Are you aware of the new Data Protection Rules?
As of 2018, a new law gives authorities permission to access the online history of all citizens of the EU.
A series of measures tied to the fight against terrorism will bind telecommunications operators to retain personal data for a year.
Where is the right to privacy?
According to the Data Protection Network: “Unsurprisingly, organisations told to hurry up and prepare for May 2018 are frustrated; consent is a crucial issue. A draft is a draft and subject to change, and any alterations could have a significant impact.”
Until May 25, 2018, Law 67/98 should continue to be in force.
After that date, GDPR will be in effect. EU governments and/or parliaments will take measures to avoid conflicts between the new regulation and national law.
If measures to avoid these conflicts are not taken, the State could be brought before the EU Court of Justice.
The new regulation aims to standardise data protection policies for citizens across the EU. We invited two experts to give some insights and opinions. They are Daniel Reis and Luís Neto Galvão. Daniel is a lawyer with PLMJ, and Luís works with SRS Advogados, as consultant to the Council of Europe in the area of Privacy and Data Protection.
Main changes
According to the analyses of these two specialists, the new regulation will centre around the ‘right to forget’ and data portability.
Right to forget: A citizen can require that a company delete their personal data. This resembles a rule originally applied on the Internet.
Data Portability: The citizen can demand that any data which concerns him be supplied in a format that allows migration to another company.
Luís Neto Galvão explains: “It will have very important reflexes in our lives as consumers. For example, facilitating the change of service providers and improving competition.”
“With this right the changing of service provider will become simpler. Think of the change of bank or insurance company. The citizen exercises this right and will not have to give his personal data to the new service provider again,” says Daniel Reis.
Advantages and disadvantages to companies
The new legislation includes the application of new rights for citizens. Additionally, it releases companies from requests for data processing authorisations with the National Data Protection Commission (CNPD). Simultaneously, it defines new requirements in the processing of information.
According to Daniel Reis: “There are a number of rules that benefit companies. For example, the prior authorisation mechanism by the local authority (CNPD) will disappear, so companies will not need to wait for authorisation. On the other hand, strengthening citizen rights will mean imposing stricter rules. In that regard the regulations may be more difficult to enforce.
There have been major improvements in corporate accountability. These are now being dispensed with from the current bureaucracies (notifications). However, they will have to keep records on any data processing they perform; conduct audits; and adopt the principles of data protection from design and data protection by default.”
“At the level of online customer relations, privacy policies will have to be written in clear and perceptible language. This often does not occur today,” says Luís Neto Galvão.
Daniel Reis points out the following requirements: “There are a number of new obligations, such as the obligation to appoint a data protection officer, and an obligation to report safety breaches to the authorities and affected citizens. Companies must recognise the need to carry out data protection impact assessments (privacy impact assessments), and to use technologies such as pseudonymisation and encryption of personal data.”
What are the fines?
Fines: Instead of authorisations, the new regulation focuses on supervision and imposing fines on wrongdoers:
“There is a very demanding sanctioning regime. In the case of minor infringements, fines may reach 10 million euros, or 2% of global turnover. Furthermore, in the most serious cases the fine can amount to 20 million euros or 4% of worldwide turnover,” said Luís Neto Galvão.
Companies outside the EU also need to comply
Outside the EU: What influence could the new regulation have on data sent from outside the EU? “These rules apply to the processing of personal data of citizens residing in the EU, even if the company is not established there,” says Daniel Reis.
Obviously, this rule protects EU citizens, but is burdensome for foreign companies. The American giants in particular have put a lot of pressure on the EU to remove this rule.
Despite protests, the European Commission’s position is that there is no differentiated treatment. The rules only apply if companies are developing an economic activity within the EU.
Legal use of data: The new regulation does not change how the authorities in each Member State access the data.
“Rules related to the means of obtaining evidence, criminal investigation and international judicial cooperation are not part of the scope of the Regulation,” explains Daniel Reis.
Virtues: The regulation aims to adapt the legal landscape to the new technological realities, as Luís Neto Galvão affirms: “The final product is not perfect for citizens or companies. However, the overall figure is quite positive and reflects the relevance of data protection more recently with the Treaty of Lisbon and the Charter of Fundamental Rights of the European Union and with the case law of the Court of Justice of the European Union.”
(Translated from Exame Informatica)