New EU data protection legislation, informally agreed on Tuesday and backed by Civil Liberties MEPs on Thursday morning, will create a uniform set of rules across the EU fit for the digital era. It should also improve legal certainty and boost trust in the digital single market for citizens and businesses alike. Clear and affirmative consent to data processing, the right to be forgotten and strong fines for firms breaking the rules are some of the new features.
“The new rules will give users back the right to decide on their own private data”, said Parliament’s lead MEP on the regulation, Jan Philipp Albrecht (Greens, DE). “At the same time, the new rules will give businesses legal certainty and chances for competition. It will create one single common data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market”, he added.
The informal agreement reached by Parliament and Council on Tuesday evening was backed by 48 votes to 4, with 4 abstentions.
The new rules will replace the EU’s current data protection laws which date from 1995, when the internet was still in its infancy, and give citizens more control over their own private information in a digitised world of smart phones, social media, internet banking and global transfers. At the same time they aim to ensure clarity and legal certainty for businesses, so as to boost innovation and the further development of the digital single market.
The new rules include provisions on:
- Clear and affirmative consent to the processing of private data by the person concerned, so as to give consumers more control over their private data. This could for example mean ticking a box when visiting a website, or another statement or action clearly indicating acceptance of the proposed processing of the personal data. Silence, pre-ticked boxes or inactivity will thus not constitute consent. It should also be as easy for a consumer to withdraw consent as to give it.
- Kids on social media: children below a certain age will need to get their parents’ permission (“parental consent”) to open an account on social media such as Facebook, Instagram or Snapchat, as is already the case in most EU countries today. The new, flexible rules ensure that member states can set their own limit provided it is not below 13 or above 16 years, thus giving them the freedom to maintain those they already apply. This flexibility was included at the pressing request of member states; Parliament’s negotiators would have preferred an EU-wide age limit of 13 years.
- The right to be forgotten: consumers will have the “right to be forgotten”, i.e. to be erased from the databases of companies holding their personal data, provided there are no legitimate grounds for retaining it.
- The right to know when your data has been hacked: companies and organisations will be required to notify the national supervisory authority of serious data breaches as soon as possible, so that users can take appropriate measures.
- Plain language: MEPs insisted that the new rules must put an end to “small print” privacy policies. Information should be given in clear language before the data is collected.
- Fines of up to 4% of firms’ total worldwide annual turnover should constitute a real deterrent to breaking the rules.
- Firms will have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers. Firms whose core business activity is not data processing will be exempt from this obligation, so as to avoid red tape.
- One-stop-shop for complaints and enforcement: national Data Protection Authorities (DPAs) will be enhanced to become a first-instance body where citizens can complain about data breaches. Cooperation among the DPAs will also be significantly strengthened to ensure consistency and oversight.