Following extensive, multi-annual negotiations the European Parliament and European Council have reached an agreement on a new General Data Protection Regulation modernising a legal framework which dates back to the 1990s
The Regulation gives to national competent authorities (DPAs) greater enforcement powers, strengthening their role. Moreover, it reinforces the rights of the individuals with regards to data protection in the digital era, taking into account the continuous technological developments and the increasing use of internet and mobile applications. ENISA welcomes this development, which is an important step forward for enhancing privacy protection of EU citizens and for promoting privacy and security as core aspects of the European industry. At the same time it recognizes that the Regulation sets a number of challenges. ENISA is ready and well positioned to will assume responsibility to support Member States and the European Commission to tackle these challenges, translating the new legal requirements into practical technical solutions.
Privacy by design
Among the new elements of the Regulation is the introduction of the ‘privacy by design’ concept to online services. Privacy by design is not one technology but rather a combination of different technical and organizational measures at the heart of the design and implementation of systems and services. Following the privacy by design concept, the Regulation asks for the deployment of privacy enhancing technologies in the EU, but it is up to the national competent authorities in synergy with the industry to decide upon the most effective application of such solutions in practice. ENISA has been exploring the role and potential of privacy enhancing technologies for a number of years and is in a very good position to support all involved stakeholders in making the right decisions.
Reporting on data breaches
Another important element of the Regulation, is the notification of personal data breaches. In the new framework, this obligation extends to all sectors, going beyond its current applicability to the telecom operators (under the ePrivacy Directive). This new obligation is in fact an accountability measure for the industry who, on one hand needs to take all the necessary security measures to avoid data breaches and on the other hand has to notify these breaches to the competent authorities and to the affected individuals. ENISA has provided a lot of work in this field in co-operation with national Data Protection Authorities.
The Executive Director of ENISA, Udo Helmbrecht, commented on this agreement: ““Enhancing privacy and data protection policies, mechanisms and tools for EU citizens is an obligation of the EU policy maker. ENISA welcomes the new General Data Protection Regulation, which gives greater role and enforcement powers to national competent authorities and reinforces the EU citizens’ right to data protection. An important element of this agreement, often underestimated, is its potential to provide a competitive advantage to EU industry by adopting privacy and data protection as its core value.”