Fact of the Week: New EU Data Protection law is now reality!

This week, after more than four years of negotiations, the European Union finally adopted the new legislation on data protection. The European Parliament’s plenary gave its final approval on Thursday 14 April in Strasbourg. The new General Data Protection Regulation (GDPR) could give people more control over their personal information. On the one hand, the GDPR is expected to give people back control over their personal data; on the other hand, it means that companies could face high fines for breaching the new law.

The new Regulation will replace the old and obsolete Data Protection Directive of 1995. It is expected to make data handling easier for companies operating within the European Union, as it provides a fully harmonized, single set of rules. "The regulation will create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition", declared Member of the European Parliament Mr. Jan Philipp Albrecht (Greens, DE), who steered the legislation through Parliament.

The new rules include provisions on:

  • a right to be forgotten,
  • "clear and affirmative consent" to the processing of private data by the person concerned,
  • a right to transfer your data to another service provider,
  • the right to know when your data has been hacked,
  • ensuring that privacy policies are explained in clear and understandable language, and
  • stronger enforcement and fines up to 4% of firms' total worldwide annual turnover, as a deterrent to breaking the rules.

However, many concerns remain, especially from the business side, as companies violating the GDPR will face very high fines. In fact, for most industry associations, 4% is an excessive rate, since it could effectively destroy a business. The Data Protection Regulation will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all EU Member States two years after this date, in order to give companies time to adapt their business practices.