EU Parliament approves new data protection rules

The EU’s MPs have given their final approvals to new EU data protection rules, which aim to give citizens back control of their personal data and create a high, uniform level of data protection across the EU fit for the digital era. The reform also sets minimum standards on use of data for policing and judicial purposes.

Parliament’s vote ends more than four years of work on a complete overhaul of EU data protection rules. The reform will replace the current data protection directive, dating back to 1995 when the internet was still in its infancy, with a general regulation designed to give citizens more control over their own private information in a digitised world of smartphones, social media, internet banking and global transfers.

Making a uniform level of data protection throughout the EU a reality

“The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European ‘yes’ to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share”, said Jan Philipp Albrecht (Greens, DE), who steered the legislation through Parliament.

“The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition”, he added.

EU firms need to re-evaluate cybersecurity risks

Commenting on approval, Mark Thompson, Privacy Lead in KPMG’s cybersecurity practice, said: “It has been a long time coming; with more suggested amendments than any other EU regulation, we are finally there. The EU has finally herded the cats up the hill, which sends a firm message to businesses that privacy is at the forefront of the EU’s mind, and organisations need to take action to address their privacy risks.

“The approach of the GDPR provides a risk based application of a “one size fits all” set of rules across the EU and recognises the different levels of privacy risk associated with SMEs and large global organisations. Privacy will be catapulted up the list of global organisations’ enterprise risks, requiring them to re-evaluate take action.

Non-EU businesses trade in the EU affected

Thompson continued: “For non-EU businesses that trade in the EU, this agreement will require some to re-think some of the activities they carry out in the EU. This makes it much harder to operate certain “global” services and will require them to truly put an EU lens on the business activities which are undertaken in the EU market. It’s clear that by the time the regulation comes into play in 2018, for a number of organisations, there will be a lot of work to do.”

The regulation will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years after this date.

Edited from press release by Cecilia Rehn.