EU introduces stricter data privacy rules giving citizens new rights
Companies will face fines of up to 4pc of global turnover under stricter data privacy laws passed by the European Parliament today.
The new laws, which also incorporate a “right to be forgotten” and the right to know when your personal data has been hacked, will take effect across the EU from 2018.
Having been stuck between different arms of the EU’s law-making procedures for four years, the General Data Protection Regulation (GDPR) also gives EU citizens the following new rights:
- "clear and affirmative consent" to the processing of private data by the person concerned
- a right to transfer your data to another service provider
- privacy policies to be explained in clear and understandable language
- new limits on “profiling” that is based on automated data processing
- an age limit of between 13 and 16 under which children need to get parental consent to sign up to social media services
The new regulation also provides that companies will have to appoint a data protection officer “if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers”. Firms “whose core business activities are not data processing” will be exempt from this obligation, it says.
However, the accompanying directive on data sharing between police and judicial authorities, adopted alongside the regulation, may not have full effect in Ireland, as both Britain and Ireland have “special status” on justice and home affairs legislation.
“The directive's provisions will only apply in these countries [Ireland and UK] to a limited extent,” said a spokesman for the European Parliament.
“Ireland can opt in on a case by case basis,” said a spokeswoman for the European Commission in Ireland. “Indeed, it has done so on the questions of taking part in some of the new arrangements for the relocation of refugees.”
The new law received the highest number of amendments (3,999) ever tabled in the European Parliament.
"Consistent fines across the EU – up to 4pc of Global Revenue – will provide a fairer, clearer approach to enforcing data protection," said Anthony Merry, head of data protection at the IT security firm Sophos. "In addition, the proposal that National Data Protection authorities will have the power to impose fines on companies directly, instead of having to go through the courts, should make it easier and quicker to take action. Those outside the EU will also need to pay attention as the law applies to all companies that hold data on European citizens, regardless of whether that company has an EU base or not."
According to the Parliament, here is the context around some of the new rights introduced.
1. ‘Right to be forgotten’: this has already applied to search engines since the European Court of Justice ruled on it two years ago.
“If a person asks an internet company to erase his or her data, the company should also forward the request to any others that replicate the data,” says the Parliament in an explanatory note. “However, this right would be restricted in some cases, for instance when the data is needed for historical, statistical and scientific purposes, for public health reasons or to exercise the right to freedom of expression. Also, the right to be forgotten would not apply when the retention of personal data is necessary to fulfil a contract or is required by law.”
2. “Clear and affirmative consent”: this now requires an “active step” by the person whose data is being processed. “This could mean ticking a box when visiting an internet website or another action or statement clearly indicating acceptance of the proposed processing of the personal data,” says the Parliament’s note. “Silence, pre-ticked boxes or inactivity will thus not constitute consent. In future, it should also be as easy for a person to withdraw consent as to give it.”
3. “The right to be informed in clear and plain language”: this is supposed to put an end to small print privacy policies. “Information should be given in clear and plain language before the data is collected,” says the Parliament.
4. “The right to know if your data has been hacked”: according to the Parliament: “companies and organisations will be required to notify the national supervisory authority of serious data breaches as soon as possible, so that users can take appropriate measures.”
5. “Stricter limits on the use of profiling”: there are new limits to the use of "profiling", where automated processing of someone’s personal data is used “to analyse or predict a person's performance at work, economic situation, location, health, preferences, reliability or behaviour”. “Under the regulation, profiling would only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract,” says the Parliament.
“Also, profiling should not be based solely on automated processing and should comprise human assessment, including an explanation of the decision reached after such an assessment. This could affect the way in which creditworthiness is evaluated, for example.”
6. Kids’ age of consent online: “children below a certain age will need their parents' permission to open an account on social media such as Facebook, Instagram or Snapchat,” says the Parliament. “The age threshold is for member states to define within a range of 13 to 16 years… the rules specify that children below the age limit will not need to ask their parents' permission to make use of counselling or preventive services offered directly to children.”
7. “The right to switch one’s personal data to another service provider”: “This right should allow a user to switch to another email provider without losing contacts or previous emails,” says the Parliament.
8. Privacy as a norm: “In future, companies will have to design defaults and products such that as little personal data as possible are collected and processed… Privacy by default should become an essential principle.”
The new laws have been welcomed by acting Irish minister of state for European affairs and data protection, Dara Murphy.
“I believe we have struck a good balance with these new rules, with strong protections for individuals’ personal data, based on the key principles of data protection,” he said. “These are combined with clear, and in many cases, risk-based, obligations for organisations, including a requirement for mandatory notification of data breaches and a sanctions regime for cases of serious data breaches.”