EU Data Protection Regulation Update: "personal data" definition widened

European Commission proposed a new “General Data Protection Regulation” that will revisit the previous Directive: the definition of "personal data" will be widened, “right to be forgotten” introduced, fines of up to €1m or 2% of global turnover apply to advertisers.

Background

European Commission proposed a new “General Data Protection Regulation” that will revisit the previous and outdated ’95 Directive by promoting a single harmonized set of rules across Europe. The EU government will now slowly over the next two years move towards a “new era” in data regulation. In the meantime, the online industry is moving forward with their own self-regulation, with most embracing the US opt-out model (www.youronlinechoices.com) in the hope of avoiding more draconian EU mandated measures. In fact, companies like Google are already in the process of implementing a unified data policy across all their properties.

Details

The new proposed regulation introduces quite a few major changes that have to be taken into consideration particularly by data-driven advertising businesses, because it will provide for a stronger data protection regime across EU markets, stricter conditions and heavier fines. Briefly:

• All internet users will have to explicitly give their consent to the processing of personal data for targeted advertising purposes based on a widening of the definition of “personal data” to any information relating to an identified individual or an individual who can be identified Introduces the “right to be forgotten” that will allow people to delete their personal data if there are no legitimate reasons for retaining it. (In its new policy Google seems to have left out the opt-out button, which raised many eyebrows and even more questions)
• There will be a “one-stop-shop”, meaning that businesses will only have to deal with one single data protection authority, which will be in their home base country
• It will strengthen national data protection authorities to better enforce the new rules. This means that the Information Commissioner’s Office has the power to fine companies that violate the new rules of up to €1m or 2% of global turnover.
• Of course the proposed regulation is highly complex and far reaching. Mindshare suggests all clients take some time to digest it thoroughly, and seek your own legal advice over time as it begins to take shape. We will continue to share details as they develop over the next few years.

The European Commission says that the reform will modernize, simplify and strengthen the data protection framework. It also will drastically cut red tape allowing businesses to save up to €2.3 billion per year. Plus, they claim that this change will enable companies to better gain consumer trust. On the other hand, the continued push for explicit consent could cause further headaches. Any further change to cookie use could make targeted brand advertising increasingly difficult and negatively impact on the effectiveness of digital advertising.

Summary
The IAB states that these new proposals are not final and eventually will need to be adopted by the various European institutions. When the final proposals are adopted they will not come into force for another two years. Unlike the recent revised ePrivacy Directive, which needed to be implemented into national laws, these proposals are defined as a “Regulation, which means that once adopted at EU level there is very little flexibility at national level. For now marketers should work with their agencies and the IAB to support the existing self-regulation initiatives while closely monitoring and influencing the new proposed changes.

Useful Links

You can see the press release here

Link to supporting documents, including legislation, the directive and research here