The European Parliament informally agreed Tuesday to replace the EU Data Protection Directive from 1995 with new comprehensive privacy legislation called the General Data Protection Regulation backed by 48 votes to 4, with 4 abstentions.
Once ratified, the GDPR will become law in 2018 across all 28 EU Member States and will take over from the current laws EU Member States implemented in order to comply with the data protection requirements set out in the Directive.
The new rules will replace the EU's current data protection laws, which date from 1995, when the internet was still in its infancy. Citizens will have more control over their own private information, and it is hoped the new legislation will ensure clarity and legal certainty for businesses.
The informal agreement on the regulation will be voted on by the full house in spring 2016, according to the EP. Once ratified, member states will have two years to apply its provisions.
The main selling point of the new legislation is that users will have to provide clear and affirmative consent to the processing of private data by the company concerned, so as to give consumers more control over their private data.
The national Data Protection Authorities will be empowered to become a first-instance body where citizens can complain about data breaches if companies don't behave. Cooperation among the DPAs will also be significantly strengthened to ensure consistency and oversight.
One of the more controversial parts of the GDPR is the fines of up to four percent of a firm's total worldwide annual turnover should it suffer a breach. There had been long debate on what percentage this should be, with figures between two and five percent being mooted.
The right to be forgotten is back too. The case brought forward against Google Spain by Spaniard Mario Costeja González has informed the writing of the GDPR, which means consumers will have the "right to be forgotten" or erased from the databases of companies holding their personal data, provided there are no legitimate grounds for retaining it.
The right to know when your data has been hacked is also an integral part of the GDPR. Companies and organisations will be required to notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.
"The new rules will give users back the right to decide on their own private data", said Parliament's lead MEP on the regulation, Jan Philipp Albrecht (Greens, DE).
"At the same time, the new rules will give businesses legal certainty and chances for competition. It will create one single common data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market", he added.