The European Parliament today voted in favour of major reforms to data protection in the EU, first put forward by the European Commission in January 2012 as a replacement for the current rules, which date from 1995. The new law is done and dusted: it will apply from two years after its publication in the EU's Official Journal, which puts the start date in May 2018.

There are two components to the new law: the General Data Protection Regulation (GDPR), which is designed to give EU citizens better control of their personal data, and the Data Protection Directive, which covers how personal data is used by police in the EU.

General Data Protection Regulation

There are a number of key elements for EU citizens in the GDPR. Under the new rules, individuals will have more information on how their personal data is processed. Data protection must be "by default" and "by design" for products and services, and privacy-friendly default settings will be the norm, for example on social networks or apps.

Under the GDPR, personal data will be portable, so that it can be moved more easily between different online services. The so-called "right to be forgotten" is clarified under the GDPR as a right to erasure: the 2014 Court of Justice ruling that created it under the 1995 rules only covered having links removed from search engine results, whereas the GDPR lets individuals ask any organisation to delete personal data it no longer has grounds to keep. Companies and organisations will be obliged to notify the national supervisory authority of personal data breaches without undue delay (where feasible, within 72 hours), and to inform the affected individuals directly when the breach is likely to put their rights at high risk, so that users can take appropriate measures.

The Greens MEP Jan Philipp Albrecht, who did more than anyone to shepherd the GDPR through the legislative process, said afterwards: "The new rules will give users back the right to decide on their own private data. Businesses that have accessed users' data for a specific purpose would generally not be allowed to transfer the data without the user being asked. Users will have to give clear consent for their data to be used."

Another big benefit for citizens is that the new rules will be backed up by much stronger enforcement: data protection authorities will be able to fine companies that do not comply up to 4 percent of global annual turnover (or 20 million euros, whichever is higher), which could mean billions of euros for the top US Internet companies. That threat should help to focus corporate minds when it comes to protecting the personal data of EU citizens.

The European Commission claims that the GDPR will also bring benefits for businesses, notably the fact that there will be a single, pan-European law for data protection, rather than a confusing patchwork of 28 national rules. Small- and medium-sized enterprises will enjoy simplified data protection requirements. For example, organisations with fewer than 250 employees are exempt from keeping records of all their processing activities unless that processing is risky or more than occasional, and whether a data protection officer must be appointed depends on the nature of the processing (large-scale monitoring of individuals, or of sensitive data) rather than on company size.

Data Protection Directive

The accompanying Data Protection Directive is more concerned with police and criminal justice systems. It is designed to protect your fundamental right to data protection when personal information is being used for criminal law enforcement purposes, whether you are a victim, criminal, or witness. It will also permit law enforcement authorities to exchange data more efficiently and effectively, the European Commission claims. As well as saving time and money, the hope is that this will allow the authorities to "prevent crime under conditions of legal certainty, fully in line with the Charter of Fundamental Rights," as the Commission's FAQ puts it.

As a regulation, the GDPR applies directly in every member state and requires no national transposition, though member states may legislate on the points it leaves open to them. It will apply from two years after its publication in the Official Journal, in May 2018. The police directive has a two-year implementation period, and member states are required to update their national legal frameworks during this period to bring the new rules into force.

It is a major achievement that the very different views of the European Parliament, European Commission, and member states have been reconciled in a new data protection framework. The rules have been subject to some of the most intense lobbying ever experienced by EU politicians, particularly from US companies.

Albrecht said immediately after the vote: "This adoption of the GDPR is a huge step forward for the EU and fundamental rights. It shows we can deliver a legal framework for the digital age."

DigitalEurope, which represents digital tech companies in Europe, was not so enthusiastic: "We continue to believe that the final text fails to strike the right balance between protecting citizens' fundamental rights to privacy and the ability for businesses in Europe to become more competitive." However, it went on to say: "It is now time to be pragmatic," and that it was ready to help make the new rules work.

The GDPR has additional importance given the continuing tussle over transatlantic data transfers. As Ars reported yesterday, even if the Privacy Shield agreement goes into force soon, it will need updating in the light of the new GDPR.