European Parliament officially adopts new privacy regulation

The European Parliament has passed a new European law on privacy protection by a large majority. The legislative process of the General Data Protection Regulation is thus officially closed.

The regulation replaces the patchwork of privacy legislation in the member states of the European Union, which resulted from the different implementations of the data protection directive from 1995. A first proposal of the regulation was submitted in 2012. A regulation applies in the same way to all Member States and has direct effect, so that it can be invoked directly by anyone.

The General Data Protection Regulation brings a number of important changes. For example, EU citizens should be better informed about the processing of their personal data, for example in which cases it is transferred to a third party. In addition, the right to be forgotten is strengthened and clarified. This right arose from a ruling by the Court of Justice and includes that search engines must remove search results related to persons on request if they are no longer relevant or are no longer correct.

In addition, privacy regulators will be given more powers and they can impose a fine on organizations up to four percent of the annual turnover, which should make effective enforcement possible. Users are given the option to transfer their personal data from one service provider to another through data portability rules. Finally, companies must appoint a ‘Data Protection Officer’ and a European form of the obligation to report data breaches has been introduced.

European Commissioner for the Digital Market Andrus Ansip calls this step an ‘important achievement’, which guarantees the right to protection of personal data for all EU citizens. The regulation will come into force in two years’ time, giving Member States time to prepare for the new rules.