New rules on data protection have finally been agreed after lengthy discussions between the European Parliament, European Council and Council of Ministers. Any business breaching the new laws could be fined up to four percent of its global turnover.
More than 90% of Europeans say they want the same data protection rights across the EU – and regardless of where their data is processed: this will soon be a reality. The EU said the reform package will put an end to the patchwork of data protection rules that currently exists in the EU.
The deal has still to be ratified by MEPs, who will vote on the reforms presented, but the move has been welcomed by the marketing industry, which had been braced for major changes to the way it can gather and hold data. Earlier rumours had suggested there could have been strict measures in place for gathering data; however, consent for telephone and direct marketing can still be given on an opt-out basis.
In addition to the fines proposed, any data breach will have to be reported within three days.
Věra Jourová, EU commissioner for justice, consumers and gender equality, said: “Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market. Harmonised data protection rules for police and criminal justice authorities will ease law enforcement co-operation between member states based on mutual trust, contributing to the European Agenda for Security.”
The Reform consists of two instruments:
• The General Data Protection Regulation will enable people to better control their personal data. At the same time modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.
• The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.
The groups said that the new laws would create a business opportunity that encouraged innovation. If passed in Parliament, the regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU. Businesses will only have to deal with one single supervisory authority, which is estimated to save €2.3bn per year.
European rules on European soil – companies based outside of Europe will have to apply the same rules when offering services in the EU. The regulation will also guarantee that data protection safeguards are built into products and services from the earliest stage of development (data protection by design). Privacy-friendly techniques such as pseudonymisation will be encouraged, to reap the benefits of big data innovation while protecting privacy.
For SMEs there is further good news as they are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
The DMA Chief Executive Chris Combemale said that he believed the text is better than he was braced for, in five key areas – specifically the definition of personal data, the definition of consent, the consumer right to object, ‘profiling’ and what is the ‘legitimate interest’ of businesses to process consumer data.
“These areas will be the concern of digital and data-driven marketers for the foreseeable future, and we are pleased that the agreed text will allow the continued development of the data-driven sector. Companies that already adhere to the DMA Code will find that they are mostly compliant already, and have a head-start with two years to go before implementation, but there will still be some work to do.”
Following political agreement reached in trilogue, the final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable two years thereafter.
The Commission will work closely with Member State data protection authorities to ensure a uniform application of the new rules. During the two-year transition phase, the Commission will inform citizens about their rights and companies about their obligations.
Data Protection Authorities will work more closely together in the future, especially through the one-stop shop mechanism to solve cross-border data protection cases.