The EU institutions recently reached agreement on a data protection reform package that is likely to enter into force in March 2018. It must, however, be expected that the legislation will affect the current enforcement practice of the Norwegian Data Protection Agency, thus making an immediate impact. The cornerstone of the package is a regulation on data protection. It is expected to be incorporated into the EEA Agreement and thus in practice be given similar legal effects in the EEA as in the EU. The reform package is the biggest change of EU/EEA data protection rules since the mid-nineties.
Citizens are given control over their own personal data by providing them with the right to:
- Oppose the processing of a certain category of personal data. It will no longer be an all-or-nothing choice for the users.
- Data portability, i.e. the ability to move their personal data between applications and platforms (also facilitating competition between information providers).
- Oppose “cookies” or profiling for marketing purposes or by public authorities
- Be forgotten and to have personal data deleted, also in situations when a processing consent is withdrawn.
- Easier access to their own data and to be informed when their data have been hacked.
- A more accessible, clear and unambiguous consent procedure, e.g. by requiring a positive/active citizen consent before personal data are processed for profiling/marketing purposes, including “cookies” and automatic decisions.
The Regulation will bring significant new responsibilities for businesses processing personal data:
- The requirement to obtain the citizen's consent will in reality imply dependence upon businesses at earlier stages of the chain. The latter must have obtained consent covering also later stages, ensuring at every stage of the chain that the processing is covered by the consent and within the data collection objective.
- Mechanisms to pass on the citizen's consent to later stages of the chain will have to be developed, typically more or less standardized agreements between data processing businesses at different stages of the data distribution chain.
- The regulation will be binding also for businesses operating from outside the EU/EEA when offering goods and services to EU/EEA citizens.
- More businesses than today will be obliged to have a designated data protection officer, e.g. public authorities and businesses where personal data processing is a core activity of the undertaking, even if the business is small or medium-sized.
- Infringements of the Regulation may result in penalties of up to 4 % of the undertaking's turnover.
EU law makers state that the regulation will create positive effects for businesses, pointing both at synergies flowing from a higher level of harmonization and at simplified administrative procedures. However, several noteworthy and highly practical questions are left unresolved in the general legislation. Individual adaptations on the basis of the facts of each case remain highly advisable until more general guidelines have been established and tested.