Overview

A significant step towards the adoption of the new EU General Data Protection Regulation has been announced. With political agreement reached, the General Data Protection Regulation is likely to be officially adopted early 2016.

Late on 15 December 2015 it was confirmed that the EU Parliament, Council and Commission representatives have reached political agreement on the drafting of the new EU data protection framework.

Although minor modifications do remain possible, it is highly likely that the final processes will be completed early in 2016, with the General Data Protection Regulation (GDPR) coming into force two years after final adoption, so likely to be spring 2018.

The GDPR will have significant impacts on how businesses collect and process the personal data of individuals. This briefing provides background and discusses some key aspects we are likely to see in the final version.

Background

After a very drawn out journey starting with an initial proposal released by the European Commission in 2012, the European Parliament and the Council proposed their own respective versions of the GDPR in 2014 and 2015. The final text was negotiated at so called “Trilogue” meetings i.e. negotiations between representatives of the Council, the European Commission, and the European Parliament.  With even more impetus to get the job done emerging after the ECJ Safe Harbor decision, this political agreement was reached at the last of these scheduled meetings.

It isn’t officially a “done deal” yet.  There is another vote on it by the LIBE Committee of the European Parliament on Thursday, before both the Parliament and the Council then formally vote to adopt it.  Technically minor changes could still be made.  The translators will certainly be busy in the meantime.

Key Changes

The final agreed text is yet to be formally released but the following is expected to emerge:

  • Mandatory data security breach reporting and heightened security requirements both for companies that control the data and their data processors.  Companies will be required to notify the relevant national data protection authorities and affected individuals of data breaches within 72 hours of awareness unless it is unlikely to result in risk to the rights and freedoms of the individuals.  Individuals to be notified without undue delay if there is a high risk to their rights & freedoms?  A big challenge to observe in practice.
  • As much publicised the GDPR will allow data protection authorities to impose substantial fines for non-compliance. A two tier structure has emerged. Maximum fines rise to the greater of €2om or 4% of a global annual turnover for breaches of specific sections such as failure to have a lawful reason for processing.  A second lower tier of €20m or 2% applies for some of the processor, security and admin related breaches A higher level than many speculated it would end up at.
  • Consent must be demonstrable, easily accessible and intelligible. The content of notices more specific. Use of legitimate interest more qualified by specific and explicit notice requirements.  A last minute attempt to raise the consent age threshold for minors in relation to online and other information society services didn’t get the full backing required but the default of 16 has been introduced for that with the ability of members states to lower down to 13. Parental consent then required below that threshold.
  • Post the ECJ Safe Harbor case, the GDPR will maintain the general prohibition of data transfers to non-EU countries that are not officially recognized as “adequate” by the EU, but with stricter conditions applying for obtaining such “adequate” status.   New mechanisms like privacy seals will be considered and binding corporate rules are endorsed.
  • The current requirements to notify data protection authorities of data processing activities are largely replaced with new requirements to maintain internal documentation – quite a lot of it – on a company’s processing activities and controls. Both to record what processing they do and also how they achieve compliance. Privacy by design and default remains and in certain cases, companies will need to conduct privacy impact assessments of their data processing activities. Accountability will be a key theme of GDPR.  Lots more record keeping, auditing and training etc. is likely to see internal resource requirements increase.
  • The much debated requirement for companies to appoint a data protection officer, appears to have been limited so that it only applies to those companies that either process large quantities of sensitive personal data or those that process personal data that engage in systematic monitoring on a large scale. “Large” not being defined of course. Far reaching consequences on several sectors including retailers, mobile providers, insurance providers etc.
  • Individuals get more extensive rights including on erasure, objection, portability and access.
  • Member states can enhance rules around employee data processing.
  • The GDPR will apply to virtually any business that offers its products and services in the EU market.  Reflecting moves in that direction under recent ECJ case law.  This is a significant change to the prior establishment limits.  In particular, it will apply to the online activities of non-EU companies that offer goods or services to, or monitor the behaviour of, EU individuals.
  • The much debated enforcement process to centralize data protection enforcement, to a certain extent, will emerge with one competent national data protection authority via a “one-stop shop” mechanism, a complex consistency mechanism and a cooperation procedure.  Its workability remains to be seen.