Last week, the Civil Liberties Committee of the European Parliament and the EU member states agreed on a final version of the long-awaited General Data Protection Regulation (GDPR), which is aimed at updating EU data protection rules for the digital age. This regulation will replace the 1995 Data Protection Directive and harmonise data protection — its terms and conditions — across EU member states. The conclusion of the regulation, taking place over three years after negotiations launched, arrives with impeccable timing, given the ongoing Safe Harbour negotiations and mystery-clad data retention debate.
The new rules will ensure individuals are in control of their own data, providing for a long list of users’ rights and a clear set of obligations for companies. At first glance, “obligations” might seem like a headache for businesses that have difficulty meeting their responsibility to respect human rights. However, having harmonised rules across the EU will provide legal certainty and lower the administrative burden. Of course, for companies that simply want to ignore their obligations and commit repeated, serious infringements, there are serious penalties. Data protection authorities can fine them up to 4% of their total worldwide annual turnover.
What’s here for users? Users-centric reform
- True consent. When users’ consent is used as basis for collecting and using individuals’ personal data, Individuals must give consent to the processing of their data. The rules require “a clear affirmative action establishing a freely given, specific, informed and unambiguous indication”. That means that simply having an opt-out mechanism — for instance, one where users must uncheck a box to indicate that they do not want their data used — will not be accepted as true consent.
- Easy-to-understand agreements, and breach notifications. There will no longer be any fine print on privacy agreements; language must be clear and easy for everyone to understand. Companies must notify individuals if there are serious data breaches that put their right to privacy and data protection at risk. However, it’s not clear how the seriousness of a breach will be determined.
- You retain your current rights. The rights established under the 1995 Directive for users to access their data, to rectify problems, to be forgotten, or to object to the use or collection of the data remain.
- You can take your data with you. Users have gained a new right to data portability. This means that if they wish to switch to a new social platform, for example, they can quickly and easily take their data with them.
- You can object to profiling. Perhaps most importantly in the era of big data, users will now have the right to object to profiling — that is, to object when your information is gathered to be evaluated, analysed, and used to predict your behaviour and make assumptions about you. This practice is an attack on your right to privacy and can be highly discriminatory.
All you wanted for Christmas…
These changes are all born of dire necessity. Europeans have been asking for better data protection and guarantees for the last decade — and not just because of the questions surrounding Safe Harbour. When the EuroBarometer posted the data protection public opinion survey earlier this year, 91% of those surveyed said they would want to be informed if their personal data was lost or stolen, 69% were worried about companies using their data for external purposes, and 74% demanded that companies should have unequivocal explicit consent before collecting any personal data.
Monsters under the bed? The caveats
The issue of data protection is tricky, especially in our fast moving and increasingly digital world. This regulation, although generally positive, still has its flaws.
- Unclear ‘legitimate interests” clause for private sector data collection. Just as the 1995 Directive provided, the regulation lets companies collect users’ personal data for their ‘legitimate interest’ — an umbrella term that creates a significant loophole, since it goes against the concept of users having control over their data.
- Member states could also use data for broadly defined purposes. Member states could infringe users’ rights if there is a ‘national security’, ‘defence’, or ‘public security’ concern. These are sweeping terms that EU legislators have used to make the legislative process opaque.
- Some confusion on age of consent for using online services. One of the last-minute changes to the GDPR concerns when there is no longer a need for parents to give consent before a child can enter data to use online services. It looked as though parents of children under 16 would be required to give consent, but now the age is a range from 13-16, with each member state free to determine the age individually. Leaving this decision up to each and every member state will not achieve the goal of harmonised rules across the EU.
- Lack of clarity on how to apply the rules. The compromise achieved in this regulation lacks ambition in crucial parts of the text. The GDPR allows for more than 30 exceptions where EU countries can decide how to apply the rules.
Final steps and considerations
The Parliament will vote on the regulation in the spring and once it is ratified, the law will directly apply in all EU member states. There will be two years for the non-harmonised provisions to be implemented by all the member states.
In spite of its shortcomings and unprecedented levels of lobbying, the GDPR maintains essential data protection standards across the EU. The previous Directive in 1995 helped provide a standard for developing privacy regimes across the world, and we encourage governments outside the EU to be guided by the user-centric approach of this regulation when they create new binding privacy legislation.