EU’s new privacy regulation

On 14 April 2016 the European Parliament adopted a new data protection regulation. This regulation, called GDPR for short, will apply in less than two months, from 25 May 2018.


Many of you may have received e-mails from different services you use, such as Google or LinkedIn, informing you of changes to their terms of service. This is due to a new regulation on data protection coming soon: the EU General Data Protection Regulation, or GDPR for short, applies from 25 May 2018.

For more than 20 years, since 1995, data protection in the EU has been regulated by the Data Protection Directive 95/46/EC. Because that directive had become outdated in an ever-evolving digital world, the European Commission proposed a revised text back in 2012.
In 2014 it was the European Parliament's turn to approve its own version of the regulation. With the Council of the European Union approving its own version in 2015, the new regulation could finally enter the final stage of legislation.
Over the following year, and after many meetings, the final text was approved. Companies were given a two-year period to adapt to the new rules, hence the recent changes in the terms of service of many tech giants.

GDPR applies to every company that offers goods or services to people in the EU or processes their personal data, regardless of where the company itself is located, inside or outside the EU. Under the previous directive, companies had to comply with national laws that varied from country to country, which caused problems in some high-profile court cases, such as in Belgium.

Some of the changes include:

  • Breach notification: companies will have to notify the supervisory authority within 72 hours of becoming aware of a personal data breach. Affected individuals will have to be informed without undue delay when the breach is likely to result in a high risk to them, and processors will have to inform their controllers as soon as they detect a breach. Over the past few years there have been many cases of big companies getting hacked and the data of millions of users being compromised, with the companies only revealing the breach months later, unless someone else leaked the news first.
  • Right to access: data subjects will be able to obtain confirmation from data controllers on whether their personal data is being processed, where and for what purpose. They will also be entitled to a copy of their data, free of charge, in electronic format.
  • Data portability: data subjects will have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format, and to transmit it to a different controller.
  • Privacy by design: data protection has to be built into systems and processes from the start rather than bolted on afterwards. The main practical idea is data minimisation: collecting and keeping only the personal data needed for the stated purpose, and protecting it by default.
  • Records and data protection officers: until now, controllers were required to notify local authorities that they were processing personal data. Under the new regulation, controllers will instead have to keep an internal record of their processing activities that meets some specific requirements. A data protection officer will have to be appointed in some specific cases, such as public authorities and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data.

The biggest change for most EU citizens is the “Right to be forgotten”. This right entitles the data subject to have their personal data erased and any further dissemination of the data stopped. Some conditions have to be met, such as the data no longer being needed for the purpose it was collected for, or the data subject withdrawing consent. Companies will also have to weigh the request against the public interest, since the right does not apply where processing is needed for freedom of expression and information. In other words, criminals, well-known politicians, actors and other public figures may be refused erasure because the information about them is of public interest. On the other hand, average citizens with little presence on the web could perfectly well ask for their Facebook profile to be deleted and the data erased, as the public would most likely not care.

To be properly enforced, GDPR comes with new penalties. In our article about Facebook and Cambridge Analytica, we mentioned Spain having a threshold of 300 000 euros for some fines related to personal data.
Companies not properly applying GDPR or infringing some of the new rules may be fined up to 20 million euros or 4% of their annual global turnover, whichever is higher. The amount of the fine will vary depending on how serious the infringement is: the regulation sets a lower tier of up to 10 million euros or 2% of global turnover for infringements such as not keeping the required records of processing or failing to notify a breach.

As usual, some companies will probably try to find ways around the new rules, either to avoid complying with them or to keep exploiting users' data the same way they have until now. But this time, governments and citizens will have a powerful tool to counter this at EU level.

For more information, users can check this website: https://www.eugdpr.org/
