The pan-EU law aims to give citizens more control over their online information. It has a list of technically demanding requirements, and threatens fines of up to 4% of a company’s annual revenue for serious infringements.
The law covers companies that collect large amounts of customer data, including Facebook and Google. It won’t be overseen by a single authority but instead by a patchwork of national and regional watchdogs across the 28-nation bloc.
The new privacy law (GDPR) seeks to harmonise the scattered data protection laws in the EU and envisages stringent penalties under it. It replaces the existing EC Data Protection Directive (95/46/EC). GDPR seeks to enhance the data privacy rights of users and imposes certain new responsibilities upon data controllers and processors.
The new law endeavours to create a model for a data protection and privacy framework that will be able to keep pace with rapid advancements in technology. Most importantly, GDPR attempts to give back to individuals control over their personal data, while recognising the protection of one’s personal data as a fundamental right. Here are some key elements of GDPR:
New definition of personal data
Under the GDPR, personal data is anything that relates to an identified or identifiable individual. For example: name, address, email address, location data or computer IP address. Sensitive data, such as religious beliefs, racial or ethnic origin, sexual orientation or trade union membership, are subject to extra protections.
The GDPR foresees fines of 2 to 4 per cent of a company’s annual revenues or 20 million euros ($24 million), whichever is higher.
Stricter rules on consent
Companies will need to get freely given, specific, unambiguous and informed consent from individuals to process their data. They will also need users to opt in to the processing of their data – simply giving them an opt out will not be valid. In other words, companies will no longer be able to ask consumers to tick a box after a long set of terms and conditions that most people never read.
The GDPR will apply to any company that has customers in the EU, whether the firm was established in the bloc or not.
New rules for data processors
The GDPR distinguishes between data “controllers” and data “processors”. A data controller determines why personal data must be collected and processed as well as how. A data processor only processes personal data on behalf of the controller and is usually a third-party company.
For example, a retailer that hires a human resources company to handle payroll and other functions is the data controller, while the human resources company is the data processor.
Under GDPR, data processors must guarantee the same standards as controllers and ensure they meet the requirements of the law. There must be a legal contract between a processor and a controller, and a processor may not engage another company to process data without the controller’s consent.
Data breach notifications
Companies must notify data protection authorities of a data breach within 72 hours of becoming aware of it, if the breach is likely to affect the rights of individuals. If the breach carries a high risk for individuals, the company must also notify the affected people without undue delay.
The GDPR introduces a “one-stop shop” mechanism to make it easier for companies operating across the EU, for example Facebook, Google and Mastercard. Companies processing data across the bloc will have a lead authority in the country where they have their main establishment, for example Facebook in Ireland.
The lead authority will be the main point of contact for the company and responsible for ensuring its compliance with GDPR. In cases involving citizens from several countries the lead authority will coordinate with other “concerned” authorities. If there are disputes between authorities, a new body, the European Data Protection Board (EDPB), can make binding decisions. — Reuters
Lawfulness of data processing
Companies processing personal data must ensure it is lawful, fair and transparent. They may not use data for purposes other than those for which it was collected, with limited exceptions. Data processing is lawful if:
- An individual has consented to it
- It is necessary for the performance of a contract
- It is necessary to meet a legal obligation under EU or national law
- It is necessary to protect the vital interests of an individual
- It is necessary to carry out a task in the public interest under EU or national law
- It is in the company’s legitimate interest, as long as it does not override an individual’s fundamental rights and freedoms
Data that a company collected on the basis of consent may not be used for other purposes.
Stronger rights for Europeans
People living in the European Union will get the right to:
- Receive clear and understandable information about who is processing their data and why
- Access data an organisation holds about them
- Ask for personal data to be erased if there is no longer any legitimate reason to keep it
- Have data corrected if it is incorrect
- Move data from one service provider, such as an email service or social network, to another