New European General Data Protection Regulation gets the green light
- Published: Tuesday, 22 December 2015 08:37
Organizations based and operating in the European Union have a new compliance risk to prepare for, as the European General Data Protection Regulation passes its final hurdle.
Following extensive, multi-year negotiations, the European Parliament and European Council have now reached an agreement on the new General Data Protection Regulation, modernising a legal framework which dates back to the 1990s (source: ENISA).
The Regulation gives national competent authorities (DPAs) greater enforcement powers, strengthening their role, as well as reinforcing the rights of individuals with regard to data protection in the digital era.
According to the European Commission, the main provisions of the European General Data Protection Regulation are:
- One continent, one law: the regulation will establish a single set of rules on data protection, valid across the EU. Companies will deal with one law, not 28.
- Strengthened and additional rights: the right to be forgotten will be reinforced. When European citizens no longer want their data to be processed and there are no legitimate grounds for retaining it, the controller must delete the data, unless they can show that it is still needed or relevant. Citizens will also be better informed if their data is hacked, as the Regulation imposes a breach reporting requirement. A right to data portability will make it easier for users to transfer personal data between service providers.
- European rules on European soil: companies based outside of Europe will have to apply the same rules when offering services in the EU.
- More powers for independent national data protection authorities: national data protection authorities will be strengthened in order to effectively enforce the rules, and will be empowered to fine companies that violate EU data protection rules. This could lead to penalties of up to €1 million or up to 2 percent of the global annual turnover of a company.
The European General Data Protection Regulation will now be ratified by the European Council, a step considered to be a formality. The next meeting of the European Council starts on February 18th 2016, and if ratification occurs at this meeting the Regulation is expected to come into force two years later.