Marking the biggest changes to privacy laws in the European Union in twenty years, negotiators last night (Tuesday, 15 December) agreed on the fundamentals of pan-European Data Protection rules which will give more power to consumers and promise sizeable fines for non-compliant organisations. The new law will finally put an end to the patchwork of data protection rules that have existed throughout the EU since the enactment of the 1995 Data Protection Directive.
Věra Jourová, EU Commissioner for Justice stated that "These new pan-European rules are good for citizens and good for businesses. Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market."
The effects will obviously be felt at all levels; however, the following are the significant effects of the General Data Protection Regulation (the Regulation) that will be felt by Irish businesses:
1. Misuse of consumer data will result in hefty fines. Penalties in the past were negligible and irregular. However, under the Regulation, sanctions will now be as high as 4 percent of a company’s annual global revenues.
2. The new law will expand the potential liability for companies. Currently, only the data controller is liable for data breaches in the EU. Under the new Regulation, both the data controller and all associated data processors will now be jointly liable for any damages incurred.
3. Organisations will be required to appoint Data Protection Officers. The position will be mandatory, except for SMEs. However, if data processing is core to their business, then SMEs will also be obliged to appoint DPOs. The test for measuring the relative importance of data processing for certain sectors will undoubtedly be decided by the Courts in the near future once the Regulation takes effect.
4. Organisations with access to personal data will be required to get express consent from users and to give a clear explanation of what data is being collected and how it will be used. Moreover, organisations will not be allowed to collect data for one stated purpose and then use it for another. Simply put, when someone goes online and buys something, a business will be unable to use that data for direct marketing. The Regulation also gives people the right to have their personal data corrected if inaccurate, and expands their right to remove irrelevant or outdated information. This “right to erasure” gives consumers the right to stop a company from using their data when they close an account, for example. Essentially, they will be empowered to stop marketing companies from building a data profile of them.
5. The Regulation contains the famous “one-stop shop” for data protection complaints. This process means that businesses will only have to deal with one single supervisory authority and will, according to estimates, save over €2 billion per year.
More on the Regulation to follow...