
EU data protection reform: General Data Protection Regulation

The new EU privacy law in short

The new EU privacy law in-depth


In January (2016), the European Union released a draft of the new
European Data Protection Regulation which will replace the current
centrepiece of existing EU legislation on personal data protection,
Directive 95/46/EC.
On May 4th, 2016, the General Data Protection Regulation (GDPR)
was published in the Official Journal of the European Union.
As is the case with EU Regulations, the GDPR will come into force for the
entire territory of the Union within 20 days, that is to say, May 25th, 2016;
however, due to its two-year implementation period it will not be
applicable until May 25th, 2018.


The new Regulation is a milestone in the field of data protection and will
serve the purpose of strengthening the existing rights and empowering
individuals with more control over their personal data, as well as
creating business opportunities and encouraging innovation.
The reform at hand is based on Article 16 of the Treaty on the Functioning
of the European Union (TFEU) which allows the adoption of rules relating
to the protection of individuals with regard to the processing of personal
data by Member States when carrying out activities which fall within the
scope of Union law.
It also allows the adoption of rules relating to the free movement of
personal data, including personal data processed by Member States or
private parties.

The reform consists of two legislative instruments:


The General Data Protection Regulation with regard to the
processing of personal data and on the free movement of such data
(which is the one that we, as businesses and consumers, are mostly
interested in).
The Data Protection Directive for the police and criminal
justice sector will ensure that the data of victims, witnesses, and
suspects of crimes, are duly protected in the context of a criminal
investigation or a law enforcement action. At the same time more
harmonised laws will also facilitate cross-border cooperation of police
or prosecutors to combat crime and terrorism more effectively across
Europe.

1. The General Data Protection Regulation


First and foremost, it's important to understand that this will be a
regulation, not a directive like the previous Directive 95/46/EC. These two
terms are often used interchangeably, but they actually have very different
meanings: in fact, a directive is legislatively implemented by individual
countries whereas a regulation, once adopted, becomes immediately
enforceable as law in all member states simultaneously.
Strengthening of individuals' rights
The regulation will concern both users and businesses. In fact, on one hand
the new rules serve the purpose of strengthening the existing rights and
empowering individuals with more control over their personal data. In
particular, these include:
1. easier access to your own data: individuals will have more
information on how their data is processed and this information
should be available in a clear and understandable way;
2. a right to data portability: it will be easier to transfer your
personal data between service providers;
3. a clarified "right to be forgotten": when you no longer want your
data to be processed, and provided that there are no legitimate
grounds for retaining it, the data will be deleted;
4. processing of personal data of a child: introduction of
conditions for the lawfulness of the processing of personal data of
children in relation to information society services offered directly to
them;
5. the right to know when your data has been hacked: for
example, companies and organisations must notify the national
supervisory authority of serious data breaches as soon as possible so
that users can take appropriate measures.
Business principles
On the other hand, by unifying Europe's rules on data protection, lawmakers aim to create business opportunities and encourage innovation.
In this perspective the new regulation will establish new principles:
I. One continent, one law: the regulation will establish one single
set of rules which will make it simpler and cheaper for companies to
do business in the EU.
II. One-stop-shop: businesses will only have to deal with one single
supervisory authority. This is estimated to save €2.3 billion per year.
III. European rules on European soil: companies based outside
of Europe will have to apply the same rules when offering services in
the EU.
IV. Risk-based approach: the rules will avoid a burdensome
one-size-fits-all obligation and rather tailor them to the respective risks.
V. Rules fit for innovation: the regulation will guarantee that data
protection safeguards are built into products and services from the
earliest stage of development ("Data protection by design").
Privacy-friendly techniques such as pseudonymisation will be encouraged, to
reap the benefits of big data innovation while protecting privacy.
Moreover, this reform will "cut costs and red tape" for European business,
with particular attention to small and medium enterprises (SMEs). The
EU's data protection reform will help SMEs break into new markets. Under
the new rules, SMEs will benefit from four reductions in red tape:
I. No more notifications: notifications to supervisory authorities
are a formality that represents a cost for business of €130 million
every year. The reform will scrap these entirely.
II. Every penny counts: where requests to access data are
manifestly unfounded or excessive, SMEs will be able to charge a fee
for providing access.
III. Data Protection Officers: SMEs are exempt from the
obligation to appoint a data protection officer insofar as data
processing is not their core business activity.
IV. Impact Assessments: SMEs will have no obligation to carry out
an impact assessment unless there is a high risk.
V. Protecting personal data in the area of law enforcement
VI. Better cooperation between law enforcement authorities

2. Data Protection Directive for Police and Criminal Justice Authorities

According to the European Commission, this directive aims to provide
better cooperation between law enforcement authorities enhancing mutual
trust between police and judicial authorities of different Member States,
thus contributing further to a free flow of data, and effective cooperation
between police and judicial authorities. It will also supply citizens with a
better protection of their data: individuals' personal data will be better
protected when processed for any law enforcement purpose including
prevention of crime. It will protect everyone regardless of whether they
are a victim, criminal or witness. All law enforcement processing in the
Union must comply with the principles of necessity, proportionality and
legality, with appropriate safeguards for the individuals. Supervision is
ensured by independent national data protection authorities, and effective
judicial remedies must be provided.

Next Steps
Now it's time to review the above principles, wait for additional
instructions, guidance and - when the time has come - the practice by
European courts and data protection authorities.
The official documents about the reform of EU data protection rules can be
found here.
