New rules which will regulate data protection in Europe have recently received the blessing of the European Parliament. After more than four years of negotiations among the EU institutions, European citizens will finally benefit from stronger harmonised rules ensuring a high level of data protection across Europe.

The new data protection package is made up of two legislative measures: a regulation on personal data processing in the EU and a directive on data processed by the police and judicial authorities.

The regulation will replace an outdated 1995 directive, drafted at a time when the internet was still at its inception. It aims at giving Europe’s citizens more control over their own private information in a world where digitisation is the rule of the day.

The data protection directive regulates data processing by the police and the criminal justice sector. It aims to ensure that the data of victims, witnesses, and crime suspects is protected in criminal investigations and law enforcement actions.

The new rules give individuals greater control over their personal data in a number of ways. Any person will have the right to be ‘forgotten’, that is, to have his or her personal data erased when he or she no longer wants the data to be processed. If a person asks an internet company to erase his/her data, the company will be obliged to forward the request to any others that replicate the data.

There could be some restrictions to this right, such as when the data is needed for historical, statistical and scientific purposes, for public health reasons or to exercise the right to freedom of expression. The right to be forgotten will also not apply when the retention of personal data is necessary to fulfil a contract or is required by law.

In terms of the new rules, the data subject will have to give clear and affirmative consent to the processing of his or her private data. This means that the individual will be required to take an active step, such as ticking a box when visiting a website, clearly indicating acceptance of the proposed processing of the personal data.

Silence, pre-ticked boxes or inactivity will no longer signify consent. ‘Small print’ privacy policies will also become a thing of the past and information must be given in clear and plain language before the data is collected.

Any person will have the right to ‘data portability’. This will make it easier for individuals to switch their personal data between service providers. Therefore, any user will be able to switch from one e-mail provider to another without losing contacts or previous e-mails.


Companies and organisations will be obliged to notify the national supervisory authority of serious data breaches in their systems as soon as possible. Users will, therefore, be able to take immediate appropriate measures whenever such systems are hacked.

The new rules set limits to the use of ‘profiling’. This is a technique used to analyse or predict a person’s performance at work, economic situation, location, health, preferences, reliability or behaviour based on the automated processing of his/her personal data. Profiling will, as a general rule, only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract.

Furthermore, profiling cannot be based solely on automated processing and must entail an element of human assessment. The procedure by which some credit institutions evaluate a client’s creditworthiness when the client applies for a loan might therefore need to be revamped.

Firms are obliged to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers. Firms whose core business activities do not involve data processing will, however, be exempt from this obligation.

Firms established outside Europe which offer goods or services on the EU market will be obliged to observe the same rules as companies established in Europe. This will ensure a level playing field for all businesses which handle the data of European citizens.

The data protection directive, enacted together with the regulation, protects individuals, be they victims, perpetrators or witnesses, whose data is processed for the purpose of prevention, investigation, detection or prosecution of criminal offences.

All law enforcement processing undertaken in the EU must comply with the principles of necessity, proportionality and legality, with appropriate safeguards for the individuals. The rules will apply both domestically, within member states, and across borders within the EU. The directive also puts in place a strong legislative framework which regulates the transfer of personal data to third countries and international organisations in order to ensure that any such transfers take place with an adequate level of data protection.

The current patchwork of national laws dealing with data protection has finally been replaced with a harmonised law which caters specifically for data movement in a digitised world. Ensuring that an individual has full control over his personal data is of the utmost importance in a day and age when data passed on to one company for a specific purpose can, in the blink of an eye, thanks to the technological means available, be found in the possession of another.

mariosa@vellacardona.com

Mariosa Vella Cardona is a freelance legal consultant specialising in European law, competition law, consumer law and intellectual property law.
