The current EU data protection directive stems from 1995. With an industry that is changing right before our very eyes, this document is perhaps a bit outdated. That is why, back in 2012, the European Commission put forth a proposal to ‘update’ the legislation concerning data protection. These plans were further elaborated upon in December 2015. It is now clear that the new system of EU data protection will consist of the ´General Data Protection Regulation´ (for citizens to be better able to control their own data) and the ‘Data Protection Directive’ (for police and criminal justice sector). A more coordinated and up-to-date system of rules and regulations regarding data protection will provide everyone in the EU with the same rights, protection and possibly save businesses a total of €2.3 billion per year. The main aim of these reforms is to help Europe transition towards a Digital Single Market, making the EU a breeding ground for technological innovation. Check out this short video on the Digital Single Market.
Contrary to vivid speculation, the EU claims the new body of data protection will benefit businesses instead of harm them. The current Data Protection Directive is a rather fragmented document, there are a lot of areas in which national legislation has to be applied since EU legislation is simply missing. The new Directive and Regulation will ensure that the same rules are applied throughout the entire EU, leading to higher legal certainty and consistency, while simultaneously decreasing the administrative burden on businesses. The new legislation puts more responsibility and accountability in the hands of data center operators. They are responsible for the protection and safeguarding of personal data in compliance with EU legislation. It is their responsibility to notify and remind their users of their rights, and if there is a data breach operators will be required to notify it to the Commission. Although the fines for breaching the new EU rules will increase significantly, the Commission expects the new data protection regulation to save businesses an estimated €2.3 billion per year (€130 million in paperwork alone)!
The reform will also have an impact on the average EU citizen. First of all the ‘type’ of legislation is very different. The current data protection is a directive, meaning the EU proposes it and it is subsequently in the hands of Member States implement it in their national legislation. The new data protection legislation (the one most relevant to citizens) will be a ‘regulation’ which means it will automatically, and without question, be implemented in the national legislation of each Member State. Now, no matter where you are from in the EU, every citizen will have exactly the same level of data protection. Additionally, the Commission’s press release states that “The reform will allow people to regain control of their personal data.” For full text click here. In essence, this implies easier access to, and transfer of, your personal data, a stronger legal base for ‘the right to be forgotten’ and, last but not least, the mandatory obligation on companies to inform you and the national authorities in case your personal data has been hacked.
All in all the new data protection legislation sounds pretty promising. Increased protection for citizens at a lower cost for businesses, sounds nearly too good to be true. I guess we will find out in 2017/2018!
For more information: This is an interesting top-10 of changes that will take place with the implementation of the new Data Protection Regulation.