On April 14, 2016, the European Union’s parliament voted for massive reforms to its old and outdated data protection laws. The new laws will come into effect in April 2018, giving the member states two years to make changes to their current data protection laws and prepare for the more rigorous policing system that will be put into effect. The system will streamline data protection and create consistency, eliminating the patchwork of laws the European Union has been using up to this point.
These new changes were first put forward in January 2012 to replace the old laws from 1995. There will be two main components to the new laws: the General Data Protection Regulation (“GDPR”), which will give European Union citizens increased control of their private data; and the Data Protection Directive, which targets the use of private data by European Union police.
While the new laws may not be perfect – for example, DigitalEurope has said the new laws don’t strike the right balance between protecting the right to citizens’ privacy and the ability for European businesses to become more competitive – there could be bigger challenges in store. The European Union and the US continue to negotiate and work out the kinks in their new “Privacy Shield” agreement. If Privacy Shield, the follow-up to the old safe harbor laws, goes into force, it will need further updating as a result of these new laws.
So what do the new laws cover? The GDPR will provide increased information to citizens on how their personal data is being used by companies. Personal data will become more portable, so it can be moved between online services with increased ease. If there’s a serious data breach, the companies and organizations that are victims of these breaches will have to tell the national supervisory bodies so citizens can be made aware and can decide whether or not to leave their data with that company. Overall, the purpose is to require user consent in all areas of how their data can and will be used and for the user to be kept up to date on any changes to that use.
In addition, these new rules will be supported by stronger enforcement mechanisms. The largest deterrent? Data protection authorities will be able to fine companies violating the new laws up to four percent of their global annual turnover. This could mean billions of Euros in fines for major US Internet companies.
Under the Data Protection Directive, the focus will be on the police and criminal justice elements of the data protection laws. A key area of focus will be the protection of personal information when it’s being used for criminal law enforcement purposes.
The laws may not be perfect, but their streamlined nature and advances being made to improve data protection for European Union citizens are certainly an improvement from what they’ve had in the past. Only time will tell how US companies doing business throughout Europe will react to these even stricter guidelines, and they have the next two years to figure it out.
For more information regarding the new agreement and what it could mean for US and European companies alike, contact Revision Legal’s Internet attorneys through our contact form or by calling 855-473-8474.
Image courtesy of Flickr user safwat sayed