Newly agreed data protection laws will pose far more than just a compliance and legal challenge to European businesses, lawyers warned today.
Organisations will have to completely transform the way they collect and use personal information when legislators introduce what are being described as the most stringent data laws in the world.
After three years of difficult negotiations, the European Commission announced last night that agreement has been reached on the content of Europe’s General Data Protection Regulation. Sanctions for failure to comply include fines of up to 4% of global annual turnover.
The European Parliament had originally wanted maximum fines of 5% of global sales, while the Council had been firm on 2%.
The new rules will introduce mandatory breach notification for all; joint and several liability for suppliers (data processors); tougher restrictions on the use of profiling; enhanced rights for individuals; and a requirement for most organisations to appoint a data protection officer. The final text now needs to be translated for formal adoption by the Parliament and the Council in early 2016, with the new rules coming into effect in 2018.
Ross McKean, head of Olswang’s data protection practice, said the new regulation amounts to a ‘paradigm change’ in the way that data collection and use is regulated. He added: ‘We have now moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world.
‘Data permeates everything that we do in our digital lives and touches all organisations. The good news is that we have just over two years to prepare for the new regime. However in that time, organisations will need to completely transform the way they collect and use personal information.’
Mahisha Rupan, senior associate at technology specialist Kemp Little, noted that the regulation does not only apply to businesses based in the EU, but also to any business offering goods or services to EU citizens. ‘The objective of this change is to ensure that EU businesses are not put at a disadvantage by being forced to operate under stricter privacy standards versus organisations based elsewhere and will help to create a more level playing field for all businesses operating in the EU.’
The proposed changes have proved particular unpopular with technology companies, which have pointed to their inhibiting effect on data innovation. However, consumer groups welcomed the reforms.
David Martin, senior legal officer at consumer advocacy group BEUC, told the Brussels-based newspaper Politico: 'What’s important at the end of the day is that they set a threshold that is important enough to have a deterrent effect on companies so they take data protection seriously.’
Negotiators also agreed an accompanying directive on data sharing between police and criminal justice authorities.
Věra Jourová (pictured), commissioner for justice, consumers and gender equality said: 'Today we deliver on the promise of the Juncker Commission to finalise data protection reform in 2015. Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European digital single market.
'Harmonised data protection rules for police and criminal justice authorities will ease law enforcement cooperation between member states based on mutual trust, contributing to the European agenda for security.’