Yesterday (April 14, 2016) the European Parliament approved new rules on personal data — including geolocation — that create a high, uniform level of data protection across the European Union. The measure also sets minimum standards on use of data for policing and judicial purposes.
Parliament’s vote ends more than four years of work on a complete overhaul of EU data protection rules. The reform will replace the current data protection directive, dating back to 1995 when the Internet was still in its infancy, with a general regulation designed to give citizens more control over their own private information in a digitized world of smartphones, social media, and online banking.
“The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European ‘yes’ to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share,” said Jan Philipp Albrecht (Greens, Denmark), who steered the legislation through Parliament.
“The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition,” he added.
The regulation includes provisions limiting or prohibiting “profiling,” defined as the “automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
The new rules include provisions that require “clear and affirmative consent” to the processing of private data by the person concerned, ensure that privacy policies are explained in clear and understandable language, and enact stronger enforcement and fines up to four percent of company’s total worldwide annual turnover, as a deterrent to breaking the rules.
The data protection package also includes a directive on data transfers for policing and judicial purposes. It will apply to data transfers across borders within the EU as well as, for the first time, setting minimum standards for data processing for policing purposes within each member state.
The new rules aim to protect individuals, whether victims, criminals or witnesses, by setting out clear rights and limitations on data transfers for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
The data protection regulation will enter into force 20 days after its publication in the EU Official Journal, and become directly applicable in all member states two years after this date. Member states will also have two years to transpose the provisions of the directive into their national laws.