New EU data protection rules take effect on Friday
- Citizens will have better control over their personal data
- One set of rules across the EU will guarantee certainty for companies
- Stronger enforcement through fines
New EU data protection rules strengthening citizens' rights and simplifying rules for companies in the digital age will take effect on Friday.
The General Data Protection Regulation (GDPR), adopted in April 2016, will apply fully as of Friday 25 May 2018. The rules aim to protect all EU citizens from privacy and data breaches in an increasingly data-driven world, while creating a clearer and more consistent framework for businesses.
New rights for citizens:
- a citizen has to give their "clear and affirmative consent" for their data to be processed;
- the right to receive clear and understandable information about who is processing the data, what data and why;
- the right to be forgotten: a citizen can ask for his/her data to be deleted;
- the right to transfer data to another service provider (e.g. when switching from one social network to another);
- the right to know when data has been hacked.
Wider scope and more efficient enforcement
The new rules apply to all companies operating in the EU, even if these companies are based outside of the EU.
Furthermore, it will be possible to impose corrective measures, such as warnings and orders, or fines on firms that are breaking the new rules. The maximum ceiling for fines in the most serious infringement cases is 4 % of the company’s total worldwide annual turnover.
Rapporteur Jan Albrecht (Greens/EFA, DE) said: “With the General Data Protection Regulation, the European Union sets a global standard and ensures that fundamental rights, consumer protection and fair competition are strengthened. For the first time, the same high level of data protection rules apply to everyone in the European Union; the new EU-wide rules replace a patchwork of 28 different national regulations.”
The General Data Protection Regulation will replace the EU data protection directive, which dates back to 1995. The GDPR was adopted in April 2016 as part of a wide-ranging reform package, which also includes a directive on data processing for law enforcement purposes. A set of new rules on e-Privacy is also currently being considered.