EU approves stricter data-protection rules

The 'right to be forgotten' will be expanded to include all kinds of personal information.


The European Parliament today voted in favor of broad new data-protection laws that apply to any company operating within the European Union, regardless of where it is based. First proposed more than four years ago, they represent a significant modernization of regulations drawn up in 1995, long before the internet and digital services had matured to the point they're at now. Various EU authorities agreed upon the rules late last year, and they were formally green-lit today. At their heart, the rules make companies more accountable for data protection and give citizens more control over the information held on them.

What it means for us

Under the General Data Protection Regulation (GDPR), companies are expected to make their products and services capture and process as little personal information as possible by default. Coined "privacy by design," this forces services like social networks to ensure users have the strictest privacy settings right off the bat, instead of having to dig through menus to opt out of programs or features they were automatically included in when they signed up.

This is in tune with a general responsibility to be more transparent about data collection. Companies must receive the "clear and affirmative" consent of users to process their personal data and offer a simple way to withdraw that consent. Furthermore, what the data is being used for must be stated in "clear and plain language"; dense and confusing privacy policies won't fly. Any business that handles large volumes of personal data is required to employ a data-protection officer under the new rules, and any breach must be disclosed within 72 hours.


The European Parliament says the rules will benefit companies by introducing a single set of laws to abide by (not the individual regulations of the 28 member states) and a single supervising authority to deal with. The GDPR is not to be taken lightly, though, as any company or organization that suffers a breach or is found to be generally noncompliant could be fined up to 4 percent of its global turnover. For a behemoth like Google, that would be a significant sum.

In addition to these stricter rules for companies, the GDPR affords EU citizens greater control over their personal data, including the right to "data portability." This is the power to move data between services, such as instructing your current internet service provider (ISP) to divulge certain information to a new ISP. It gets much more complicated than that, though. In theory, you'll also be able to switch email providers, moving all your contacts and email history from, say, Google to Yahoo; or, set up a new social media account using data from an existing one. We're a ways from knowing how this will work in practice, however.


The "right to be forgotten" is also a key part of the new rules. In a landmark case, the European Court of Justice ruled that one can request search engines remove links from results that contain "irrelevant" or "outdated" personal information. This legally binding decision is now part of EU law, and the right has been extended to cover all kinds of personal data. For instance, you could tell Facebook to delete your account and all data associated with your activity, and the social network would also have to apply that deletion anywhere your data has been replicated. There are certain caveats, of course, where "data is needed for historical, statistical and scientific purposes, for public health reasons or to exercise the right to freedom of expression."

Children will have special protections under the right to be forgotten, and the GDPR also introduces a rule requiring social networks to seek parental consent before letting kids open an account. Several EU member states have this provision already, and each country will set its own age threshold at which this no longer applies, from 13 to 16 years.

What it means for law enforcement

While not as relevant to general internet users, the data-protection "package" approved today also creates a blanket set of guidelines for the handling of personal data by EU law enforcement agencies. The Data Protection Directive lays out "minimum-protection standards" for the movement of data between member states, such as safeguards that ensure personal information is "processed lawfully, fairly and only for a specific purpose."

[Image: Police patrol in Wroclaw, Poland]

Essentially, the Data Protection Directive tries to balance the rights of individuals with the need for cross-border cooperation between law enforcement. With one set of guidelines, agencies no longer have to operate within the cumbersome patchwork of differing national regulations, which should allow for smoother and more efficient data transfer between member state authorities.

T-minus two years

Now that they've been approved, the GDPR and Data Protection Directive will soon become part of EU law, but the regulations won't truly come into force until April 2018. That gives all member states two years to copy and paste the rules into their national laws and processes. The regulations are sure to have an impact long before then, though.

They will undoubtedly be key to discussions around an impending update to the EU e-Privacy Directive, which specifically deals with electronic communications data, including the use of cookies. What's more, the EU and US are working on Privacy Shield, an agreement that governs the movement and use of personal data across the Atlantic, designed to replace the now-defunct Safe Harbor agreement.

[Images: Getty (Lead, 1, 2); Alamy (3 - Policja)]