After four years of negotiation of and amendments to the initial proposal issued by the European Commission in 2012, the new European General Data Protection Regulation (GDPR) is about to become a reality. It will replace a framework that dates back to 1995 and that is inevitably outdated for the digital age. However, practical implementation will be tricky in many respects and the new rules might not be as effective as is hoped. Businesses will have to deal with a framework oriented more to consumer protection, although they should be happy with the one-stop-shop principle, which could lead to significant compliance cost savings.
These rules might already be outdated for the IoT era
It has been a long time coming, but the new EU GDPR is finally set to see the light of day. It will still require a vote of the EU Parliament on the text agreed through negotiations between the European Commission, the European Council, and the EU Parliament itself, but Ovum expects the text to be adopted in the coming months. The vote will mean the passing of an unprecedented set of data protection rules – the first of the digital age, replacing a directive that is now 20 years old and was conceived when the Internet was at a very early stage of development. The old rules inevitably failed to capture the evolution in technology and user behavior, and the new regulation makes significant efforts to strengthen the protection of end users. These users are paying increasing attention to privacy issues and are ever more often worried about the personal data they share online.
Businesses will face much tougher sanctions than under the current framework – up to 4% of their annual worldwide turnover, which could in many cases amount to billions. However, they should be happy with the presence of the promised one-stop-shop mechanism. This should reduce the impact of compliance, because companies will mainly need to liaise with just one data protection authority for the whole EU.
However, many aspects of the new rules will be difficult to put into practice. One example is the issue of unambiguous consent. Policy-makers fail to define this clearly, and it might be incredibly difficult to obtain in a few years’ time, when IoT applications have become more widespread and generate an almost uncontrolled flow of personal data. Other aspects will still require individual authorities in each country to enforce the rules in detail, effectively retaining some of the inconsistencies of the current framework. For example, the age limit relating to parental consent for the use of “information society” services (i.e., social media and similar) will be set by each member state at between 13 and 16 years old. This is likely to be disruptive for both online companies and young users.
Data Protection Tracker: 4Q15, TE0007-000955 (December 2015)
Current Status and Future Developments in Data Protection, TE0007-000812 (August 2014)
Luca Schiavoni, Senior Analyst, Regulation