The EU Parliament Committee on Civil Liberties, Justice, and Home Affairs (“LIBE”) finally released the text of the long anticipated new data protection law. While the law has not formally been enacted, its adoption at this point is considered pro forma. Once adopted, its provisions will go into effect in spring of 2018. The hope, and expectation, is that the GDPR will cause the EU to have a much more harmonized approach to data protection.
Here is what companies doing business in the EU need to know about the new General Data Protection Regulation (GDPR or Regulation).
1. ONE LAW
The GDPR will replace the EU Data Protection Directive, which was implemented more than 20 years ago. After the two year transition period, the Regulation will be directly applicable in all EU Member States.
2. TERRITORIAL SCOPE
The Regulation expands territorial reach: it will apply to any data controller or processor offering goods or services to data subjects located in the EU, as well as to any processing relating to the monitoring of data subjects' behavior within the EU. Where a controller or processor is not established in the EU but is subject to the Regulation, it will generally be obliged to designate an EU representative by written mandate.
3. CONSENT
Consent requirements will be more precise. A data subject's consent to the processing of their personal information must be informed, freely given, specific, and unambiguously shown either by a statement or by a clear affirmative action. Silence, pre-ticked boxes, or inactivity shall not constitute valid consent.
4. DATA PROCESSOR LIABILITY
Data processors will have limited but direct obligations under the Regulation. These include, for example, implementing appropriate security measures and issuing notifications in the event of a breach. A processor shall be liable for the damage caused by unlawful data processing only where it has not complied with the Regulation's obligations that apply directly to data processors, or where the processor acted outside or contrary to lawful controller instructions. Data processors may be subject to joint liability in order to ensure effective compensation of the data subject, retaining only a right to claim back the portion corresponding to the processor's share of responsibility.
5. DATA PROTECTION OFFICER
Under the GDPR, only certain companies will be required to appoint a Data Protection Officer (DPO). It should be noted that this is one area in which a Member State will be permitted to have stricter rules than those imposed by the GDPR. The Regulation requires a DPO where the core activities of the controller or processor consist of processing which, by its nature, scope, or purposes, requires regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of processing special categories of personal data on a large scale.
6. BREACH NOTIFICATION
Data controllers will generally be required to report data breaches to national Data Protection Authorities (DPAs) without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
7. CHILDREN'S PRIVACY
Children's privacy is now addressed in the Regulation, which was not the case under the EU Directive currently in place. Parental consent is required when offering information services directly to a child under the age of 16. Member States may choose to lower the age to 13.
8. PENALTIES
The penalty scheme for violating the Regulation differs drastically from the penalties companies are accustomed to under the EU Directive. DPAs will have authority to impose fines of up to the greater of 20,000,000 Euro or 4 % of a company's total worldwide annual turnover.
9. INTERNATIONAL DATA TRANSFER
The existing mechanisms for international data transfer remain essentially the same. Notably, the legal uncertainty caused by the recent Safe Harbor invalidation is not addressed.
10. INFORMATION REQUIREMENTS
The Regulation defines in greater detail the information requirements that must be met in order to duly inform and notify data subjects about the processing of their personal data.
11. ACCOUNTABILITY
Under the Regulation, controllers and processors will have a diverse set of rules to follow in order to ensure and prove accountability. For example, they must abide by rules concerning processing activities, appropriate technical and organizational security measures, data protection impact assessments, provision of the right to be forgotten, data portability, and data protection by design and by default.
12. EMPLOYEE PRIVACY
One area that the Regulation will not change is the current situation in which differing national privacy laws define employee privacy rights. The Regulation will impose a minimum threshold for employee privacy, but Member States will still have the authority to make their own rules and standards for privacy in the workplace. Companies operating in several Member States will therefore remain in the position of having to identify and adhere to differing national rules and standards.
13. REMOVAL OF ADMINISTRATIVE NOTIFICATION DUTIES
The Directive provided for a general obligation to notify DPAs about the processing of personal data. Many organizations considered this requirement burdensome; the Regulation removes the obligation.
14. DATA PROTECTION IMPACT ASSESSMENT
In situations in which processing using new technologies may result in a high risk to data subjects, a Data Protection Impact Assessment will become mandatory.