Stronger data protection rules for Europe

More than 90% of Europeans are concerned about mobile apps collecting their data without their consent. Today, an important step was taken to finalize EU data protection rules to help restore that confidence.

Ministers in the Council reached a General Approach on the new data protection rules, confirming the approach taken in the Commission’s proposal back in 2012. The proposed rules received the backing of the European Parliament in March 2014.

How do EU data protection rules contribute to boosting the Digital Single Market?

Completing the Digital Single Market is one of the top priorities of the European Commission. The internet and digital technologies are transforming our world. But existing barriers online mean citizens miss out on goods and services, internet companies and start-ups have their horizons limited, and businesses and governments cannot fully benefit from digital tools.

With a fully functioning Digital Single Market, we can create up to €415 billion in additional growth, hundreds of thousands of new jobs, and a vibrant knowledge-based society (see IP/15/4919).

But if citizens do not trust online services, they will not benefit from all the opportunities presented by technology. Confidence is paramount, but it is still far from a reality.

Data protection reform will address this lack of trust. It will strengthen citizen’s rights such as the right to be forgotten, the right to data portability and the right to be informed of personal data breaches. The reform gives national regulators enforcement powers to ensure that these new rules are properly applied. They will be able to impose fines of up to 2% of a company’s annual worldwide turnover.

What are the main benefits of the EU Data Protection Reform?

The European Commission’s proposals for a comprehensive reform of the EU’s 1995 Data Protection Directive aim to strengthen privacy rights and boost Europe’s digital economy. The Commission’s proposals update and modernise the principles enshrined in the 1995 Directive, bringing them into the digital age and building on the high level of data protection which has been in place in Europe since 1995. A clear definition of personal data will be established in the regulation to ensure harmonised implementation of the rules across the EU. The legislation is technologically neutral: this means that it will not go out of date, enabling innovation to continue to thrive under the new rules.

What are the main benefits for citizens?

The data protection reform will strengthen citizens’ rights and thereby help restore trust. Nine out of ten Europeans say they are concerned about mobile apps collecting their data without their consent; seven out of ten are concerned about the potential use that companies may make of the information disclosed.

The new rules will put citizens back in control of their data, notably through:

• A right to be forgotten: When you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press (see section on right to be forgotten for more details).
• Easier access to your own data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. Moreover, a right to data portability will make it easier for you to transfer your personal data between service providers.
• The right to know when your data has been hacked: For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours) so that users can take appropriate measures.
• Data protection first, not an afterthought: ‘Data protection by design’ and ‘Data protection by default’ will also become essential principles in EU data protection rules – this means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm – for example on social networks or mobile apps.

What are the benefits for businesses?

Data is the currency of today’s digital economy. Collected, analysed and moved across the globe, personal data has acquired enormous economic significance. According to some estimates, the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020. Strengthening Europe’s high standards of data protection is a business opportunity.

The European Commission’s data protection reform will help the digital single market realise this potential, notably through four main innovations:

• One continent, one law: The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at €2.3 billion per year.
• One-stop-shop: The Regulation will establish a ‘one-stop-shop’ for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU; and easier, swifter and more efficient for citizens to get their personal data protected.
• The same rules for all companies – regardless of where they are established: Today European companies have to adhere to stricter standards than companies established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules. We are creating a level-playing field. Moreover rules for international transfers of data are streamlined, through simplified approval of binding corporate rules. This will foster international trade while ensuring continuity of protection for personal data.
• European regulators will be equipped with strong enforcement powers: data protection authorities will be able to fine companies who do not comply with EU rules up to 2% of their global annual turnover. The European Parliament has even proposed to raise the possible sanctions to 5%.

What are the benefits for SMEs?

The data protection reform is geared towards stimulating economic growth by cutting costs and red tape for European business, especially for small and medium enterprises (SMEs). First, by having one rule instead of 28, the EU’s data protection reform will help SMEs break into new markets. Second, the Commission has proposed to exempt SMEs from several provisions of the Data Protection Regulation – whereas today’s 1995 Data Protection Directive applies to all European companies, regardless of their size. Under the new rules, SMEs will benefit from four reductions in red tape:

• Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
• No more notifications: Notifications to supervisory authorities are a formality and red tape that represents a cost for business of €130 million every year. The reform will scrap these entirely.
• Every penny counts: Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
• Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a specific risk.

The rules will also be flexible. The EU rules will adequately and correctly take into account risk. In a number of cases, the obligations of data controllers and processors are calibrated to the size of the business and to the nature of the data being processed.

What is the “consistency mechanism” proposed in the EU data protection reform?

Within a single market for data, identical rules on paper will not be enough. We have to ensure that the rules are interpreted and applied in the same way everywhere. That is why our reform introduces a consistency mechanism to streamline cooperation between the data protection authorities on issues with implications for all of Europe.

What is the one-stop shop and how does it work?

At present, a company processing data in the EU has to deal with 28 national laws and with even more national and local regulators.

For businesses

The regulation will create a regulatory “one-stop shop” for business: companies will only have to deal with one supervisory authority, not 28.

The flaws of the present system were illustrated in the Google Street View case. The actions of a single company affected individuals in several Member States in the same way. Yet they prompted uncoordinated and divergent responses from national data protection authorities.

The one-stop shop will ensure legal certainty for businesses operating throughout the EU and bring benefits for individuals and data protection authorities.

Businesses will profit from faster decisions, from one single interlocutor (eliminating multiple contact points), and from less red tape. They will benefit from consistency of decisions where the same processing activity takes place in several Member States.

For citizens

With the new rules, individuals will always be able to go to their local data protection authority. The aim is to improve the current system in which individuals living in one Member State have to lodge a complaint with a data protection authority of another Member State, where the company is based. At the moment, when a business is established in one Member State, only the Data Protection Authority of that Member State is competent, even if the business is processing data across Europe.

This makes it simpler for citizens – who will only have to deal with the data protection authority in their member state, in their own language. The proposal gives citizens the right to take a company processing their data to court in their home Member State. Everyone therefore have a right of administrative and judicial redress.