On December 15, 2015, the European Union reached an agreement on the final text of the new General Data Protection Regulation. The Regulation will replace the 1995 Data Protection Directive, which is currently the basis for national data protection laws of the Member States of the European Union (EU).
It is widely expected that the European Parliament and Council will approve the compromise in the coming weeks. The Regulation will then have full legal effect two years after its publication in the Official Journal of the European Union. Thus, it is likely the Regulation will come into effect in the first quarter of 2018. This would bring to an end a process that started in January 2012 with the publication of the original proposal by the European Commission.
The Regulation will lead to far-reaching changes in European data protection law:
- Change to a Regulation. The new legal instrument will be a Regulation. Regulations have direct effects in the EU Member States and do not require national implementing legislation. This means that one single legal text—the Regulation—will be applicable to most processing activities regarding personal data in the EU Member States. In certain specific areas, e.g. in the employment context, Member States can still pass national legislation, so national data protection law will continue to play a certain role.
- Changes in Territorial Scope. The Regulation will apply to the processing of personal data not only in the context of the activities of an establishment of a controller or a processor in the EU. It will also apply to controllers and processors which are not established in the EU, where the processing activities are related to the offering of goods or services to individuals in the EU, or the monitoring of their behavior as far as this takes place within the EU.
- Risk of Significant Sanctions. The Regulation will significantly increase the range of possible fines for non-compliance. The amounts of administrative fines can be up to the higher of £20 million or 4% of the fined party’s total worldwide annual turnover of the preceding financial year.
- Rights of Data Subjects, “Right to be Forgotten”. Chapter III of the Regulation contains detailed provisions specifying the rights of affected individuals, including a right to erasure (right to be forgotten).
- Supervisory Authorities, One-Stop Shop. The Regulation introduces the concept of a lead supervisory authority for data processing activities with cross-border effects (Chapter VI). This lead supervisory authority will be identified on the basis of the main establishment or the single establishment of a controller or processor. Chapter VII contains detailed provisions regarding the cooperation between the lead supervisory authority and other concerned supervisory authorities.
- Higher Hurdles for Consent. The Regulation will make it more difficult to obtain valid consent from affected individuals. The general definition of consent now requires a freely given, specific, informed and unambiguous indication of an individual’s wishes by which the respective individual, either by a statement or by a clear affirmative action, signifies an agreement to personal data relating to them being processed.
- Breach Notification Obligations. Controllers will be required to report data breaches to the supervisory authority without undue delay, and where feasible, within 72 hours of becoming aware of the breach. There is also a general obligation to report data breaches to affected individuals.
- International Data Flows. Under the Regulation, the transfer of personal data to recipients outside the EU will continue to be subject to restrictions (Chapter V). The legal framework for Binding Corporate Rules is now specified in detail.
- Data Protection Impact Assessments. The Regulations will bring increased obligations to document data processing practices. Data controllers are required to carry out data protection impact assessments whenever the processing of personal data is likely to result in high risks for the rights and freedoms of individuals. In certain situations, data controllers are even required to consult with the supervisory authorities in these circumstances.
The text of the Regulation, as agreed upon on December 15 (available here), is more than 200 pages long, with more than 100 recitals and more than 90 individual articles. Final edits may lead to changes, e.g., in the numbering.