After four years of negotiation the text of the new EU data laws has been approved. The draft still has to be voted on by EU member states, likely to happen early in 2016, after which it will take around two years for it to be fully implemented across Europe. The two-year respite has been given so that member states have enough time to adapt their own laws to this new legislation; for some countries this might involve passing entirely new regulations.
These new laws, known as the General Data Protection Regulation, will replace the 1995 EU Data Protection Directive. The laws will have significant consequences for internet users across Europe and for the companies that store their data.
The laws have been devised to incentivise businesses to tread more carefully when processing data. Those who do not follow the new laws could be faced with fines of up to 4% of their global turnover. For leading tech companies this could equate to fines in the tens of billions. This figure was decided upon after lengthy negotiations between the European Parliament and Council. The Parliament initially stated it wanted fines of 5% of global turnover whilst the Council argued for fines of just 2%.
A number of measures will be introduced that will give users more scope for monitoring how their data is being used. The “Right to be Forgotten” has been incorporated into the new laws giving users the right to demand that their information be removed by providers. This primarily concerns data that is considered out of date and no longer of any use. A new body, named the Data Protection Authorities (DPA), will be established to help EU users who are affected by data breaches. It will record complaints, whilst a European Data Protection Board will be created to negotiate the claims of different parties.
Businesses will also now need to have their own data protection officer; small and medium-sized businesses are exempt from this rule, unless they specialise in data processing.
Laws surrounding the digital age of consent have also been tightened. Guardians of children under the age of 16 must give permission before their child hands over any of their information to certain sites. This age limit can be lowered by governments to 13, which is the age of consent most commonly used for social media sites in the U.S.
The overriding aim of the new laws is to create uniform compliance across Europe in order to make the transfer of data around the Continent more seamless and efficient. It is also hoped that the laws will mean businesses take more responsibility when it comes to the protection of their customers’ data. High-profile data breaches, mostly in the U.S., have demonstrated that businesses are still ill-equipped when it comes to the handling of mass data breaches; breaches which tend to have lasting repercussions not only for the company involved, but also for their customers.
The new EU laws include a transparency clause demanding that companies inform regulators of a data breach within 72 hours of discovery. This will speed up recovery time and will enable customers to take the necessary precautions to protect themselves more quickly. When corporate data breaches occur, consumers are often more frustrated by the actions of the company involved during the aftermath of the attack than by the attack itself.
The new laws have received their fair share of criticism. Some business leaders believe that not enough time has been allowed for organisations and governments to comply with the incoming regulations, whilst others complain that the new measures do not go far enough in protecting consumers online.
When it comes to data privacy it is unlikely that any set of proposals will be able to satisfy everyone given the diverse use of data and the sheer number of those involved in the processing of information across the continent.