News: The new General Data Protection Regulation from the EU, which reached a compromise in late December and is expected to be finally agreed upon in January 2016, has some good and some bad news.
Some of the good:
- Individuals have clear rights: for example, you can demand erasure of all your information if you have left a service, or take away, in an easily readable format, the data you’ve given a business provider.
- The definition of personal data has been extended and clarified; it now clearly includes IP addresses and location data, for example.
- A company can be fined up to 4% of its global turnover for breach of the regulation.
- The redress and complaint possibilities are better: privacy and consumer groups will now be able to act on behalf of one or more individuals.
- There is a new right to object to profiling for direct marketing purposes.
- Children under 13 will need parental consent. Each country can decide whether it wants to require parental consent for ages 13 to 16.
Privacy International argue for the bad and the ugly:
- The user consent provision is confusingly mixed – defined as ‘unambiguous’, but has to be ‘explicit’ for sensitive data, such as health or political beliefs.
- The very broad and undefined ‘legitimate interest’ provision, including for third parties, can still circumvent consent altogether.
- Collective redress is only possible in countries where provisions for collective redress exist in national legislation.
- There is a serious risk of dis-harmonisation, since there are many exceptions allowing Member States to pass their own laws, e.g. Article 21 allowing countries to introduce legal exceptions to this law based on a loosely defined “general public interest”.
The new regulation will, however, be a game changer and the beginning of a new paradigm. According to CtrlShift, a consultancy agency in London, companies should use the regulation strategically and “accept the spirit of the legislation and to seize it as an opportunity to put data relationships with customers on a new, positive trust-based footing.” They argue that it is a game changer because of:
- making the right to withdraw consent “as easy as to give it” (Article 7.3)
- the “right to be forgotten” (Article 17)
- the right to know about the existence of profiling (Article 15.1h), and the right to object to it (Article 19.1)
- the right to opt out of direct marketing (Clause 57 of the Introduction)
- tightened provisions about transparency (Article 12)
- tightened definitions of what personal data is (Article 4.1)
- tightened definition of consent itself: “freely given, specific, informed and unambiguous” (Article 4.8)
- encouragement of pseudonymised processing of data (Clause 23 of the Introduction)
- encouragement of the use of machine readable icons to communicate policies (Article 12.4)