EU Agrees on Data Protection Rule RebootDraft Law Mandates EU-Wide Breach Notifications, Stronger Privacy Protections
Europe looks set to pass sweeping new data privacy rules.
On Dec. 15, after extensive negotiations, representatives of the European Parliament and European Council agreed on a new draft of the General Data Protection Regulation, which would give Europeans greater control over how their personal details get used by organizations and businesses. The new measures would also grant privacy regulators stronger enforcement powers, clarify existing rules relating to the right to be forgotten and impose mandatory data breach notifications on organizations, allowing people to learn when their personal information has been exposed (see EU Prepares Tough Breach Notification Law).
On Dec. 17, members of the European Parliament's Civil Liberties, Justice and Home Affairs Committee also backed the proposed measure, meaning it now goes to the full European Parliament, which is expected to vote in March or April on whether the draft legislation should become law. If passed, the regulation would come into effect after two years.
Reaching this agreement before the end of this year was a stated goal of Luxembourg's Jean-Claude Juncker, the current head of the European Commission, which is the EU's executive arm. It is responsible for managing the EU's day-to-day business, proposing legislation and implementing related decisions.
New Rules: Two Parts
This week's draft data-protection rule agreement includes two parts:
- General Data Protection Regulation: This contains rules that would apply, EU-wide, relating to consumer data protection and privacy.
- Data Protection Directive: This mostly applies to law enforcement agencies and the part of the judiciary that handles crime and crime prevention, and relates to ensuring that information relating to victims, witnesses and suspects is properly protected.
The new General Data Protection Regulation would replace the 1995 General Data Protection Directive, and the shift from directive to regulation is a crucial difference. Directives are legislative goals that each country interprets by enacting its own laws. By comparison, a regulation is a binding legislative act that must be applied, in its entirely, across the EU.
In theory, that means that the new data-protection law - including its protections for individuals - will now apply equally across the 28 EU member states. But some civil and privacy rights advocates say that there are a number of exemptions in the regulation, and in some cases also awkwardly worded passages that are not entirely clear, and which appear to be the result of compromise deals designed to finally get the legislation passed, after years of related negotiations. As a result, it's not clear how uniformly the regulations will apply across Europe, or the exact cybersecurity requirements or cost repercussions facing businesses.
Regulators Can Impose Large Fines
What is clear, however, is that the new regulations will give countries' data protection regulators stronger tools for deterring and punishing privacy violations. Notably, organizations that violate the privacy rules would face fines of up to 4 percent of their annual gross income. Many organizations would also be required to hire qualified data protection officers.
For the first time, the regulations would also bring into effect data breach notification rules that cover all business and industry sectors in Europe. Under the EU's current ePrivacy Directive, only telecom operators must currently alert authorities when they suffer a data breach. But under the new rules, "companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures," according to the European Commission. And any failure to comply with those rules could trigger the aforementioned fine.
The reaction from business lobbies, privacy watchers and many others has been guarded. In part, that's because many experts are still untangling exactly what is contained - or implied - in the 91 different articles that comprise the legislation, which fills 200 pages. It's also not clear how or if the new regulations will affect the Safe Harbor policy discussions currently underway between the United States and the EU (see EU Court Invalidates U.S.-EU Data Sharing Agreement).
Stronger Consumer Protection
Broadly speaking, the new General Data Protection Regulation will give individuals more control over their personal information, as well as greater rights when it comes to seeking redress for any misuse of that information.
Some of the new rights conferred on people in Europe - a.k.a. "data subjects" - include people's ability to demand that all of their PII gets erased when they leave a service, as well as to take away in an easily readable format any information they have provided, when they switch service providers. Such information also includes both IP addresses and location data. People can also object to any attempts to profile them for direct-marketing purposes.
"For the first time, a law is trying to put extensive limits around the pervasive generation of data that happens now by default," Eduardo Ustaran, a privacy lawyer for Hogan Lovells who works with U.S. tech firms, tells The Wall Street Journal. "Because business in general is becoming more data-dependent, every business will be affected."
Business Lobby's Reaction
The Confederation of British Industry, which represents 190,000 large and small businesses, has criticized the new rules, saying they will impose unnecessary costs on businesses that handle private data relating to customers or consumers. "This new legislation could hamper that with unnecessary administrative burdens and costs, like mandatory data protection officers, placed on firms of all sectors and size," says Matthew Fell, CBI's interim chief policy director. "Businesses now need clarity from policymakers and regulators on what actually applies to their business so that they can mitigate the burden and cost of compliance as quickly and effectively as possible."
Similarly, Digital Europe - which represents such technology firms as Apple, Google and Microsoft - warned that the new rules "[failed] to strike the proper balance between protecting citizens' fundamental rights to privacy and the ability for businesses in Europe to become more competitive."
But the EU says that the new rules should save businesses money. Notably, officials say the new rules will scrap some now-mandatory notifications to data privacy regulators, and exempt small-and-medium businesses from having to appoint a data protection officer, provided data processing is not one of their core business activities. Likewise, SMEs would be exempted from having to conduct impact assessments - unless they're in a high-risk sector - and gain the ability to charge for any data access that are "manifestly unfounded or excessive."
Furthermore, some European officials have stressed the competitive upsides for organizations that handle PII while keeping it secure.
"ENISA welcomes the new General Data Protection Regulation, which gives greater role and enforcement powers to national competent authorities and reinforces the EU citizens' right to data protection," says Udo Helmbrecht, executive director of ENISA, the EU's cybersecurity agency. "An important element of this agreement, often underestimated, is its potential to provide a competitive advantage to EU industry by adopting privacy and data protection as its core value."
Meanwhile, civil rights group Privacy International has called the new laws "okay, but a tremendous missed opportunity." In part, that's because the new rules will not apply "to state security, i.e. surveillance practices, or to the EU institutions themselves" (see Europe Seeks More Mass Surveillance).
It's also questioned why the Data Protection Directive - which focuses only on law enforcement agencies and judiciaries - isn't a regulation, since each individual EU member state will get to interpret the rule as it sees fit, potentially resulting in 28 different interpretations. It also alleges that the directive doesn't grant data protection regulators sufficient oversight of how law enforcement agencies handle people's personal information, and doesn't have sufficient safeguards governing how "highly sensitive data" gets shared with outside countries that lack EU privacy safeguards.
But EU officials have said the new directive "respects the different legal traditions in member states and is fully in line with the Charter of Fundamental Rights," which enshrines Europeans' civil, political and social rights.
The EU Parliament's Civil Liberties, Justice and Home Affairs Committee also says that the new rules will "ensure smooth police cooperation in the EU," and that it complements the information-sharing agreement reached earlier this month by the association of European police agencies - known as Europol - and the EU's border agency, known as Frontex.