17 December 2015
The new data protection legislation will be put to a vote today in the European Parliament’s Civil Liberties committee. Timothy Kirkhope, the European Conservatives and Reformists (ECR) Group's lead negotiator on the package, will support the agreement on the regulation and the directive, but now believes the European Commission has some work ahead to ensure business is clear on its rights and responsibilities under the new regime.
Mr Kirkhope said:
“The key to whether this legislation succeeds or fails will be how the European Commission implements it. If the commission can make sure that businesses have a clear understanding of how the principles affect them, and the actions they must take, then it can have a positive effect.
“What has come out of the process is a significant improvement on previous proposals, with a more reasonable approach to fines and protection for medical and scientific research. The regulation takes more of a risk-based approach and we were also pleased to be able to ensure countries that want lower ages for parental consent on social media have been accommodated.
“The big multinationals have vast compliance departments for unravelling what this law means for them. Now we need the European Commission to be clear in how it implements the law so that smaller businesses are clear on how this law will affect them, and how they can prepare for it.
“If the European Commission implements this law correctly then it should bring real benefits to how people can take control over their data. If they mishandle the implementation, it will become a burden for businesses.”
Key aspects of the regulation are:
Consent
The text removes the vague concept that ‘unambiguous consent’ is needed for processing data, replacing it with ‘consent’ that can take the form of any appropriate method enabling a freely given, specific and informed indication of the data subject’s wishes, either by written, electronic or oral statement or, if required by specific circumstances, by any other clear, affirmative or unambiguous action by the data subject. This could include ticking a box (pre-ticked boxes do not count), or any other statement or conduct which in context indicates the data subject’s acceptance of the proposed processing of their personal data. Silence will not constitute consent. Processing of sensitive data, such as ethnic or racial origin or political opinion, is dealt with separately.
Consent for children
The rules will require parental consent for processing the personal data of under-16s. Member states may set a lower age in national law, but not below 13. In countries that currently apply a lower age, that lower age can continue to apply; elsewhere the default threshold of 16 will apply.
Right to rectification
Data subjects shall have the right to obtain from the controller without undue delay the rectification of personal data concerning him or her which are inaccurate.
Data breaches
Data breaches will have to be notified to the supervisory authority within 72 hours of the controller becoming aware of them. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the individuals concerned must also be notified without undue delay.
Data protection officer
Bodies whose core activities involve systematic monitoring of individuals, or processing of personal data on a large scale, will be required to appoint a data protection officer.
Penalties
There will be a two-tier system of fines, with a lower tier for less serious infringements and a higher tier for more serious ones.
The lower tier carries a maximum fine of €10,000,000 or, for a company, 2% of the previous year’s worldwide annual turnover, whichever is higher. The higher tier carries a maximum fine of €20,000,000 or, for a company, 4% of the previous year’s worldwide annual turnover, whichever is higher. Supervisory authorities will take into account the nature, gravity and duration of the infringement before deciding what fine to levy, and lower, more proportionate penalties are possible for minor infringements.
Medical and scientific research and historical records
Medical research, scientific research and historical and statistical data are dealt with separately when processed in the public, scientific or historical interest. Appropriate safeguards are required to ensure data minimisation, and other ways of protecting data, such as pseudonymisation, are to be considered. Member states may provide specific national derogations where necessary for research in the public interest.