EARN News

The new EU General Data Protection Regulation

Luxembourg, 2017-10-22

In a digitalised world in which almost everyone is connected on social media, technological developments have made a renewal and unification of the existing rules on personal data unavoidable.

The European General Data Protection Regulation (Regulation (EU) 2016/679), which entered into force on May 24, 2016, will apply as of May 25, 2018, in all EU member states. After four years of negotiations it thus replaces the Data Protection Directive (Directive 95/46/EC) of 1995.

The reform package also includes the Data Protection Directive for police and criminal justice (Directive (EU) 2016/680 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data). The objective of the reform is to give citizens better control over their data.

In summary, access to one's own data is simplified and a strict obligation to inform applies whenever personal data are collected. The user is granted a right to clear and easily understandable information on the use of his or her data. If personal data are compromised, for example by a hacking attack, the controller must notify the supervisory authority of the breach and, where the breach is likely to result in a high risk to the persons concerned, inform those persons without undue delay.

Of particular interest is the user's right to erasure, or "right to be forgotten": if there is no legitimate reason to process or retain a person's data, the data must be deleted upon request. Furthermore, an affected person may request the correction of inaccurate personal data and the completion of incomplete personal data.

In principle, the personal data belong to the user (the data subject), not to the internet service provider that processes them (the controller). Under the right to data portability, a person may request his or her data in a structured, commonly used and machine-readable format and have them transmitted from one provider to another.

The Regulation encourages companies to apply data-protection-friendly techniques such as pseudonymisation (identifying fields in a data set are replaced by one or more artificial identifiers, and the additional information needed to link the identifiers back to a person is kept separately and protected) and encryption (data are encrypted in such a way that only authorised parties can read them). Where the Regulation requires it, public authorities and companies must appoint a data protection officer.
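The following is an added example of the pseudonymisation technique described above; it is not part of the original article and is not prescribed by the Regulation. It assumes a record held as a Python dictionary, a secret key held by the controller, and a constructed sample record with the hypothetical fields name, email and phone. It uses a keyed HMAC rather than a plain hash because a plain hash of an e-mail address or phone number can be reversed by hashing candidate values, whereas HMAC output cannot be linked back without the key. The re-identification table it returns is the "additional information" that has to be stored separately from the pseudonymised data.

```python
"""Keyed pseudonymisation of identifying fields in a personal-data record.

Added example, not code from the original article. Assumes a record stored
as a dict and a secret key held by the controller; the field names and the
sample record below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a natural person and must be replaced by
# artificial identifiers before the record leaves the controller's
# protected environment (hypothetical field names).
IDENTIFYING_FIELDS = ("email", "name", "phone")


def pseudonym(value: str, key: bytes) -> str:
    """Return a stable artificial identifier for `value`.

    HMAC-SHA256 keyed with a secret is used instead of a plain hash: an
    unkeyed hash of a low-entropy field (e-mail, phone number) can be
    reversed by a dictionary attack, while the HMAC cannot be linked back
    to the original value without the key. Input is normalised so that
    differently formatted copies of the same identifier map to the same
    pseudonym and records can still be joined.
    """
    normalised = value.strip().lower().encode("utf-8")
    mac = hmac.new(key, normalised, hashlib.sha256)
    # 32 hex characters = 128 bits, short but collision-safe in practice.
    return mac.hexdigest()[:32]


def pseudonymise(record: dict, key: bytes, fields=IDENTIFYING_FIELDS):
    """Return (pseudonymised_record, re_identification_table).

    The table maps each artificial identifier back to the original value.
    It is the separately kept "additional information" and must never be
    stored together with the pseudonymised data.
    """
    out = dict(record)
    table = {}
    for field in fields:
        if field in out and out[field] is not None:
            token = pseudonym(str(out[field]), key)
            table[token] = out[field]
            out[field] = token
    return out, table


def re_identify(record: dict, table: dict, fields=IDENTIFYING_FIELDS) -> dict:
    """Restore the original values using the separately held table."""
    out = dict(record)
    for field in fields:
        if field in out and out[field] in table:
            out[field] = table[out[field]]
    return out


if __name__ == "__main__":
    # Generated per controller and kept apart from the data it protects.
    key = secrets.token_bytes(32)
    # Constructed sample record, not real personal data.
    record = {"name": "Jane Doe", "email": "Jane.Doe@example.org",
              "phone": "+352 000 000", "purchases": 3}
    pseud, table = pseudonymise(record, key)
    print(pseud)  # non-identifying fields such as "purchases" are untouched
    assert re_identify(pseud, table) == record
    # Same address, different formatting -> same pseudonym, so the
    # pseudonymised data can still be joined on the e-mail field.
    assert pseud["email"] == pseudonym(" jane.doe@example.org ", key)
```

The key and the re-identification table are the two pieces of "additional information": whoever holds only the pseudonymised records cannot attribute them to a person, and whoever holds the table or key can. Both therefore need the same access controls and logging as the original identifying data.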

Each member state must establish one or more independent supervisory authorities to monitor the application of the Regulation. Violations will be penalised much more severely in the future: fines of up to four per cent (4%) of a company's total worldwide annual turnover, or EUR 20 million, whichever is higher, can be imposed.

Finally, it should be emphasised that the Regulation also applies to companies from third countries that offer goods or services in the EU or monitor the behaviour of persons in Europe. This affects in particular companies in the USA, which until now have only had to follow US rules and must now respect the European ones as well.

Time will tell whether the new General Data Protection Regulation will improve the protection of individuals with regard to the processing of their personal data while still allowing the free movement of such data.

By May 25, 2020, the European Commission must submit a report on the evaluation and review of the Regulation.

Author: Anne-Marie Schmit, Attorney at law

ETUDE ANNE-MARIE SCHMIT