The European Parliament has voted and passed the biggest shake-up of data protection laws for 20 years.
On Thursday the 14th April, the European parliament voted through some new legislation which centered on tougher rules for data protection for its citizens. The new laws are primarily concerned with increasing privacy for individuals and also gives authorities greater powers to take action against businesses that breach the new laws.
The new laws reform the current data protection directive that dates back to the latter years of the 20th Century, and a time when Google, Amazon, still didn’t exist, and Windows 95 was still brand spanking new. It was also a time when there were still programs on TV dedicated to explaining just what the World Wide Web was, and the internet was still something most people associated with medium sized fishing nets. (Get it?)
“The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European ‘yes’ to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share”, said Jan Philipp Albrecht (Greens, DE), who was mainly responsible for steering the new legislation through Parliament.
The new rules including the new General Data Protection Regulation (GDPR), were four years in the making, and faced some strong opposition from some the companies, including Google.
The new laws though will be the backbone of laws for national data regulators in the EU to prosecute companies that cross the line with some hefty financial penalties for incidents such as data breaches. Fines could go as high as forcing companies to hand over as much as 4% of their annual turnover.
By enacting the new legislation, the EU has committed to providing some of the strongest data protection laws in the world, and also for EU’s 500 million citizens. Once ratified by the EU’s 28 member states, it will replace the old and ineffective patchwork of national rules that currently exist.
The new rules include provisions on:
- a right to be forgotten,
- “clear and affirmative consent” to the processing of private data by the person concerned,
- a right to transfer your data to another service provider,
- the right to know when your data has been hacked,
- ensuring that privacy policies are explained in clear and understandable language, and
- stronger enforcement and fines up to 4% of firms’ total worldwide annual turnover, as a deterrent to breaking the rules.
“The regulations will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years after this date.”
Due to UK and Ireland’s special status regarding justice and home affairs legislation, the directive’s provisions will only apply in these countries to a limited extent.