New Data Protection Rules


 Are you aware of the new Data Protection Rules?


A new law gives the green light to the authorities to access the online history of all citizens of the EU.

The fight against terrorism is the basis for a series of measures that bind telecommunications operators to keep personal data for a year.

Where is the right to privacy?

According to the Data Protection Network “Unsurprisingly, organisations told to hurry up and prepare for May 2018 are frustrated; consent is a crucial issue. A draft is a draft and subject to change and any alterations could have a significant impact.”

Until May 25, 2018, Law 67/98 should continue to be in force.

After that date, the EU governments and/or parliaments shall take measures in order to avoid conflicts between the new regulation and national law.

If a State does not take measures to avoid these conflicts, it is subject to a case before the Court of Justice of the EU.

To explain what is changing with the new regulation, which aims to standardise data protection policies, we invited two experts: Daniel Reis, a lawyer at PLMJ, and Luís Neto Galvão, consultant to the Council of Europe in the area of Privacy and Data Protection and specialist working at SRS Advogados.

Main changes

These are the changes foreseen for the new regulation, according to the analyses of the two specialists.

Right to forget: A citizen will be able to require a company to delete their personal data, enforcing a right that resembles a rule that began to be applied on the Internet.

“The right to forgetfulness is in reality an extension of the right that already existed for the citizen to prevent his personal data from being treated.”

Data Portability: The citizen can now demand from a company the data that concerns him in a format that will allow the migration to another company.

“It will have very important reflexes in our lives as consumers, facilitating, for example, the change of service providers and improving competition”, explains Luís Neto Galvão.

“With this right the change of service provider that treats your personal data will become simpler. Think of the change of bank or insurance company. The citizen exercises this right and will not have to give his personal data to the new service provider again”, says Daniel Reis.

Advantages and disadvantages to companies

For companies: In parallel with the application of new rights for citizens, the new regulations release companies from requests for data processing authorisations with the National Data Protection Commission (CNPD), but define new requirements in the processing of information.

“There are a number of rules that benefit companies, for example the prior authorisation mechanism by the local authority (CNPD) will disappear, so companies will not need to wait for the authorisations.

On the other hand, strengthening citizens’ rights will mean imposing stricter rules and, in that regard, more difficult to enforce,” explains Daniel Reis. “There have been major improvements in corporate accountability.

These are now being dispensed from the current bureaucracies (notifications), although they have to keep records on the data processing they perform, conduct audits, and adopt the principles of data protection by design (privacy by design) and data protection by default (privacy by default).

At the level of online customer relations, privacy policies will have to be written in clear and perceptible language, which often does not occur today,” says Luís Neto Galvão.

Daniel Reis points out the following requirements: “There are a number of new obligations, such as the obligation to appoint a data protection officer, an obligation to report safety breaches to the authorities and affected citizens, the need to make impact assessments on data protection (privacy impact assessments), to use technologies such as pseudonymisation and encryption of personal data.”

What are the fines?

Fines: Instead of authorisations, the new regulation focuses on supervision – and on imposing fines on wrongdoers:

There is a very demanding sanctioning regime, with fines that in the case of minor infringements may reach 10 million euros or 2% of the global turnover of the group in which the company operates, and in the most serious cases can amount to 20 million euros or 4% of worldwide turnover, said Luís Neto Galvão.

Companies outside the EU also need to be in order

Outside the EU: What influence could the new regulation have on data from outside the EU? “These rules apply to all processing of personal data of citizens residing in the EU even if the company is not established there.” – Daniel Reis

This rule obviously protects EU citizens but it is burdensome for foreign companies, including the American giants who have put a lot of pressure to remove this rule.

The European Commission’s position is that there is no differentiated treatment because the rules only apply if companies are developing an economic activity within the EU. ”

Police and spies: The new regulation does not change how the authorities in each Member State access the data.

“Rules related to the means of obtaining evidence, criminal investigation and international judicial cooperation are not part of the scope of the Regulation,” explains Daniel Reis.

Virtues: The regulation aims to adapt the legal landscape to the new technological realities. Luís Neto Galvão affirms: “The final product is not perfect for citizens or companies.

However, the overall figure is quite positive and reflects the relevance of data protection more recently with the Treaty of Lisbon and the Charter of Fundamental Rights of the European Union and with the case law of the Court of Justice of the European Union.”

(Translated from Exame Informatica)

