Originating in 1984 and seeing several revisions over the years to consolidate new Acts and EU law, the Data Protection Act forms the legal foundation of what information firms can and can't store in relation to a person and how they can handle that information.
Currently the Act sets the following core principles:
- Firms may not store data other than for a specific purpose.
- Firms may not pass data along to a third party without consent.
- Individuals have the right to request what data is held about them (with exceptions such as data that may prevent a crime).
- Personal information may not be stored for longer than necessary and must be kept up to date.
- Personal information may not be sent outside the EU without consent or adequate protection.
- Larger organisations with complex data processing must register with the Information Commissioner's office.
- Company departments must have adequate security in place (both actual and organisational).
- Subjects have the right to have factually incorrect information corrected.
For example, these principles and requirements prevent firms from passing your information along to advertising and marketing firms without consent, and should ensure that your personal information is only kept as long as there is a need for it, i.e. as long as you have an account with a given company.
Tomorrow, the EU is to propose a new change to its data protection directives, which were formed in 1995 and further enhanced by directives such as the Privacy and Electronic Communications directive formed in 2003. The new directive would enable internet users to request that firms delete data about themselves unless there are "legitimate" grounds to retain it. This proposal was apparently brought about by the wish to help teenagers and young adults manage their online reputations. "These rules are particularly aimed at young people as they are not always as aware as they could be about the consequence of putting photos and other information on social network websites, or about the various privacy settings available," stated an EU spokesman.
If you take a gander at the above list, you will note that the right to data removal already exists; however, in its current form it is limited and is but a principle, whereas the new law intends to make the removal of data "a right".
Other changes forming part of tomorrow's proposed directive are the requirement for firms to notify users and authorities of data loss through hacking or other breaches as soon as possible, with a suggestion that under normal circumstances this would mean within 24 hours. The new directive would also require firms never to assume consent to use data, and instead to explicitly seek permission; with any luck, gone are the days of having to un-tick that check-box when registering a new account on the internet. Much like recent UK law, websites would be required to inform users of when and why data is being collected, for example in the form of cookies.
Justice Commissioner Viviane Reding did state that there would be reasonable exceptions to the "right to be forgotten", citing the removal of information from newspaper archives as an example of where the right would be inappropriate. "It is clear that the right to be forgotten cannot amount to a right of the total erasure of history," she stated.
These new rules look to cover all EU member states for the first time, and firms that violate the provisions set out in the directive would open themselves up to a fine of up to one per cent of their global revenue.
We think it's great that the EU is taking a modern stance on data protection. We wonder what our readers think, and whether the EU may have left anything important off its list?