Analyst View: EU Data Protection Regulation is a necessary step, but practical implementation will still be problematic

It has been a long time coming, and finally the new EU Data Protection Regulation is set to see the light of day. Here are thoughts from Ovum’s Senior Analyst of Regulation, Luca Schiavoni :

It will still require a vote of the EU Parliament on the text agreed today at the end of the negotiations between European Commission, European Council, and Parliament; however, we can expect the agreed text to be adopted in the coming months. Today’s vote can be seen as a key milestone as it marks the passing of an unprecedented set of data protection rules – the first of the digital age, replacing a Directive which is now 20 years old and was conceived when the internet was barely taking its first steps. It was arguably needed, as the old rules inevitably failed to capture the evolution in technology and users’ behaviour; and it makes significant efforts to strengthen the protection of end users, which have shown to pay increasing attention to privacy issues, and are more and more often worried about the personal data they share online.

Businesses will face much tougher sanctions compared to the current framework – up to 4% of their annual worldwide turnover, which could in many cases amount to billions. However, they should be happy with the presence of the promised one-stop-shop mechanism, which should reduce the impact of compliance as companies will mainly need to liaise with one data protection authority for the whole EU.

Nonetheless, many aspects of the new rules remain difficult to put into practice. One such example is the issue of unambiguous consent, which policymakers fail to define clearly, and might be incredibly difficult to obtain in a few years’ time, when IoT applications will have become more widespread and will originate an almost uncontrolled flow of personal data. Other aspects will still require individual authorities in each country to enforce the rules in detail, effectively retaining some of the inconsistencies of the current framework. For example, the age limit to require parental consent for the use of “information society” services (i.e. social media and similar) will be set by each member state between 13 and 16 years old. This is likely to be disruptive for both online companies and young users.