The EU’s data protection reforms have been published in the Official Journal and the countdown to compliance has officially begun.
What’s the issue?
We have been talking about the reform of EU data protection law for over four years now. It has generally been agreed that the law needed updating to make it fit for purpose given the technological developments since the Data Protection Directive in 1995. It took a long time to reach agreement on exactly what form the changes should take, making the new General Data Protection Regulation (GDPR) the most lobbied piece of EU legislation to date.
What’s the development?
After years of speculation, we now know that the GDPR will apply from 25 May 2018, following its publication in the EU’s Official Journal. The GDPR was published together with the other element of the reform package, the Directive for the police and criminal justice sector. This entered into force immediately on 5 May 2016 and Member States must transpose it into national law and implement it from 6 May 2018.
What does this mean for you?
The GDPR will bring in a large number of changes and organisations will need to consider it carefully and make sure they are compliant by the time it comes into effect on 25 May 2018. Issues which are attracting particular focus include consent, increased administrative requirements and the need to provide a full audit trail, data exports and the new obligations on data processors.
As we count down to compliance, Taylor Wessing will continue to cover the GDPR in detail (both in terms of its contents, and its application to particular industries) on our Global Data Hub which already contains a wealth of information on the incoming legislation. Our monthly webinars and regular seminars complement the material on the Global Data Hub.
Alongside the data protection package, the PNR Directive, which covers the sharing of passenger flight record data, has been published in the Official Journal. It must be implemented by 25 May 2018.
The EC has also published proposals for a Council Decision to give effect to an EU-US umbrella agreement to cover the transfer of personal data between the EU and the US for the purposes of prevention, detection, investigation and prosecution of criminal offences including terrorism. This is distinct from the EU-US Privacy Shield proposals as it covers law enforcement cooperation. The Commission has published the draft proposals and recommends that the Council of Ministers sign the agreement which provides for certain protections to be given to the data and to the right to judicial redress for EU citizens in relation to privacy breaches.
With the finalisation of the data protection package, the EC is turning its attention to a review of the e-Privacy Directive, as part of its Digital Single Market strategy. It has launched a consultation on the Privacy and Electronic Communications Directive. This will be conducted in parallel with a REFIT assessment (regulatory fitness and performance programme). The review of the e-Privacy Directive is likely to consider consistency with the GDPR, fitness for purpose in terms of technological developments, cybersecurity issues, and consistency of application across the EU. The consultation asks whether a new e-Privacy framework is required in light of these issues and whether it should be expanded to apply to ‘over-the-top’ communication providers (e.g. VoIP and instant messaging providers). The consultation closes on 5 July 2016.
Another key piece of legislation in this area has also moved closer to finalisation with the Network Information Security Directive (the Cybersecurity Directive or NISD) having just been adopted by the Council after political agreement was reached in December 2015. We will be looking at this in more detail once the final text is published in the Official Journal (it first needs to be adopted by the EU Parliament at its second reading), but for a recap, see our article from January.