
Data protection law sails through European Parliament

The European Union’s new General Data Protection Regulation has successfully passed through the European Parliament

The European Parliament has successfully passed the long-awaited General Data Protection Regulation (GDPR) after receiving the go-ahead from the parliament’s civil liberties (Libe) committee on 12 April 2016.

European Union (EU) member states will now have two years to pass the new regulations – which were proposed by former EU justice commissioner Viviane Reding four years ago – into law. However, owing to the UK’s special status regarding justice and home affairs legislation, the provisions will only apply in this country to a limited extent – and the same applies to Ireland.

The data protection reform package includes both the GDPR and the Data Protection Directive for Police and Criminal Justice Authorities. It replaces current rules based on directives laid down in 1995 and 2008. The EU said the new package was a key enabler for the Digital Single Market.

The European Commission first vice-president Frans Timmermans; the vice-president in charge of the Digital Single Market Andrus Ansip; and the commissioner for justice, consumers and gender equality Věra Jourová released a joint statement about the GDPR.

“The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The GDPR will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules,” they said.

“These rules are for the benefit of everyone in the EU. Individuals must be empowered. They must know what their rights are, and know how to defend their rights if they feel they are not respected.”

Robust rules

In practice, the EU hopes the GDPR will give citizens in all 28 member states more information on how their personal data is processed, presented clearly and understandably.

They will gain the right to know as soon as possible if their personal data is ever compromised, while the “right to be forgotten” has been clarified and strengthened. It will also become easier for people to transfer data between service providers, with the introduction of a right to data portability.

The EU also said it saw benefits for businesses, with companies having only to deal with one supervisory authority across the EU, as opposed to one in each member state in which they operate.

It estimated this could save €2.3bn per annum. Non-EU companies wishing to do business in the union will also be subject to the laws. Businesses that break the rules may be fined up to 4% of their total worldwide annual turnover.

“The GDPR makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European ‘yes’ to strong consumer rights and competition in the digital age,” said German Green MEP Jan Philipp Albrecht, who was instrumental in steering the legislation through.

“Citizens will be able to decide for themselves which personal information they want to share.”

At the same time, police and criminal justice authorities across the EU will be able to exchange information between themselves more smoothly, and will no longer have to apply different sets of rules according to the data’s origin.

“The main problem concerning terrorist attacks and other transnational crimes is that member states’ law enforcement authorities are reluctant to exchange valuable information”, said Parliament’s lead MEP on the directive, Marju Lauristin, of Estonia.

“By setting European standards for information exchange between law enforcement authorities, the data protection directive will become a powerful and useful tool which will help authorities transfer personal data easily and efficiently. At the same time, it will also be respecting the fundamental right to privacy,” she explained.

Herding cats

Mark Thompson, privacy lead at KPMG’s cyber security practice, said the regulations had been a long time coming after lengthy discussions and more suggested amendments than any other piece of EU regulation. “The EU has finally herded the cats up the hill,” he said.

“The approach of the GDPR provides a risk-based application of a one size fits all set of rules across the EU. It also recognises the different levels of privacy risk associated with small and medium-sized enterprises [SMEs] and large global organisations. Privacy will be catapulted up the list of global organisations’ enterprise risks, requiring them to re-evaluate to take action.

“For non-EU businesses that trade in the EU, this agreement will require some [companies] to re-think some of the activities they carry out in the EU. This makes it much harder to operate certain global services and will require them to put an EU lens on the business activities which are undertaken in the EU market,” said Thompson.

Tougher regulations for airlines

As previously reported, the GDPR was also tied to a plan to store airline passengers’ personal data as a counter-terrorism initiative.

The Passenger Name Record (PNR) plan had been resisted by many European parliamentarians over concerns about blanket surveillance. However, the Brussels Airport attacks of 22 March 2016 are thought to have added impetus to the directive’s passage.

Authorities will be able to process PNR data against predetermined criteria and databases, and extract information on potential terrorists and other criminals, such as drug or people traffickers. The data will be kept for five years, with personally identifying information redacted after six months.

Frans Timmermans said: “This is a strong expression of Europe’s commitment to fight terrorism and organised crime together through enhanced co-operation and effective intelligence sharing.

“The atrocious terrorist attacks in Paris on 13 November 2015 and Brussels on 22 March showed once more that Europe needs to scale up its common response to terrorism and take concrete actions to fight it. The EU PNR Directive will be an important contribution to our common response.”
