EU: New data protection rules adopted

The patchwork of data protection regulations in the EU has come to an end: on April 14, 2016, the EU Parliament passed the EU data protection reform with a large majority.


The EU General Data Protection Regulation has finally been signed and sealed. "We now have first-class rules with the highest data protection standards in the world. Now we need to work together to implement these standards in the EU so that consumers and businesses can enjoy their benefits as soon as possible," said First Commission Vice-President Frans Timmermans, Vice-President Andrus Ansip and Justice Commissioner Věra Jourová.

To ensure consistent application of the new rules, the Commission will work closely with the data protection authorities of the Member States. During the two-year transition period, the Commission will inform citizens about their rights and businesses about their obligations.

"Today's vote is a milestone: it marks the successful conclusion of three years of hard work with Member States, Members of the European Parliament, business, civil society and other stakeholders," the statement by Timmermans, Ansip and Jourová added. "The new rules ensure that the right of all EU citizens to protection of their personal data is respected, while promoting the Digital Single Market by increasing consumer trust in online services and providing more legal certainty for businesses."

The new EU data protection rules include two legal instruments, the General Data Protection Regulation and the Directive on Data Protection in Police and Criminal Justice.

Below are the key points of the new rules.

Data protection as a fundamental right of citizens

  • Easier access to one's own data: Better information is provided about how the data is processed. This information must be clear and understandable.
  • Right to data portability: Personal data can be more easily transferred from one provider to another.
  • A clarification of the "right to be forgotten": If data subjects do not want their data to be further processed and there are no legitimate reasons for storing it, the data must be deleted.
  • The right to know if data has been hacked: Companies and organizations must, for example, inform the national supervisory authority as soon as possible about serious breaches of data protection so that users can take appropriate measures.

Clear rules for companies

In today's digital economy, personal data has taken on enormous economic importance, especially in the area of mass data (Big Data). By unifying European data protection standards, legislators have created business opportunities and opportunities for innovation.

  • One continent, one law: The regulation will create a uniform set of rules that will make it easier for companies to do business in the EU and save costs.
  • Single point of contact: Companies now only have to deal with a single regulatory authority. This saves an estimated 2.3 billion euros per year.
  • European rules on European soil: Companies based outside Europe must follow the same rules when offering services in the EU.
  • Risk-based approach: Instead of a burdensome general obligation, the new rules introduce an obligation adapted to the respective risks.
  • Innovation-friendly rules: The Regulation ensures that data protection safeguards are built into products and services from the earliest stages of development ("data protection by design"). Privacy-friendly techniques such as pseudonymization are promoted to take advantage of mass data-related innovations while protecting privacy.

Advantages for SMEs

The data protection reform will stimulate economic growth by reducing costs and administrative burdens, especially for small and medium-sized enterprises (SMEs). The EU data protection reform is designed to help SMEs penetrate new markets. Under the new rules, the administrative burden for SMEs will be reduced in four respects:

  • Abolition of the reporting obligation: Notifications to the supervisory authorities are a formality that costs companies EUR 130 million every year. The reporting obligation will be completely eliminated by the reform.
  • Every cent counts: If requests for access to data are clearly unfounded or disproportionate, SMEs will be able to charge fees for providing access in the future.
  • Data protection officers: SMEs are not required to appoint a data protection officer unless data processing is their core business.
  • Impact assessment: SMEs are not required to conduct an impact assessment unless there is a high risk.

Protection of personal data in law enforcement

  • Better law enforcement cooperation: With the new Data Protection Directive for Police and Criminal Justice, law enforcement agencies in Member States will share investigative information more efficiently and effectively. They will also be able to cooperate better in the fight against terrorism and other serious crime in Europe. The Directive takes into account the specific needs of law enforcement, respects the different legal traditions of the Member States and is fully in line with the Charter of Fundamental Rights.
  • Better protection of citizens' data: Personal data will be better protected when processed for law enforcement purposes, which includes crime prevention. The protection applies to everyone - regardless of whether they are a victim, a criminal or a witness. Data processing in Union police forces and prosecutors' offices must comply with the principles of necessity, proportionality and lawfulness, and be accompanied by adequate safeguards to protect individuals. It is subject to supervision by independent national data protection authorities, and effective judicial protection must be provided. The Directive on Data Protection in Police and Criminal Justice contains clear rules on the transfer of personal data from the EU to ensure that the data protection guaranteed to individuals in the EU is not undermined.

(Source: https://ec.europa.eu, EU Commission, Representation in Germany)

For more information:

Statement of the EU Commission on the adoption of the data protection reform
The reform of EU data protection rules

Data protection reform - questions and answers

 
