One continent, one law: data protection in Europe
- Data transfers to non-EU countries – In direct response to the data surveillance activities revealed earlier this year, should a third country request that a company disclose personal information, the firm will have to seek authorisation from its national data protection authority before transferring the data, as well as inform the individual(s)
- Data Protection Officers – It will become mandatory for companies with more than 5,000 client contacts per year to appoint a Data Protection Officer
- Right to erasure – Individuals will be able to request that data controllers erase personal information – and firms will also have to forward this request on to other organisations where data are replicated
- Explicit consent – Where processing is based on explicit consent, organisations will have to obtain clear permission from the data subject (who can withdraw their consent at any time) before processing personal information
- Profiling – Profiling will only be allowed subject to a person’s consent, when provided by law or when needed to pursue a contract
- Sanctions – Fines of up to €100m or 5% of annual worldwide turnover (whichever is greater) will be levied against companies found in breach of data protection rules
A breakthrough for European data protection
Satisfying the requirements of 28 member states has meant that it’s been a long road to even reach this point, and although critics have pointed out that vague wording could cause loopholes, the progress has been championed in the European Parliament as a “breakthrough” and a ‘clear signal [that] data protection is made in Europe’.
The strength of this support must galvanise organisations in the UK, and the rest of Europe, to engage directly with the data protection reform. Thanks to its extensive aims, the impacts of the reform will be far-reaching, meaning that every organisation will have to be aware of what will, or won’t, change for them.