The European Union passed a directive in May 2016 requiring all member states to update their Data Protection laws. Members of the EU have two years to do this.
The United Kingdom is leaving the EU but when? 2017, 2018 or later? What sort of deal will the United Kingdom agree with the EU? That is a ball in the air. In the meantime the Data Protection changes will certainly impact on the UK. No matter what sort of agreement the UK thrashes out with the EU it is very probable that at least some of these Data Protection changes will remain in British law.
The EU has created a Digital Single Market. The EU says it aims to give citizens greater privacy. However, the EU recognises that the police and other state agencies sometimes need to have access to data about people. The police and other public bodies will sometimes be permitted to view and hold data about people. The Data Protection Directive is the legislation which empowers the police and certain other bodies to look at and retain information about people.
The General Data Protection Regulation is the key part of this overhaul. This is to be enforced in all EU member states as is. There is no wiggle room here. The GDPR is supposed to be an expression of article 8 of the EU’s Charter of Fundamental Rights. The GDPR is supposed to make the law uniform across all European Union countries. There has already been EU legislation on data protection since 1995.
With regard to the DPD (Data Protection Directive), member states will transpose this into their national law. They can do it in their own way so long as the objectives mandated by the EU are sufficiently achieved within the specified time period.
The law is supposed to be streamlined and simplified, which should make it easier for businesses to comply with it.
WHAT CHANGES ARE COMING IN?
Individuals are supposed to get control of their data. This is why you often have to agree to let people store your name and address. You have to agree to let companies record what you are viewing if you want to use your phone to surf the internet in their premises. This helps them target ads at you.
Consent is to be a core principle. Generally speaking, people are only to have data about them captured and transmitted with their say-so. Often this is by ticking a box in an app. There may be a lot of small print that people very seldom read. Nevertheless the formality must be adhered to.
The right to be forgotten will be enhanced. This is developed from a Spanish landmark ruling. People can demand that information about them be deleted. Unless there is an overriding reason why this should not be done then the request must be acceded to.
People must be informed if they have been hacked. This notification must be prompt.
People must be informed what data on them is being stored. This must be explained to them in lucid language. You must also make it easy for them to send this data to another organisation.
Data protection must be put into the design stage of future products.
Companies can be fined up to 4% of their global turnover. Note that this is turnover, not profit. Furthermore, that is the GLOBAL figure – not just for your country or for turnover in the entire EU. It is unlikely that a company will be fined as much as 4%. That would have to be for many very grave breaches of the law.
Parents have responsibility for their children’s data until the age of at least 13. This could be up to the age of 16. It is up to member states to decide at what age a child is responsible for his or her own data. So a member state can set the age at 13, 14, 15 or 16 as the state sees fit. This creates some inconsistency. What happens if the age is 13 in one country and 16 in another, and someone in the latter country is aged 13 and sends info to the other country? That is imponderable and we have to wait for courts to rule in test cases.
The EU allowing member states to set the age of data adulthood as low as 13 is a recognition of how much teenagers use the internet. Moreover, it also indicates that children often know more than their parents about technology.
There will be a single supervisory authority for the new legislation.
Small companies will be more competitive. Customers can switch over from large companies and transfer all their data. Previously this was laborious and made it difficult for new companies to get into the market.
Small and medium-sized enterprises no longer need to employ a data protection officer unless their business is mainly about data.
SMEs only have to tell people about data breaches if these are high risk. High risk would involve a significant chance of theft, for example.
Anonymisation is the way forward. Remove any identifying information about people. Use pseudonyms when possible.
Encrypt messages so that only the intended recipient can read them.
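The two recommendations above (strip identifying information, use pseudonyms) can be put into practice with a keyed hash. The example below is added here to illustrate that; it is not code from the original article. It assumes a record is a small dictionary with direct identifiers (name, email, phone) alongside the fields that analysis actually needs, and it uses a constructed secret key. The pseudonym is an HMAC-SHA256 of the normalised email address: the same person always maps to the same token, so records stay linkable for research, but the token cannot be traced back to the person without the key, which must be held separately from the pseudonymised data.

```python
"""Pseudonymising personal-data records with a keyed hash.

Added illustration, not part of the original article. Record layout,
field names and the sample data are constructed for this example.
"""
import hashlib
import hmac

# Fields that directly identify a person and must not leave with the data.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@Example.com",
     "phone": "01234 000000", "postcode_area": "SW1", "purchases": 3},
    {"name": "A. Example", "email": "  alice@example.com ",
     "phone": "01234 000000", "postcode_area": "SW1", "purchases": 1},
    {"name": "Bob Example", "email": "bob@example.com",
     "phone": "01234 111111", "postcode_area": "M1", "purchases": 7},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Return a stable, non-reversible token for an identifier.

    HMAC-SHA256 is keyed, so an attacker who obtains the pseudonymised
    data cannot simply hash guessed emails to re-identify people, unlike
    a plain unkeyed hash. The identifier is normalised first so that
    case and whitespace variants of the same address collapse to one token.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Drop direct identifiers and replace them with a single subject_id."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym(record["email"], key)
    return out


def pseudonymise_all(records: list, key: bytes) -> list:
    return [pseudonymise(r, key) for r in records]


def has_direct_identifier(record: dict) -> bool:
    """Check used before releasing data: True if any raw identifier remains."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # The key is the re-identification secret; in practice it is stored
    # apart from the dataset, under separate access control.
    demo_key = b"constructed-demo-key-keep-separately"
    for row in pseudonymise_all(SAMPLE_RECORDS, demo_key):
        print(row)
```

Running the block prints three records with no name, email or phone, where the first two share one `subject_id` because they are the same address written differently. Rotating the key produces an unrelated set of tokens, which is one way to sever old links when data is no longer needed.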
Freedom of expression is not to be unduly curtailed.
Historical research is still permitted as before. Scientific research is still allowed. This does not mean that using confidential medical information without permission is allowed.
These rights only apply to the living! You cannot take legal action if someone accesses data about a dead relative.
The police can send and receive personal details pursuant to criminal investigations. They can also do this with law enforcement bodies outside the EU.
Data is only to be stored and sent for a specific purpose. It cannot be a general trawl through information, or amassing information for its own sake.
Much of this depends on what the courts decide. There will no doubt be test cases in future.
Legislation will kick in on 6 May 2018. However, you are of course entitled to bring yourself into line with it early.