After four years of negotiations, the text of the General Data Protection Regulation has been agreed.
What’s the issue?
Four years ago, the European Commission published a data protection package to reform, modernise and harmonise European data protection law. The cornerstone of the package is the General Data Protection Regulation (GDPR) which will replace the 1995 Data Protection Directive and, in the UK, the Data Protection Act 1998.
What’s the development?
The GDPR has been the most lobbied piece of EU legislation to date, but towards the end of December 2015 it was announced that political agreement had been reached. The agreed text has been published, although it still needs to be formally adopted. This is expected to take place in spring 2016, after which there will be a two-year implementation period.
What does this mean for you?
After years of poring over the various drafts of the legislation, it’s fair to say that there are no huge surprises in the final version. This does not mean the legislation lacks bite, not least in the vastly increased levels of fines for non-compliance (up to 4% of annual global turnover or 20m Euros, whichever is greater). The legislation will bring in a large number of changes, and organisations will need to consider it carefully and make sure they are compliant by the time it comes into force in 2018.
We will be covering the GDPR in detail, both in terms of what it covers and its application to particular industries over the coming year on our Global Data Hub but here are some headlines from the GDPR.
- Territorial scope – expansion of territorial scope to include applicability to non-EU organisations offering goods or services to data subjects in the EU or monitoring their behaviour to the extent that the behaviour takes place in the EU;
- Notification – no requirement to notify authorities of data processing but a requirement to keep records of data processing activities (subject to limited exceptions for SMEs);
- One Stop Shop – organisations will be regulated by a single regulator in the place of their main establishment. The main establishment will be the main administrative location in the EU unless the main decisions about data processing are taken in a different Member State in which case that will be the main establishment. Individuals will be able to make complaints in their Member State at which point that regulator will engage in a cooperation procedure which will be settled by the European Data Protection Board in the event of disagreement. Member State regulators will also be able to deal with any issues arising in their own States subject to a cooperation procedure;
- Penalties – maximum penalties of 4% annual global turnover or up to 20m Euros (whichever is higher);
- DPOs – requirement to appoint a data protection officer (DPO) where an organisation’s core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data. Member States will have discretion to enact national provisions imposing further requirements regarding the appointment of DPOs;
- Breach reporting – breaches must be reported to the relevant regulator without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Data subjects must be informed without undue delay where the breach is likely to result in a high risk to the data subject’s rights and freedoms, unless the data has been rendered unintelligible to any third party (for example by encryption), the data controller has taken steps to ensure the high risk is unlikely to materialise, or it would involve disproportionate effort to inform data subjects individually, in which case a public announcement can be made instead. Data processors are required to inform data controllers of any breach without undue delay;
- Consent – organisations relying on consent to process personal data will need to show that the consent is freely given, specific and informed and is an “unambiguous indication” of a data subject’s wishes and expressed either by a statement or a clear affirmative action. Consent will be purpose limited i.e. related to explicitly specified purposes;
- DPIAs – organisations will be required to carry out data protection impact assessments (DPIAs) if their proposed activities are likely to result in a high risk for the rights and freedoms of individuals, in particular through the use of new technologies and in cases of profiling. If the DPIA reveals a significant risk, organisations must consult with their regulator before beginning the processing;
- Data subject rights – new rights around data portability, the right to be forgotten and to prevent profiling. Continuation of right to object to processing, to rectification and erasure;
- Privacy by design and default – enshrined into statute – controllers are specifically prevented from setting defaults to disclose data to all;
- Purpose limitation – data processing must be carried out for the original purpose(s) for which it was collected unless the new purpose is a compatible one;
- Data export to third countries – similar restrictions on transfers of personal data outside the EU as under current law. Data can be transferred under a Commission adequacy decision (the GDPR contains details of how these should be reached), standard contractual clauses, or binding corporate rules (BCRs) for intra-group transfers. In addition, there are limited possibilities to transfer data with consent or where it is necessary for the performance of a contract;
- Data processors – parts of the GDPR will apply directly to data processors who will be subject to compliance requirements and to sanctions for non-compliance;
- Digital consent for minors – while the default age for giving valid consent and using online services is set at 16, Member States will be able to reduce this to as low as 13.