On December 15, 2015, the European Commission announced that an agreement has been reached with the European Parliament and the Council (the “trilogue” meetings) regarding the Commission’s sweeping 2012 EU Data Protection Reform proposal.  The legislation was adopted by the European Parliament’s Civil Liberties, Justice and Home Affairs (“LIBE”) committee on December 17. 

The reform package, which consists of a General Data Protection Regulation (“GDPR”) and a Data Protection Directive for Police and Criminal Justice Authorities, updates and replaces the Data Protection Directive (Directive 95/46/EC) and 2008 Framework Decision, and is intended to provide a comprehensive data protection regime for the entire EU.  The reforms will give European consumers new rights and control over their personal information, and impose new obligations on businesses. While some of the new measures will serve to make the system less cumbersome, the broad reach, new restrictions, expanded obligations and enhanced penalties imposed on businesses could more than offset these reductions.  A consolidated version of the GDPR text published by the LIBE committee is available here, and we have summarized the core elements below.

The new rules empower individuals by, among other things, (1) providing easier access to personal data and more information on how data is processed, (2) facilitating data portability, or transfers of personal data between service providers, (3) clarifying the fundamental “right to be forgotten” for individuals who no longer wish for their data to be processed, and (4) requiring expedited notifications to the national supervisory authority by companies that experience a data breach affecting personal data.

The rules will establish a single set of rules and a single supervisory authority for companies doing business in the EU.  This will eliminate conflicting views taken by data protection authorities (DPAs) in different EU Member States and facilitate coordination among the DPAs.  Controllers and processors will be required to document all processing operations and make the documentation available to the DPA upon request.  Notably, the same rules will apply to companies based outside of the EU that offer goods or services to EU citizens or are engaged in monitoring their behavior. New restrictions on children’s privacy will also apply.  Penalties could involve billions of dollars for major global companies.  It is intended that the new rules will reduce costs and administrative burdens for small and medium enterprises (i.e., those with less than 250 employees) by eliminating their data processing notification requirements to DPAs, exempting them from having to appoint a data protection officer and conduct impact assessments in many instances, and permitting them to charge a fee for certain data access requests. 

There are also new rules regarding children’s use of social media; children below a certain age will need to get parental consent to open an account on social media.  Member States are given flexibility to set their own age limits, provided they are between 13 and 16.  The European Parliament had pushed for an EU-wide age limit of 13, but flexibility was ultimately agreed upon at the request of Member States. 

The next step is for the final text of the new rules to be formally adopted by the European Parliament and Council, which is expected at the beginning 2016. The new rules will take effect two years after adoption to allow for a transition period.