The European Parliament has voted on the biggest shake-up of data protection laws for 20 years.
By Jane Wakefield, Technology reporter
The data protection regulation’s stated aim is to give citizens back control of their personal data as well as simplifying the regulatory environment.
It could mean huge fines for companies that breach the law and pose some complex problems about how they store, delete and return data to citizens.
Here is a quick guide to what is involved.
Why was change needed?
It is a modernisation of data protection laws drawn up in 1995, before mass internet adoption.
Four years in the making, the new laws’ stated aim is to strengthen the rights individuals have over their data and make companies take the issue of data protection far more seriously.
Although much of the legislation stays the same, the new rules offer “significant powers around the edges”, according to Peter Church, a technology expert from law firm Linklaters.
What is the timeframe?
In December, the EU Commission, Parliament and Council of Ministers reached agreement on the General Data Protection Regulation, after months of negotiations, and on Thursday the document went before the European Parliament for a formal vote.
The rules will come into force in the summer. Then, member states will have two years to comply.
What will it mean for companies?
The most significant change will be an increase in the amount of money regulators can fine companies who do not comply with the legislation – up to 4% of their global turnover or 20m euros (£15.8m), whichever is greater.
Having this threat hanging over companies is going to make them shake up the way they deal with data, says Mr Church.
“People will start taking data protection a lot more seriously,” he says. It could also stifle innovative uses of data, with companies concerned about “falling foul of regulation”.
Businesses will also be required to show how they are complying with the legislation.
“A regulator could knock on the door, and companies will have to have the mechanics in place and show the systems that they have to achieve compliance,” says Ruth Boardman, a partner with law firm Bird and Bird.
It also makes it mandatory for large companies to employ a data protection officer.
The legislation is fiendishly complicated, though, and many predict it will take companies and regulators a good while to get their heads around it.
Data breaches, for example, must be reported within 72 hours – a regulation most agree could be extremely hard for businesses to comply with.
The legislation will apply to any company that handles EU citizens’ data, even if that company is not based in Europe.
Will it strengthen consumers’ rights over their data?
It has long been argued consumers often have no idea what happens to their data once they relinquish it to the big technology companies, and it is unclear whether this new set of rules will change that.
Companies will have to be more transparent about how they are using data, but this is likely to translate into even more complex privacy policies that individuals, if they read them at all, may not fully understand.
There are provisions that could increase consumers’ rights over their data, but there are big questions about how they will apply in practice.
For example, the controversial right to be forgotten is being extended beyond web searches to all aspects of online life – so someone could ask Facebook or another social network to delete their profile entirely.
It is unlikely to extend to news articles that people want removed, which are likely to be protected under freedom of expression rules.
Similarly, there is provision in the new regulation for consumers to transfer their data from one service to another.
This could be a massive boon for consumers – allowing them to swap internet or email provider more easily and to shop around for services such as utilities and insurance.
Questions arise though over how companies would actually give data back, in what format and, more crucially, what data the user is considered to have provided.
In the case, for example, of someone wishing to transfer their web email service from Google to Yahoo, “would it apply just to emails that you sent or could you argue that email replies sent to you have, in effect, been provided by you to Google?” asks Ms Boardman.
Or, in the case of someone wanting to transfer their data from one utility or insurance provider to another or even to many, to ensure they get the best deal, “your name and address is probably data you provided, but companies could argue that your gas usage is something that they have collected directly”, says Ms Boardman.
What will change?
Privacy is now big business, with consultants and lawyers lining up to advise companies on how to implement the changes and make sure their policies and procedures are in order.
The need to have more data protection officers could make companies go on a recruitment drive, but whether there are sufficient people to fill such posts is less clear.
Companies could see more legal challenges from individuals and from consumer groups that take up privacy issues on behalf of citizens. They may also see fewer challenges from individual country regulators, because of a “one-stop shop” clause that would put the onus on the regulator in the country where the company is headquartered to pursue legal action.
Regulators are also being given more powers to intervene if they feel another is being too lenient.
“If one regulator is unhappy with how another is dealing with a case, there is a mechanism to get them to toughen up their approach,” says Mr Church.
This could mean regulators take a tougher line on US technology companies such as Google and Facebook.
The legislation is as yet untested, and it remains to be seen whether companies will face more legal challenges over how they handle and process data and whether consumers feel they have wrested back control of their information.