EU data protection law gets much needed update

PRESS STATEMENT - 16.12.2015

Key points:

  • BEUC welcomes the agreement to update the 1995 EU law on personal data protection
  • Although imperfect it will strengthen consumers’ fundamental right to the protection of their personal data
  • Strong monitoring and enforcement by national supervisors to ensure companies abide by the rules will be crucial for the law’s success

In reaction to the agreement reached by Member States, European Parliament and European Commission on a General Data Protection Regulation Monique Goyens, Director General of The European Consumer Organisation (BEUC) said:

“Consumers’ personal data is a gold mine for many business sectors. The way the internet works means the potential to acquire, scour and use our data is enormous. To update this pre-Internet privacy law was much-needed and long overdue.

“It is a false bargain if consumers have to give away their personal data in exchange for accessing online services. This new EU law will give stronger rights to consumers to claim back ownership of their data.

“National data protection bodies will have a key role in making this regulation work for consumers. Vague formulations require further clarification. Businesses might try to misuse broad concepts such as “legitimate interest” to process data without consumer consent. The strength of this new law will hinge on how supervisors do their job and force business to abide by the rules.”

Consumer gains include:

  • Consumers will have more control over their data. A new ‘right to data portability’ will allow consumers to carry their personal data over to another provider. Existing rights such as the right to ask for the erasure of one’s personal data have been upgraded.
  • Companies will be obliged to be more transparent regarding how they use their customer’s data, making it easier for consumers to know what is happening with their data.
  • All Europeans will in principle enjoy the same rights regardless of their place of residence or the origin of the company they are dealing with.
  • Consumer organisations will be able to play a more active role to defend consumers’ privacy. They will for instance have the possibility to act on behalf of consumers to claim compensation when their data protection rights have been breached. (This will depend on specific member states arrangements.)

Shortcomings include:

  • Vague formulations will require extensive guidance by supervisors and courts e.g. as regards what processing practices of the company collecting the data are deemed legitimate.
  • Companies can use broad exceptions to avoid telling their customers that their data has been hacked.

The agreement will need to be formally approved by the Council and European Parliament. This will likely happen in January 2016. The Regulation will be effectively applicable two years after its entry into force.