There’s been a huge amount of noise about the EU’s new General Data Protection Regulation as it gives consumers more power over how their data is handled and demands additional controls (and documentation) from anyone who has data on individuals in the EU.
As the law has gone through its committee stages, there has been a lot of documentation on its impact, and some of the views have been conflicting. One thing has so far been agreed by everyone, though: organisations will have two years from the date of the law being published before it comes into force, a two-year grace period to get policies, procedures and technology together to ensure they conform.
Well, no more.
To the surprise of almost everyone, one of the countries of the EU has put forward a law that brings in many of the regulations early. France has published the new “Digital Republic” bill, agreed by the National Assembly on 26th January 2016, which is now in the Senate and is expected to be agreed and come into force this year.
So what does the law say?
The main points are in line with the EU GDPR:
Right to data portability: Users can demand the data that data controllers keep on them; it must be supplied in a machine-readable format.
Data retention policy must be communicated: The data controller must inform the user of the length of time that data is retained.
User rights to rectify data and to object: Users can demand that their data is edited and errors removed.
Right to deletion: Data subjects can demand that their data is deleted from the data controller’s systems, or object to the data being used.
Class Actions: Users can file a collective action demanding redress for data loss or misuse.
Maximum fine: The maximum fine is increased more than a hundredfold, from €150,000 to €20,000,000 or 4% of global turnover, whichever is higher.
So, France comes out ahead, and it will be interesting to see what happens – the big question is whether other countries will also drive forward their own laws faster than the EU GDPR. You can’t start planning too soon.