Data privacy reform

In our earlier blog we discussed the use of personal data in regards of privacy in the European Union area, and continue now to look at the changes brought by the planned EU Data Protection reform. The reform is currently scheduled to be approved by the end of 2015, and with 2 years transition period it would be fully operational around the beginning of 2018.

The data protection reform provides a comprehensive set of data protection rules for the EU enhancing legal certainty and strengthening trust from consumers. 

New rights for citizens

As earlier, the personal data shall be obtained and processed fairly and lawfully and stored and used for specified and legitimate purposes. It must be adequate, relevant and not excessive in relation to the purposes. Data shall be accurate and kept up to date and in a form which permits identification of the data subjects for no longer than is required for the purpose. The transparency principle will be even stronger in the future.

The EU Data Protection reform package will guarantee even stronger rights for citizens including an explicit right to be forgotten, a right to object to data processing, and a right to be informed when data security is breached.

The right to be forgotten means that when one no longer want his data to be processed and there are no legitimate grounds for retaining it, the data must be deleted. A right to data portability will make it easier to transfer the personal data between service providers. A consent is required to process personal data and it must be given explicitly. Individuals will need to be informed without delay about data breaches or data hacking that could affect them. Privacy-friendly default settings should be the norm, for example on social networks or mobile apps.

Changes for businesses

The digital single market will be facilitated by new regulations. There will be a single law for data protection in the EU, replacing the current national laws and establishing a 'one-stop-shop' (one single supervisory authority) for businesses. The same rules apply for all companies – regardless of their establishment. The stricter enforcement of the law will affect companies who do not comply with EU rules with sanctions up to 2-5 % of their global annual turnover. Privacy-friendly European companies will have a competitive advantage on a global scale. It has been proposed that there will be exceptions for small and medium enterprises (SMEs) from some Data Protection Regulation provisions to enable growth by cutting costs and red tape.

‘Privacy by design’ and ‘privacy by default’ mean that data protection safeguards should be built into products and services from the earliest stage of development, ensuring that privacy is taken into account from the very beginning and throughout the data life cycle.

Where a company has over 250 employees or handles data sets of over 5000 consumers a year, they must nominate a privacy officer for ensuring the compliance, internal training and documentation as well as communication with the supervisory authorities. In case of data breaches or hacking the authorities and the individuals will need to be informed without delay.

One target of the data protection reform package is to boost innovation in sustainable data services by enhancing legal certainty and strengthening trust in the digital marketplace, ensuring the protection of a fundamental right, consumer trust and economic growth.

The regulations are still under discussion, so the final form of the data protection laws is still to be finalized. However, it’s time for companies to start preparing for the new regulations ensuring the compliance, and to be on the competitive edge.