News - Fresh Data Archive Article


Data Privacy Series #1: New EU Data Protection Regulation

Date: April 2013

Europe is in the process of muddying the waters, and this time the current will flow across the Atlantic with even more force. Brussels has been negotiating a new data protection law. This time it has very big teeth and a very long reach.

This new statute, the General Data Protection Regulation (GDPR), will fundamentally change the data protection legal environment in Europe, and possibly much of the world.

Because the changes are numerous and far-reaching, Data Services will present our readers with a series of reports on the new law, appearing in subsequent issues of Fresh Data News, starting with a general overview and proceeding to more detailed discussions of the implications for data-focused marketing.

First, there is ample time to begin to get used to the statute because negotiations continue and there remain several disagreements that will take time to resolve. However, experienced observers of the Brussels scene are tending to accept the European Commission's prediction that Parliament will adopt the statute sometime in 2014. In addition, the statute by its terms contains a two-year implementation term, meaning it would not go into effect until sometime in 2016.

Second, and a fundamental change with profound consequences, this law is a "regulation". In European terms this means that each Member State has to implement this law and be guided by its terms. No longer can each country formulate its own definition of fundamental privacy terms or develop completely different punishments and regulatory systems. The definitions of legal terms in the regulation will be in force throughout Europe. In addition, the statute sets out penalties for violations which will be uniform throughout Europe. Some of those penalties are unusually severe, and we will discuss and detail those more thoroughly in our next article.

Third, and a corollary to this new data protection regime where there is one single set of rules for the entire continent, there will be one single data protection authority in each country with identical rules to enforce and penalties to impose. There will be better uniformity of interpretation since there will now be a European Data Protection Board with authority to coordinate the data protection authorities in each country. No longer will there be differences among countries on subjects such as the availability/legality of using the phone book as a source of personal information to use in marketing.

Fourth, and one of the most radical of changes, the statute extends the scope of the EU data protection law to cover all companies that process the data of EU residents, no matter where in the world said processing takes place. In addition to harmonizing the data protection regulations throughout the European Union, it extends the jurisdiction of those rules to wherever in the world European data is processed. However, the harmonization of the regulations throughout the continent should make life significantly easier for all data processors, not just for European companies.

In short, the law will, at least in theory, also apply to organizations based outside Europe who process the personal data of residents of Europe. The good news is companies will not have to guess which country's interpretation it will accept.

Fifth, as with the current Directive, companies must register with a data protection authority and be subject to its jurisdiction, but they will no longer be required to do this in every member state in which they do business. This will be true for foreign companies as well, relieving a major headache and unnecessary bureaucratic obstacle to efficient business. It will not matter where one registers, although presumably a European company would register in its headquarters country and a foreign company might choose to register in the market/country where it does the most business.

There are other important changes made by this new Regulation, including clarity on the question of what constitutes consent, what procedures must be followed and when in the event of a data breach, the size of fines and how they are set, data portability, the right to be forgotten, and other new terms. We will address these in the next few issues of Fresh Data News, so stay tuned.