EU's 'Data Protection Reform' Brings Stronger Privacy Rights For Its Citizens

The European Union (EU) finalized its Data Protection legislation for the digital age, which is meant to unify all related laws and make it easier for both EU citizens and companies operating in the EU to comply with them.

The "Data Protection Reform" contains two main parts:

  1. The General Data Protection Regulation, which will enable people to better control their personal data and businesses to cut red tape and to provide more trust in their services.
  2. The Data Protection Directive, which addresses how law enforcement bodies can secure the data of victims, witnesses, and suspects of crimes.

Stronger Privacy Rights

Seven EU citizens out of ten worry that companies may misuse the private information they give them when signing up for an account, according to a recent Eurobarometer survey. The new Data Protection Regulation will strengthen EU citizens’ rights to the protection of their data so they can more freely give away that data, knowing that if it’s abused, the appropriate EU enforcement bodies will punish offenders. The new regulation stipulates that companies could be fined up to four percent of their global revenues if they violate the Data Protection Regulation.

EU citizens will also get a few more benefits, such as:

  1. Easier access to your own data - Companies will have to tell their users how they are processing their data.
  2. A right to data portability - People can take their data to another competing service provider.
  3. A clarified "right to be forgotten" - People have the right to request their data be deleted from a service, as long as there is no “legitimate” reason for the company to retain it.
  4. The right to know when your data has been hacked - This one is also reinforced by the new EU-wide cybersecurity rules, which say that companies have to inform authorities of data breaches. The Data Protection Regulation says the company’s users must be notified, as well.

Unified Rules For Businesses

The regulation will establish a single set of rules for all EU countries, which means it should be less costly for businesses to expand across the EU from their home country. They will also have to deal with only one supervisory authority, which should further cut the red tape for doing business in the EU. Companies that don’t have headquarters in the EU but offer services to EU citizens will have to abide by the same Data Protection Regulation.

One interesting approach that the EU is taking is that it’s encouraging companies to adopt "data protection by design" from the earliest stages of their products or services. This should remove some of the risk with data breaches, for instance, if companies plan for them from the beginning, rather than try to add the protection later on in ways that are incompatible with their products or services.

Small and medium-sized businesses will be exempt from some rules under the new Data Protection Regulation, such as not having to appoint a data protection officer and not having to carry out an impact assessment unless there is high risk involved.

Data Protection In Law Enforcement

The new Directive that applies to law enforcement agencies strengthens the data protection rules for data belonging to anyone that might have to deal with the police or other enforcement bodies, from victims to witnesses to criminals. The rules are also in accordance with the EU’s Fundamental Charter of Rights and with the principles of necessity, proportionality and legality. Oversight will be provided by an independent national data protection authority, as well as by effective judicial remedies.

There will also be clear rules for how to transfer the data of an EU citizen to some other country’s law enforcement authority without undermining the EU citizen’s rights.

The new Data Protection Reform reached agreement between the European Commission (EU executive body), Parliament, and Council (national executive leaders), and it’s expected to be formally adopted at the beginning of next year. The rules will take effect two years later.

Andrus Ansip, Vice-President for the Digital Single Market, said: "Today's agreement is a major step towards a Digital Single Market. It will remove barriers and unlock opportunities. The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information. And they can enjoy all the services and opportunities of a Digital Single Market." He added that, "We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage. Today's agreement builds a strong basis to help Europe develop innovative digital services. Our next step is now to remove unjustified barriers which limit cross-border data flow: local practice and sometimes national law, limiting storage and processing of certain data outside national territory. So let us move ahead and build an open and thriving data economy in the EU – based on the highest data protection standards and without unjustified barriers."


Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us on Facebook, Google+, RSS, Twitter and YouTube.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Alec Mowat
    When countries like France (and even America now) are pushing to remove encryption, I really wonder how much validity this document is going to have post-Paris attacks. This might be more of a way to keep their privacy out of American hands.
  • Adilaris
    17142062 said:
    When countries like France (and even America now) are pushing to remove encryption, I really wonder how much validity this document is going to have post-Paris attacks. This might be more of a way to keep their privacy out of American hands.

    I believe the French have recently stated that they changed their mind about that.
    The USA on the other hand, are trying to to force their abomination CISA so they can thoroughly screw its citizens by removing what little leash the NSA had.

    Glad to see the EU work out something sensible.
  • Martin_29
    Well. We in my company are pretty muoch screwed up, because of this since halve of the support have been outsorced out of europe.