Greetings from Brussels!
Well there we have it. Four years in the making, and Europe has braved a few storms along the way in taking a giant step towards consistent and significant pan-European data privacy laws. Somewhat surprisingly, or perhaps not, I checked the European broadsheet press front pages this morning and I see barely a mention, if any. To be sure, though, it’s headline news in the privacy world.
Sing it from the rooftops.
As if anyone needed reminding, the data protection regulation was hit with thousands of amendments and branded one of the top lobbied draft bills during its four-year journey on the legislative slate; perhaps the most debated in recent history. Following six months of trilogue meetings, EU negotiators finally wrapped up talks on the major reform last night in the last legislative session of the year (15 December).
Technology companies and privacy lawyers are already saying the new regulation will make Europe's data protection rules a lot stricter. The new streamlined regulation for the 28 member states will allow for a strong data protection law setting common standards. Under the new rules, companies will have to employ a data protection officer if they handle significant amounts of data, along with a host of other mandates aimed at giving European citizens and consumers more say over what businesses can do with their personal information. In short, for EU citizens, the regulation will clarify the laws around rights such as the “right to be forgotten” and the right to transfer their data between providers while being given easier access to their own data and transparency around how it is processed. These rights as cited speak to citizen empowerment. This cannot be denied.
Jan Philipp Albrecht, the Parliament’s chief negotiator, said that the new laws would give regulators real means to clamp down on misconduct and that “firms breaching EU data protection rules could be fined as much as 4 percent of annual turnover; for global internet companies in particular, this could amount to billions.”
The business response has been more cautious; maybe rightly so? DigitalEurope, the tech trade association, acknowledges that more consistency in the law is welcome. However, they fear that the agreed text will undermine the ability of businesses in Europe to invest, innovate and create jobs. A major fear is that the result fails to strike the proper balance between protecting citizens’ fundamental rights to privacy and the ability for businesses in Europe to become more competitive.
From the regulator viewpoint, the GDPR will also impact how national data protection authorities (DPAs) deal with complaints. An independent body, the European Data Protection Board, will be set up to coordinate national authorities that jointly address complaints from consumers in a country outside where a company is based. European Data Protection Supervisor Giovanni Buttarelli, whose office will oversee the Board, was rather positive about developments, saying that he thought the DPAs were ready to work more closely together. In addition, he believes that the new GDPR framework would greatly facilitate new privacy legislation in the future, including new agreements with the U.S. expected in early 2016.
We have exciting yet busy times ahead in the privacy world; passing the regulation was a significant step. The work truly begins now and I expect the next two-to-three years to be as significant as the last four. Much more to follow.