The EU Commission has recently overhauled data protection legislation, which means significant changes will be implemented over the next 12 to 24 months.
Individuals have a right to protection of their personal data, and the new legislation standardises data protection across the EU. It offers a high level of protection for personal data to individuals, who will be permitted to make claims against companies that mishandle personal data.
Fines for noncompliance are steep and can run up to the larger of €100 million or 5% of annual income. Businesses and marketing firms that collect personal data will need to change their practices in a relatively short period of time to comply. All terms and conditions and opt-in procedures are likely to need reviewing and updating.
New Requirements Under the EU Data Protection Act
The EU Data Protection reforms bring several new requirements for collecting personal data from customers, with much of the regulation centering on obtaining consent from the individual regarding how the data is used.
Consent must be ‘specific’ and ‘informed’, with information explained in an easily understood manner; implied consent is not sufficient. For instance, a customer must be offered the right to be forgotten or to have their personal data deleted, and must be told of this upfront to prove consent, as well as be offered options for contact. This applies to existing customers as well, who must be notified in a clear way to demonstrate specific consent for how their data is used.
All B2B marketing that contains names and addresses, whether home or business, will fall under the consent requirement, and third-party businesses that might purchase personal data should thoroughly ensure that proper and explicit consent and opt-in were received from the individuals in order to avoid liability.
Controversy Over the New Data Protection Requirements
The new legislation has not come without controversy.
The European Court of Justice recently ordered Google to delete personal data from its search engine based on an individual’s argument that the data was no longer accurate or representative. While some perceived this as a judicial solidification of the right to be forgotten, civil liberties groups are still concerned about censorship and that private companies, and not courts, will begin to make internal decisions regarding data in order to avoid financial liability or lengthy litigation.
Google is now reporting requests to watchdogs and has so far received 91,000 requests on 328,000 links. However, websites have been set up to list examples of deleted data, and this 'knock-on effect' response to perceived censorship by companies may challenge enforcement and effectiveness. Nevertheless, companies dealing with any personal data need to comply with the consent and ‘right to be forgotten’ orders within the allotted timeframe.