BreachExchange mailing list archives

Europe Finally Agrees Tough New Data Protection Rules


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 16 Dec 2015 18:29:42 -0600

http://techcrunch.com/2015/12/16/gdpr-agreed/

Late yesterday European institutions finally agreed
<http://europa.eu/rapid/press-release_IP-15-6321_en.htm> the text of new
data protection rules (GDPR), more than three years after new regulation
was proposed
<http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf>.
The 28 Member States of the European Union will have two years to transpose
the provisions of the GDPR into their national laws, with the regulation
set to come into force from 2018.

There are still a few more stages in the process — although the Parliament,
Council and Commission agreed the text yesterday there’s a further
confirmation vote tomorrow by the Civil Liberties Committee, and another
vote by the European Parliament as a whole in the new year — but the
Commission’s aim of finalizing data protection reform in 2015 has been met.

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality,
dubbed the rules “clear” and “fit for the digital age”. The current
European data protection directive was adopted back in 1995 so updating the
bloc’s rules to keep pace with seismic shifts in technology is the
overarching aim here, along with a parallel push to harmonize regulations
across the region with the goal of creating a so-called “Digital Single
Market” to simplify operations for businesses selling services in Europe.

Commenting on the agreement in a statement, Andrus Ansip, VP for the
Digital Single Market, argued the GDPR will “remove barriers and unlock
opportunities”. He also tacitly rebutted critics of the new rules. Brussels
has been host to a small army of lobbyists during the data protection
directive negotiation process, with the U.S. government
<http://techcrunch.com/2013/01/18/us-government-still-leaning-on-europe-to-dilute-data-protection-reform-proposals/>
and tech giants such as Facebook
<http://techcrunch.com/2012/11/09/facebook-lobbying-europe-on-unreasonable-and-unrealistic-privacy-law-reform-but-ec-commissioner-doesnt-sound-like-shes-for-turning/>
and Google actively seeking to water down proposals.

“The digital future of Europe can only be built on trust. With solid common
standards for data protection, people can be sure they are in control of
their personal information. And they can enjoy all the services and
opportunities of a Digital Single Market. We should not see privacy and
data protection as holding back economic activities. They are, in fact, an
essential competitive advantage,” said Ansip.

“Today’s agreement builds a strong basis to help Europe develop innovative
digital services. Our next step is now to remove unjustified barriers which
limit cross-border data flow: local practice and sometimes national law,
limiting storage and processing of certain data outside national territory.
So let us move ahead and build an open and thriving data economy in the EU
— based on the highest data protection standards and without unjustified
barriers,” he added.

Dropping like a nuclear bomb into the midst of the data protection reform
discussions were the 2013 Snowden
<http://techcrunch.com/topic/person/edward-snowden/> disclosures, which
revealed the extent of U.S. government mass surveillance programs and
detailed how intelligence agencies were tapping directly into consumer data
held by commercial firms like Facebook. The fallout from those revelations
acted as a counterweight to high level U.S. lobbying against strengthening
privacy protections.

The Snowden disclosures also played a key role in convincing the European
Court of Justice to strike down the fifteen year old Safe Harbor
<http://techcrunch.com/2015/10/06/europes-top-court-strikes-down-safe-harbor-data-transfer-agreement-with-u-s/>
transatlantic data transfer agreement this fall. EC officials are
currently engaged in negotiations with their U.S. counterparts to try to
hammer out a new deal, with a deadline set for the end of January 2016
<http://techcrunch.com/2015/11/06/safe-harbor-2-talks-deadline/>. If you’re
interested in geopolitical data protection politics these have been very
interesting days indeed.

That’s the backstory, but what’s incoming in the new GDPR? It’s worth
noting that the full text has not yet been published (Update: it has now
been published here
<http://www.haerting.de/sites/default/files/pdfs/proposal-eudatap-regulation-final-compromise-151216.pdf>),
but the general thrust is billed as strengthening individuals’ data
protection rights, giving Europeans a greater say in how their data is used,
as well as seeking to streamline some elements of compliance for businesses.

The new rules will apply to any companies who have customers in the region
regardless of whether the company itself is based outside Europe.

Some key provisions in the GDPR include:

   - fines of up to 4 per cent of a company’s global turnover for breaching
   data protection rules — which for big tech companies like Google could
   result in fines that run to billions of dollars
   - liability for data breaches extending to any data processors a data
   controller also uses — so also applying to any third party entities
   involved in processing data to provide a particular service, with plenty of
   implications for cloud-based business models
   - enshrining a so-called ‘right to be forgotten
   <http://techcrunch.com/tag/right-to-be-forgotten/>’ in law, so when an
   individual no longer wants their data to be processed by a company, and
   “provided that there are no legitimate grounds for retaining it”, the
   data must be deleted. Huge implications for digital marketing
   - a requirement for companies to appoint a data protection officer if
   they process sensitive data on a large scale or collect info on many
   consumers, with an exemption for SMEs if data processing is not their core
   business activity
   - a requirement for companies and organizations to notify the
   relevant national supervisory authority of serious data breaches as soon as
   possible
   - parental consent required for children to use social media, with the
   specific age within a 13 to 16 year old bracket to be set by individual
   Member States
   - a one-stop-shop single supervisory authority for data protection
   complaints aimed at streamlining compliance for businesses
   - a right to data portability for individuals to enable them to more
   easily transfer their personal data between services

Commenting in a statement, Green MEP Jan Philipp Albrecht, who led the
European Parliament’s negotiations, said: “The regulation returns control
over citizens’ personal data to citizens. Companies will not be allowed to
divulge information that they have received for a particular purpose
without the permission of the person concerned. Consumers will have to give
their explicit consent to the use of their data.”

As with any new law, the devil will be in the interpretative detail around
specific clauses and exemptions. And with 28 Member States all needing to
interpret and transpose the regulation into their own national law there is
inevitably going to be variation in how the GDPR is applied across the
region. So one thing is certain: lawyers won’t be short of work
as businesses seek to understand how they are affected and what they need
to do to ensure compliance — and avoid the risk of a big fine.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
