Portfolio blogger

Sunday, January 10, 2016

Both the Council of the EU and the LIBE Committee of the European Parliament accepted the compromise text of the new General Data Protection Regulation which will be formally voted on plenary and then in the Council early 2016 to come into force in 2018.
The compromise text is available here.

Some important issues (based on the first analyses http://www.ashfords.co.uk/the-new-eu-general-data-protection-regulation-is-finally-here/; http://www.natlawreview.com/article/general-eu-data-protection-regulation-bullet-points)

The most publicised change is maybe the formal inclusion of the "right to be forgotten" : that even when processing (mainly in the case of publishing) date was legitimate originally, with time the interest of privacy of the data subject may override the interest of processing (the public to know, for example).
All companies processing data of residents of the EU are subject to the regulation, whether seated in the EU or not.
Some points enhance the responsibility of the controllers (who determine the prupose and means of the data processing and are primarily responsible for it and usually most interested also) and processors (who act on instructions of the controller). The latter are explicitly responsible for their actions and can directly (without instruction of the controller) be instructed by the courts or by the data protection authorities.
Nomination of a data protection officer, stricter rules for consent of the data subjects to processing their data, the risks to the data subjects must be assessed before processing their data - with reasonable limits of proportionality. This risk analysis gives companies the possibility on the other hand to define themselves what security measures are adequate.
The research community noticed with relief that those points which they thought would hinder scientific (mainly medical) research were softened. However, there are restrictions: pseudonymised data remain personal data, for example with the resulting responsibility and rules to be complied with.
The much heralded "one stop shop" - making it easier for the data subjects to complain in case of cross-boarder processing of their data - gave some way to convenience of the authorities but basically stayed in the text.
A compromise was found between the Parliament (who wanted 5% of turnover) and the Council (who wanted 2) about maximum fines: it will be 4%.
Privacy by design is another new concept enshrined in the new regulation.
Transfer of data, possibility to base processing personal data on legitimate interest of the controller and data portability (the possibility of the data subject to request transmitting his/her data to another controller, for example in the case of changing a service provider) is also better defined.

No comments:

Post a Comment