The EU's new data protection rules are set to bolster European citizens' rights while imposing new responsibilities on companies.
Here is an explainer on the rights and obligations entailed under the General Data Protection Regulation (GDPR), which is set take effect later this month:
– Power to the people –
These are the main rights guaranteed to European internet users under the GRPD — please note that some are already covered by national legislation in several countries.
1. The right to be informed. Internet users who hand over personal data have the right to know how it will be used, how long it will be kept and whether it might be used outside the European Union.
2. The right to access, correct and erase data. Users will be able to transfer their data to another service provider, or receive it themselves in a usable format.
3. The right to be forgotten. Users can ask that they no longer appear in searches, although this right is also balanced against the public's right to know.
4. The right to challenge algorithms. If algorithms play an important role in decisions, such as admission to universities, those affected should have the right to challenge the decision and request human intervention.
5. The right to contest violations of rights. Each country's information rights agency will accept complaints. If the complaint concerns a company in another EU state, it will be transferred to the regulator in that country. Final decisions taken by all the national agencies together are binding across the EU.
– New rules for companies –
For companies, the regulations is not one-size-fits-all. Their obligations depend on what kind of data they collect, what they do with it and their size. It doesn't matter if they are European firms or not — if they collect data from Europeans then the GDPR applies to them.
For most small and medium-sized businesses the new regulations simply protect the information they have on their clients and suppliers using the "rules of common sense", in the words of France's data protection agency CNIL.
The GDPR's main objectives is to reduce the amount of data being collected and processed from the start.
This means that firms should evaluate what data they really need, and then how to protect it. The information should then be updated regularly.
Clients and subcontractors should also be informed what data is being collected and what for, as well as how they can exercise their rights.
Companies also need to set out policies on who has access to data and how, designate who is responsible for data protection, and put into place all necessary measures to safeguard the data, particularly sensitive information.
Firms also have the right to appeal to their national data regulator.
EU data laws set to bite after Facebook scandal
Brussels (AFP) May 14, 2018 –
New European Union data protection laws take effect on May 25 to protect users' online information, in what Brussels touts as a global benchmark after the Facebook scandal.
The laws will cover large tech companies like Google, Twitter and Facebook that use personal data as an advertising goldmine, as well as firms like banks and also public bodies.
One major change is that consumers must explicitly grant permission for their data to be used, while they can also specifically ask for their personal information to be deleted.
Firms face huge fines of up to 20 million euros ($24 million) or four percent of annual global turnover for failing to comply with the EU's General Data Protection Regulation (GDPR).
"It's your data — take control," the European Commission, the EU's executive arm, urges the bloc's 500 million citizens in guidelines for the new rules.
The case for the new rules has been boosted by the recent scandal over the harvesting of Facebook users' data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election.
Facebook chief Mark Zuckerberg told US lawmakers last month the firm plans to fall into line with the EU rules as it seeks to rebuild its reputation after the breach, which affected 87 million users.
– 'Living in a jungle' –
The scandal has proved a godsend for the EU.
EU Justice Commissioner Vera Jourova told AFP in an interview that the incident fueled "a campaign" for the new European law in a way that she could never have done.
She said the EU was setting a global benchmark for data protection as many Americans who once criticised Europe as too set on regulation now see the need for the GDPR.
The Facebook scandal showed "that we really are living in the kind of jungle where we are losing ourselves," the Czech commissioner added.
But not everything has run smoothly.
At least eight of the 28 EU countries will not have updated their laws by May 25.
The lack of preparedness comes despite the fact that the new laws were officially adopted two years ago, with a grace period until now to adapt to the rules.
This "will create some legal uncertainty," Jourova said, blaming countries for neglect rather than resistance to the law.
Facebook, WhatsApp, Instagram and Twitter have all started in the last few weeks to alter their terms of use, but the situation appears more complicated for small- and medium-sized firms.
– 'Brave choice' –
In Germany, the chamber of commerce and industry expressed fears smaller companies may react defiantly to what they call "excessive red tape" under threat of fines.
The new EU law establishes consumers' "right to know" who is processing their information and what it will be used for.
Individuals will be able to block the processing of their data for commercial reasons and even have data deleted under the "right to be forgotten."
They will have to be warned when there is unauthorised access, with the law establishing the key principle that individuals must explicitly grant permission for their data to be used.
Parents will decide for children until they reach the age of consent, which member states will set anywhere between 13 and 16 years old.
In return, EU officials argue that digital firms will benefit from regulation that restores consumer confidence and replaces the patchwork of national laws.
European leaders have backed the new laws.
French President Emmanuel Macron said in a speech in Germany last week that he welcomed the "brave choice" of the new law, calling it a cornerstone in a new "digital sovereignty."
