After several years of debates and consultations, the European Union has now promulgated and published in the EU Official Journal a new regime in connection with the protection of natural persons from processing of personal data, in the form of (a) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “Regulation”), and (b) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (the “Directive”).
While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018. Personal data protection deals with the protection of personal information relating to an individual against unauthorised and illegal collection, recording and further use. It also grants the individual certain rights, such as the right of information, the right of access and gives the possibility to submit to the Office of the Commissioner complaints on breach of personal data protection rules. The Regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market.
A single law will also do away with the current fragmentation and costly administrative burdens. The Directive for the police and criminal justice sector protects citizens' fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism. The reform advanced by the Regulation provides tools for gaining control of one's personal data, the protection of which is a fundamental right in the European Union. The data protection reform will strengthen citizens' rights and build trust. Nine out of ten Europeans have expressed concern about mobile apps collecting their data without their consent, and seven out of ten worry about the potential use that companies may make of the information disclosed.
The new rules address these concerns through:

The "right to be forgotten": When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.

Easier access to one's data: Individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.

The right to know when one's data has been hacked: Companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high-risk breaches as soon as possible, so that users can take appropriate measures.

Data protection by design and by default: 'Data protection by design' and 'Data protection by default' are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm, for example on social networks or mobile apps.

Stronger enforcement of the rules: data protection authorities will be able to fine companies that do not comply with EU rules up to 4% of their global annual turnover.
The Regulation will also apply to organisations outside Europe that target goods and services at, or track or profile, individuals in Europe. It will have direct effect, although the Regulation still leaves national regulators plenty of room to set national or sector-specific standards and variances. Salient features of the new regime are the obligation of certain businesses to appoint a Data Protection Officer, to conduct data protection assessments to find out what personal data is processed around the business, to review and update existing data protection policies, training and privacy notices, and to obtain consents. The processing of personal data in Cyprus is governed by the Processing of Personal Data (Protection of the Individual) Law, which entered into force on 23 November 2001. It is expected that amendments to this law shall be advanced in the forthcoming months, so as to align the existing protection with the Regulation and the Directive.