After several years of prevarication, the EU looks set to approve its raft of data protection measures, having at last agreed on the wording in mid-December. They include strict requirements for data protection compliance and heavy fines for breaches.
Following agreement by negotiators for the European Commission, European Parliament and the Council of the European Union, the laws are likely to be passed this month, and will come into effect in early 2018, according to summaries on www.lexology.com.
There are two strands to the legislation: the GDPR (General Data Protection Regulation), which governs the general use and privacy of EU citizens' data, and the Data Protection Directive, which governs its use by law enforcement. The laws cover all EU Member States and affect all companies which are active in the EU market and offer their products and services to EU citizens. Offending companies could face fines as high as four percent of worldwide annual turnover.
Key sections in the new laws include the expansion of liability to cover data processors as well as data controllers; extension of the 'Right to Be Forgotten' (removing data which is deemed irrelevant or outdated, and including the right of a consumer to stop a marketing company from profiling them); strengthening of requirements to give consent; establishment of a Centralized Supervisory Authority within each EU Member State; and the need for any public authority which processes data, and any company whose core activity consists of processing, to employ a data protection officer.
All articles 2006-21 written and edited by Mel Crowther and/or Nick Thomas unless otherwise stated.