The European Council and Parliament have reached a compromise agreement on the new data protection directive, following three years of debate. Designed to replace the existing data protection directive from 1995, the new law aims to give consumers greater control over how their personal data is used, especially online. It also extends EU regulations to businesses based outside the region and handling data on EU residents.
Consumers will receive clearer information about how their information is processed by businesses and organisations, and the latter must obtain explicit consent from the user before processing any personal data. Consumers also gain the right to port their data to another provider or have their data ‘forgotten’ when they stop using a service. Companies and organisations will also be required to notify regulators and customers when personal data is hacked or they suffer a security breach. Violations of the rules will result in increased fines, of up to 4 percent of annual turnover.
Businesses are expected to benefit from a uniform legal framework across the EU, reducing their administrative costs. They will be able to answer to a single data protection regulator in the country where they are based, for all their operations in the EU. However, large businesses will face the new requirement of appointing a data protection officer if they process sensitive data on a large scale. Unlike the previous data protection directive, the law also now covers non-EU businesses operating in the territory. In addition, the legislation will require all businesses to work on the principle of ‘data protection by design’ so privacy is ensured from the earliest stages of a product or service.
The legislation includes the General Data Protection Regulation, covering personal data controls and business data processing, and the Data Protection Directive, covering access to personal data by law enforcement officials such as police and prosecutors. The Parliament and Council are expected to give their formal approval to the legislation in early 2016, after which member states will have two years to implement the new rules.