Fresh Data Blog
Data Privacy Series #1: New EU Data Protection Regulation
Date: April 2013
Europe is in the process of muddying the waters, and this time the current will flow across
the Atlantic with even more force. Brussels has been negotiating a new data
protection law. This time it has very big teeth and a very long reach.
statute, the General Data Protection Regulation (GDPR) will fundamentally
change the data protection legal environment in Europe, and possibly much of
changes are numerous and far-reaching, Data Services will present our readers
with a series of reports on the new law, appearing in subsequent issues of Fresh Data News, starting with a general
overview and proceeding to more detailed discussions of the implications for
is ample time to begin to get used to the statute because negotiations continue
and there remain several disagreements that will take time to resolve. However,
experienced observers of the Brussels scene are tending to accept the European
Commission's prediction that Parliament will adopt the statute sometime in
2014. In addition, the statute by its terms contains a two-year implementation
term, meaning it would not go into effect until sometime in 2016.
Second, and a fundamental change with profound consequences, this law is a
"regulation". In European terms this means that each Member State has
to implement this law and be guided by its terms. No longer can each country
formulate its own definition of fundamental privacy terms or develop completely
different punishments and regulatory systems. The definitions of legal terms in
the regulation will be in force throughout Europe. In addition, the statute
sets out penalties for violations which will be uniform throughout Europe. Some
of those penalties are unusually severe, and we will discuss and detail those
more thoroughly in our next article.
Third, and a corollary to this new data protection regime where there is one single set of
rules for the entire continent, there will be one single data protection
authority in each country with identical rules to enforce and penalties to
impose. There will be better uniformity of interpretation since there will now
be a European Data Protection Board with authority to coordinate the data
protection authorities in each country. No longer will there be differences
among countries on subjects such as the availability/legality of using the
phone book as a source of personal information to use in marketing.
one of the most radical of changes, the statute extends the scope of the EU
data protection law to cover all companies that process the data of EU residents
no matter where in the world said processing takes place. In addition to
harmonizing the data protection regulations throughout the European Union, it
extends the jurisdiction of those rules to wherever in the world European data
is processed. However, the harmonization of the regulations throughout the
continent should make life significantly easier for all data processors, not just
for European companies.
In short, the law will, at least in theory, also apply to organizations based outside Europe
that process the personal data of residents of Europe. The good news is that
companies will not have to guess which country's interpretation it will accept.
with the current Directive, companies must register with a data protection
authority and be subject to its jurisdiction, but they will no longer be
required to do this in every member state in which they do business. This will
be true for foreign companies as well, relieving a major headache and
unnecessary bureaucratic obstacle to efficient business. It will not matter
where one registers, although presumably a European company would register in
its headquarters country and a foreign company might choose to register in the
market/country where it does the most business.
other important changes made by this new Regulation, including clarity on the
question of what constitutes consent, what procedures must be followed and when
in the event of a data breach, the size of fines and how they are set, data
portability, the right to be forgotten, and other new terms. We will address
these in the next few issues of Fresh Data News, so stay tuned.