Last night the European Commission announced final agreement on the General Data Protection Regulation, the EU-wide data protection framework that will replace the current fragmented structure under the nearly 20-year-old Data Protection Directive. The GDPR will govern privacy and data protection compliance and enforcement across all 28 member states in the EU and provide data protection safeguards for Europe’s 500 million citizens. While the text of GDPR still needs to be finalized, the Regulation means that the EU will now have the most extensive data protection laws in the world, setting global standards.

Key elements of the proposed Regulation include:

  • Extraterritorial reach. The Regulation will apply to all companies that collect data on EU data subjects, and will not require the data controller to be “established in the EU.” For example, it may be that a company falls within the jurisdictional scope of the GDPR if it uses tracking technologies on an EU-based device.
  • Increased sanctions, including fines of up to 4 percent of a company’s annual global turnover for companies that violate data protection rules. 
  • A right of action, as well as for compensation, for individuals who suffer data breaches.
  • Enhanced privacy rights for all individuals, including the right of access to and correction of their personal data, as well as the right to be forgotten and the right to data portability.
  • Greater transparency requirements on controllers to provide accessible information to individuals on their data collection and processing practices.
  • Stronger consent requirements (including guidance that the current practice of gaining consent through the use of passive Terms of Service would be inadequate under the GDPR).
  • Breach notification requirements for controllers and processors of personal data.
  • The inclusion of “profiling” — a new category of data processing — with specific limitations on its use.
  • Data processor liability for privacy or security violations or breaches. The Regulation will apply both to “controllers” and to “processors,” meaning service provider businesses (e.g., data hosting or cloud providers, payment processing providers, data analytic vendors) that previously had not been directly subject to EU data protection compliance requirements will find themselves caught by the new rules.
  • Stronger restrictions on the collection and use of data from children, and limits on profiling of children.
  • More companies would need to appoint a data protection officer, including companies in the public sector, large entities and enterprises in which core activities consist of processing operations.
  • More stringent requirements for companies to document that their policies are in compliance with the GDPR.
  • A new framework for the assessment by the Commission of the adequacy of privacy and data protection afforded by other countries for cross-border transfers.

The European Parliament and the Council will need to formally adopt the GDPR (expected in early 2016), and then the new rules will go fully into effect two years after adoption. The overhaul of European privacy rules will have a significant impact on all businesses that process the data of EU citizens, and will require extensive analysis of compliance obligations and the implementation of new privacy procedures and protocols. As the full detail of the Regulation becomes available, we will provide further analysis and suggest practical steps businesses can take to achieve compliance.