The European Union has agreed on the much-anticipated data protection regulation reforms designed to bolster the rights of internet users and impose steep fines on firms breaking the rules.
New laws are expected to take effect by 2017, and will enforce a tougher stance on privacy, breach reporting and the Right to be Forgotten ruling.
The proposals were agreed this week at a meeting between the European Commission, the European Parliament and the Council of Ministers.
The reform aims to put an end to the current “patchwork” of data protection rules in the EU, according to the EC.
The proposals consist of the General Data Protection Regulation (GDPR) and the Data Protection Directive, which both aim to create a more streamlined approach to data protection for consumers, businesses and law enforcement.
However, the reforms have been criticised by large technology firms, including Google and Facebook, that take advantage of data from a global user base to scoop up vast amounts of information for advertising purposes.
Controversially, large firms will face fines of up to four percent of global revenue under the proposals if found to have misused consumer data or breached user privacy. Companies will also be forced to inform national regulators of a data breach within three days.
The policies include a focus on the Right to be Forgotten ruling that allows internet users to request the removal of search results.
Ross McKean, a lawyer at Olswang LLP who specialises in data protection, told V3 that the proposals are a “paradigm change” in the way data is regulated in the EU.
“We have now moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world,” he said.
“Data permeates everything that we do in our digital lives and touches all organisations. This is not a compliance or legal challenge; it is much more profound than that. Organisations will need to adopt entirely new behaviours in the way they collect and use personal information.”
Věra Jourová, EU commissioner for justice, consumers and gender equality, claimed that the new rules are “good for citizens and good for businesses”.
“Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market,” she said.
“Harmonised data protection rules for police and criminal justice authorities will ease law enforcement co-operation between member states based on mutual trust, contributing to the European Agenda for Security.”
Andrus Ansip, EU vice president for the Digital Single Market, added that the proposals will “remove barriers and unlock opportunities”.
“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information. We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage,” he said.
Ansip explained that the agreement builds a strong foundation that will enable Europe to “develop innovative services”.
“Our next step is now to remove unjustified barriers which limit cross-border data flow: local practice and sometimes national law, limiting storage and processing of certain data outside national territory,” he said.
“So let us move ahead and build an open and thriving data economy in the EU based on the highest data protection standards and without unjustified barriers.”
Shake it up
Phil Lee, a partner in the privacy, security and information group at European law firm Fieldfisher, said: “This is the most significant development in data protection that Europe, possibly the world, has seen over the past 20 years.
“Businesses that get it wrong face substantial fines, potentially up to four per cent of global turnover. If data protection hadn’t previously reached board level before, it’s about to now.
“Fundamentally, the regulation is about accountability. It’s about businesses not only being compliant, but being able to show they’re compliant.
“The rules that Europe agreed last night will shape the way that businesses around the world interact with European consumers for decades to come. Europe has become the flag bearer for best practice in the treatment of individuals’ data.”
However, not everyone is satisfied with the current GDPR reforms. Matthew Fell, CBI interim chief policy director, hit out at the proposals, claiming that they “miss the mark” for companies and consumers.
“From driving research and development in healthcare to powering our free social media and search platforms, data analytics is a vital part of modern business. This new legislation could hamper that with unnecessary administrative burdens and costs, like mandatory data protection officers, placed on firms of all sectors and size,” he said.
“Businesses now need clarity from policymakers and regulators on what actually applies to their business so that they can mitigate the burden and cost of compliance as quickly and effectively as possible.”
DigitalEurope, which represents the technology industry in Europe and boasts members including Apple, Google, Microsoft and IBM, echoed these concerns, saying that the proposals fall short of the original intentions of the legislation.
“While we acknowledge that the instrument may bring greater consistency to the varied interpretations of data protection laws across Europe, the result fails to strike the proper balance between protecting citizens’ fundamental rights to privacy and the ability for businesses in Europe to become more competitive,” the organisation said.
“We fear that the text agreed upon between the EC, the European Parliament and the Council of Ministers will undermine the ability of businesses in Europe to invest, innovate and create jobs.”
The text of the reform is still subject to a final endorsement by the 28 member states and the European Parliament, which is expected next week. Once the text is adopted by the EU, firms will have two years to make the changes needed to comply with the new regulations.