After political agreement was reached last December, linguists and legal experts have finally completed the final version of the 261-page Regulation on data protection. This is the culmination of years of negotiations and lobbying. In an attempt to keep up with the initial deadline for final adoption of the text, the Council adopted its position via an extremely short written procedure, which ended on 8 April.
The new regulation’s objective is to remove obstacles to the flow of personal data in the EU, while ensuring a higher level of data protection for European citizens.
This may very well affect readers of this newsletter and I would suggest that they seek advice on what it means for them in practice. For instance, many organisations will likely need a Data Protection Officer (DPO). If the main activities of your organisation involve “systematic monitoring of data subjects on a larger scale”, or large-scale processing of ‘special categories’ of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data, health or sex life, or sexual orientation), then you will be required to have a DPO.
More generally, the new regulation introduces the following measures:
– more specific rules allowing data controllers (those responsible for the processing of data) to process personal data, including through the requirement for the consent of the individuals concerned.
– easier access for individuals to their personal data.
– a right to erase personal data and “to be forgotten”.
– a right to portability, facilitating the transmission of personal data from one service provider to another.
– a right to object to the processing of personal data relating to the public interest or to legitimate interests of a controller. This right covers the use of personal data for the purposes of ‘profiling’.
– common safeguards covering the processing of personal data for archiving purposes where that is in the public interest and for scientific and historical research or statistical purposes.
A very good analysis of the concrete effects of the changes can be found here. These include: “Managers, data protection officers, heads of IT and other staff responsible for data protection within a company must be careful. Those in senior positions who do not comply with the new rules face fines of up to EUR 20 million. In addition, they could be personally liable if the company is forced to pay fines or damages due to their own errors. The dramatic increase in risks means individuals should be aware that, in future, acts of negligence could very quickly cost them their jobs.”
The implementation phase has now begun: organisations and companies concerned have 2 years to prepare for the entry into force of the new Regulation in the second quarter of 2018.