Following years of negotiations, several bodies of the European Union have finally agreed on the final draft text of the EU General Data Protection Regulation (GDPR) and the EU Data Protection Directive for Police and Criminal Justice Authorities (DPD).
The two documents are meant to harmonize the handling of personal data across the 28 EU member states. If approved, the regulation will apply directly and automatically supersede the patchwork of national laws, while the directive must be transposed into national legislation and can be adapted by individual governments in the process.
The GDPR gives more power to the users of online services, proposes stronger safeguards for EU citizens’ data that gets transferred abroad, and considerably increases the fines that can be imposed on companies that break the rules. It states that businesses could be fined up to 4 percent of their worldwide annual turnover for non-compliance.
For context, 4 percent of Facebook’s worldwide turnover in 2014 would total almost $500 million.
Companies will also have to appoint a data protection officer if they process sensitive data on a large scale.
At the moment, European privacy regulators can only levy minor fines and are criticized for lacking the means to enforce what are already some of the toughest privacy rules in the world.
Are we there yet?
The current EU directive ‘on the protection of individuals with regard to the processing of personal data and on the free movement of such data’ was adopted in October 1995, long before the Internet became the driving force behind some of Europe’s major economies.
The GDPR has been in the making since 2012, but went through considerable changes in response to the surveillance practices of US intelligence agencies revealed by Edward Snowden in 2013.
The text of the draft had to be agreed by the European Commission, the European Parliament and the Council of the European Union.
The final draft of the GDPR spells out what exactly constitutes consent to data collection, introduces new rules on the wording of privacy policies, and instructs businesses to make it easy for individuals to obtain and transfer their personal data on request.
The document also requires businesses to notify the supervisory authority of breaches affecting personal data within 72 hours of becoming aware of them. It further expands the controversial ‘right to be forgotten’, which can legally require search engines such as Google to delist certain content.
Some of the earlier proposals suggested raising the ‘age of digital consent’, so that a business would not be allowed to collect information about children under 16 without explicit permission from their guardians. This approach would present considerable challenges, since this age group includes some of the most active users of social media.
According to the latest iteration of GDPR, member states will be able to choose their own ‘age of digital consent’ – anywhere between 13 and 16 years old.
But the real revelation in the draft is the amount businesses would have to pay if they breach the regulation: up to 4 percent of annual worldwide turnover. The Council of the European Union had previously suggested capping fines at around 2 percent of turnover.
Under the terms of the regulation, companies based outside the EU will have to follow the same rules when offering goods or services to people in the EU.
“The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned,” explained Jan Philipp Albrecht, Parliament’s lead MEP on the regulation.
“Consumers will have to give their consent by a clear and affirmative action to the use of their data.”
Meanwhile, the DPD deals with the processing and transfer of personal data for law enforcement purposes, aiming to ease cross-border cooperation while protecting information about victims, witnesses and suspects of crime.
Once both documents receive final approval, expected in early 2016, member states will have two years to integrate them into national legislation.