Stricter data privacy rules will come in across the EU in 2018 after MEPs finally agreed them – but what does that mean exactly for you and your private information?
The GDPR, which will apply across the EU and is aimed at creating a high, uniform level of data protection fit for the digital age, includes a ‘right to be forgotten’ as well as the right to know when your personal data has been hacked and replaces rules dating back to 1995 when the internet was still in its infancy.
The new rules are backed up by harsh sanctions, including fines of up to 4pc of a company’s global turnover if it does not comply. So what are the key elements to be aware of?
- A right to be forgotten – an individual right to have your data deleted by a company when you no longer want it to hold that data, or because the consent you gave was for a purpose that no longer applies. This is distinct from the third-party Right to be Forgotten, where individuals can request that outdated or undesirable information about them be removed from search engines, and the provisions are clear that this is about improving personal privacy, not restricting the freedom of the press or erasing past events. Historical and scientific research are also safeguarded. The only caveat is that where “the retention of the data is necessary for the performance of a contract or for compliance with a legal obligation”, such as medical records, the data can be kept for as long as necessary.
- Clear and affirmative consent will be needed before private data is processed and this will require an “active step” such as ticking a box. The Parliament is clear that “silence, pre-ticked boxes or inactivity will thus not constitute consent. In future, it should also be as easy for a person to withdraw consent as to give it.”
- Right to be informed in plain and clear language – MEPs have insisted that the new rules will put an end to “small print” privacy policies and that information should be given in clear and plain language before any data is collected.
- Right to know if your data has been hacked – companies and organisations will have to notify their national data authority as soon as possible so that users can take appropriate measures to protect themselves and their data.
- A right to data portability will make it easier for individuals to transmit personal data between service providers, such as to a new email provider without losing contacts and emails, and this information must be provided in a way that is easy to reuse.
- Clear limits on the use of profiling – new limits where automated processing of personal data is used to “analyse or predict a person’s performance at work, economic situation, location, health, preferences, reliability or behaviour”, including creditworthiness. Under the new regulation, profiling would generally only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract and should comprise a human element, including an expectation of the decision to be reached. MEPs also insisted that profiling should not lead to discrimination or be based solely on sensitive data, such as ethnic origin, political opinions, religion or sexual orientation.
- Easier access to personal data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way.
- Special protection for children – Children below a certain age (for member states to each define between 13 and 16) will need parental consent to open an account on social media sites such as Facebook, Instagram or Snapchat. (This is already the case in most EU countries). They will also have a “clearer right to be forgotten” in case they are put under pressure to share their personal data without fully realising the consequences.
- Privacy as the new norm – data privacy by design and by default are now essential elements of the EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, while privacy-friendly default settings will be the norm on social networks and mobile apps. In future, companies will have to design defaults and products so that as little personal data as possible is collected and processed.
The new laws have been four years in the making and received the highest number of amendments (3,999) ever tabled in the European Parliament.
Due to UK and Ireland’s special status regarding justice and home affairs legislation, the directive’s provisions will only apply in these countries to a limited extent, while Denmark will be able to decide within six months after the final adoption of the directive whether it wants to implement it in its national law.