Back in 1995, when the European Commission adopted directive 95/46/EC, the set of rules that still governs data protection across Europe, only one percent of Europe was connected to the Internet, and even less of the world. The rules are now being changed because they do not account for any of the new technologies developed and in common use today, such as cloud technologies and social media.
The newly announced laws are designed to create a single pan-European law, and they show just how keen the European Commission, the European Parliament and various government bodies across Europe are on improving data protection. The Commission, the Parliament and the related bodies met this week to discuss the laws again, and most are predicting that the law will come into force as soon as 2018.
Greg Iddon, sales engineer at Sophos, explained the benefits during his presentation. The idea is that there should be a single European law, rather than the current five directives, making it far easier to understand and put into action within a company.
The EC intends to act as a one-stop-shop supervisory authority, in order to avoid confusion over who can legislate on the topic.
All countries in the EU will have the same rules on data protection, which means, for example, that companies will no longer be able to store data in member states with weaker protection.
The benefits for citizens are claimed to include:
- The GDPR is designed to encourage companies to store data better and more securely; they could face huge fines if they don't.
- A lot of the GDPR focuses on getting rid of ambiguous terms and conditions. It will no longer allow a simple 'tick this box to allow for X'; companies will have to explain exactly what is going to happen with the data, where it's going, how it's stored and who will have access to it.
- Another hot issue which the GDPR will cover is the 'right to be forgotten' and 'right to erasure' - the issue first brought to light in ruling C-131/12, when a Spanish man took Google Spain to the European court to force Google to remove search results about him that were no longer applicable and were affecting his reputation.
- The GDPR wants to put people in control; if a company is collecting data on you, they must explain how long they plan to retain it, how it's encrypted and they are even considering developing a stop light system to tell you whether or not a certain website is a trustworthy place to enter personal details into.
- Finally, companies are no longer allowed to transfer data between the EU and US: the European Commission recently ruled that the Safe Harbour laws no longer apply to data stored within the European Union, as there is 'no adequate US equivalent'.