regulation will repeal the legislation currently in force on protection of personal data. The existing legislation was published in 1995, in other words, before widespread use of the Internet and the arrival of the digital economy. The aim of the regulation is to respond to the challenges raised by the technological revolution over recent decades and to provide better protection for the rights of European Union citizens.
WHO WILL THE REGULATION AFFECT?
The new Regulation will apply to all companies that process personal data within the European Union, even if they are based outside the European Union.
"Personal data" means any information in relation to an identified or identifiable natural person. One of the main objectives of the Regulation is for citizens to recover control over their personal data. It introduces more transparent procedures for data processing that will apply to all entities, including public authorities and other bodies.
WHAT ARE THE MAIN CHANGES?
- New rights for citizens, including the right to be forgotten and the right to data portability. The right to data portability allows citizens to transfer the data they have supplied to one data controller to another. Companies are, therefore, obliged to supply the data subject with any data the subject has transferred to them, in a structured and commonly used format. Alternatively, whenever it is technically possible, companies must transfer the data directly to the controller in question.
- Increased obligations on companies. Besides the obligation to adopt data security policies and procedures, including data pseudonymisation and encryption, the new regulation creates the position of 'data protection officer'. This person must have expert knowledge of data protection law and practices, and his or her main duty will be to monitor the implementation and application of the rules of the new Regulation by the company.
- Special rules for minors. The new Regulation provides that minors aged below 16 cannot give their consent to data processing in online services. However, it will be at the discretion of each Member State to determine whether children aged between 13 and 16 can have access to online services.
- Obligation to notify data breaches. Companies will be under an obligation to notify personal data breaches to the competent authorities and to the data subjects affected.
WHAT ARE THE CONSEQUENCES OF BREACHING THE RULES?
A breach of the rules contained in the new Regulation may result in the application of fines of up to EUR 20 million, or up to 4% of the annual worldwide turnover of the company, whichever is the higher.
WHEN DOES IT COME INTO FORCE?
The new Regulation will have direct effect in all EU Member States two years after its entry into force, in other words, around May 2018. This two-year period will be crucial for companies to adapt to the new rules.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.