It has been announced today that agreement has been reached on the final text of the EU’s new Data Protection Regulation. This agreement has been reached earlier than many had anticipated given the lengthy delays in the process to date.

The final text has not yet been published, but the press releases issued today suggest that:

  • The maximum fines for data protection breaches will be 4% of global annual turnover;
  • There will be mandatory reporting of serious security breaches to regulators and affected individuals;
  • Where consent is obtained it will have to be “explicit”, and therefore companies will no longer be able to rely on implied consent to justify data processing;
  • Companies which process sensitive data on a large scale or which collect information on a large number of consumers will need to appoint a Data Protection Officer;
  • Companies based outside the EU will be subject to the Regulation when offering services in the EU; and
  • Pan-European businesses will only have to deal with a single regulator (the so called “One Stop Shop”). The precise arrangements for this have been heavily negotiated and so it remains to be seen how workable this will be in practice.

Of course, these are just some of the headline points and we will be fully analysing and reporting on the Regulation once the full text is published.

In terms of timing, the next step is a confirmation vote at the European Parliament’s Civil Liberties Committee on 17 December. The Council and the full Parliament will also have to formally adopt the proposal – this is expected at the beginning 2016. The new Regulation will come into force two years after it is adopted, in early 2018.