Strict new EU data protection rules target “Big Data”

Citizens are given control of their own data – significant new responsibilities conferred upon businesses processing personal data.

The EU institutions recently reached agreement on a data protection reform package that is likely to enter into force in March 2018. It must, however, be expected that the legislation will affect the current enforcement of the Norwegian Data Protection Agency, thus making an immediate impact. The corner stone of the package is a regulation on data protection. It is expected to be incorporated into the EEA Agreement and thus in practice be given similar legal effects in the EEA as in the EU. The reform package is the biggest change of EU/EEA data protection rules since the mid-nineties.

Key changes

Citizens are given control over their own personal data by providing them with the right to:

  • Oppose the processing of a certain category personal data. It will no longer only be an all or nothing choice for the users.
  • Dataportability; i.e. the ability to move their personal data between applications and platforms (also facilitating competition between information providers)
  • Oppose “cookies” or profiling for marketing purposes or by public authorities
  • Be forgotten and to have personal data deleted, also in situations when a processing consent is withdrawn.
  • Easier access to own data and to know when your data has been hacked.
  • A more accessible, clear and unambiguous consent procedure, e.g. by requiring a positive/active citizen consent before personal data are processed for profiling/marketing purposes, including “cookies” and automatic decisions.

The Regulation will bring significant new responsibilities for businesses processing personal data:

  • The requirement to obtain the citizen`s consent will in reality imply dependence upon businesses at earlier stages of the chain. The latter must have obtained consent covering also later stages, ensuring at every stage of the chain that the processing is covered by the consent and within the data collection objective.
  • Mechanisms to pass on the citizen`s consent to later stages of the chain will have to be developed, typically more or less standardized agreements between data processing businesses at different stages of the data distribution chain.
  • The regulation will be binding also for businesses operating from outside the EU/EEA when offering goods and services to EU/EEA citizens.
  • More businesses than today will be obliged to have a designated data protection officer, e.g. public authorities and businesses where personal data processing is a core activity of the undertaking, even if the business is small or medium-sized.
  • Infringements of the Regulation may result in penalties of up to 4 % of the undertaking`s turnover.

EU law makers state the regulation will create positive effects for businesses, pointing both at synergies flowing from a higher level of harmonization and from simplified administrative procedures. However, several noteworthy and highly practical questions are left unresolved in the general legislation. Individual adaptations on the basis of the facts of each case, remains highly advisable until more general guidelines have been established and tested.


Partner Aksel J. Hageler
+47 480 23 834

Senior Lawyer Lennart Garnes
+47 911 07 042

Senior Lawyer Ketil Sellæg Ramberg
+47 480 16 549

The Author

Lennart Garnes
Lennart Garnes Garnes is an expert in the fields of EU/EEA and competition law. I addition he has heavy experience and knowledge within national public administrative law. In particular he works on cases concerning regulatory or competition related obstacles for market access and the exercise of business activities (based on EU/EEA free flow rules and secondary legislation and competition law). With experience from national and European administrative bodies, he has first-hand insight into the political and legal processes of which legislation is adopted and applied. Garnes assists in processes towards, national authorities, the EFA Surveillance Authority and the European Commission. Within his fields of practice he is regularly involved in litigation processes. At Steenstrup Stordrange Garnes has been working with several highly principal cases concerning port access and the pricing of port services. Together with his earlier experiences from the transport area, he has gained particular knowledge in issues concerning access to and pricing of infrastructure and transport markets.

Comments are closed.