Wednesday, December 30, 2015

New EU privacy regulations are coming

The EU's current data protection laws date from 1995, before the internet came into widespread use and mobile phones were not as common.

A lot has changed since 1995: Today mobile phones are common, people access data via their smartphones and tablets, and data is stored in the cloud. Personal data like e.g. name, address, date of birth, telephone numbers and pictures are shared on daily basis, whether to open a bank account, book a flight, apply for a job or to get a fitness card.

Time for an update

On December 15th 2015, the European Union officials have reached an agreement on a new European digital-privacy law, the General Data Protection Regulation (GDPR). 

The texts of the regulation must be definitively approved by the European Parliament and EU and the Regulation is planned to take effect after a transition period of two years.

The regulation is applicable if the data controller (enterprises that own the data) or data processor (e.g. cloud provider) or the data subject (person) is based in the EU.
The Regulation also applies to organizations based outside the European Union if they process personal data of EU residents.

According to the European Commission "personal data" is any information related to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, an email address, bank details, a picture, posts on a social network, medical information, or a computer’s IP address.


Under this new GDPR, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Persons or organizations which collect and manage personal information must protect it from abuse and must respect certain rights of the data owners which are guaranteed by EU law. The new EU regulation will also affect the cloud providers since the data processor also becomes liable for data that is stored on his servers.
Some highlights of the new regulation:
  • Persons are entitled to ask a data controller if he or she is processing personal data about him. He also has the right to receive a copy of this data in intelligible form.
  • The "right to erasure" or "right to be forgotten": when a person no longer wants his data to be processed because the data is not correct or he would like to withdraw his consent, and provided that there are no legitimate grounds for retaining it, the data needs to be erased by the data controller without undue delay.
  • Data Portability: Organizations that have EU customers who want to switch service providers will need to make it easier for such customers to transfer their personal data to another service provider.
  • The right to know when your data has been hacked: Organizations are required to inform national regulators as soon as possible of any reported data breach so that users can take appropriate measures.
  • Companies may be fined up to 4% of their annual global revenue for violations of the Regulation. This could mean millions of Euros in fines for large companies that violate the GDPR.
  • Age of Consent for Children. Consent for children under 16 must be given by child’s parent or custodian, and should be verifiable. Member states can lower the age of consent for children to use social media, as long as the limit is between 13 and 16 years of age. Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn.


For more information

Press release: