After years in the offing, the EU Parliament, Council and Commission representatives have reached political agreement on the drafting of the new EU data protection framework.

Although minor modifications do remain possible, it is highly likely that the final processes will be completed early in 2016, with the General Data Protection Regulation (“GDPR”) coming into force 2 years after final adoption, so likely to be spring 2018. 

The GDPR will have significant impacts on how businesses collect and process the personal data of individuals. This briefing highlights some key aspects we are likely to see in the final version.

Key Changes

The final text is yet to be formally released but the following is expected:

  • There will be mandatory data security breach reporting and heightened security requirements both for companies that control the data and their data processors.  Companies will be required to notify the relevant national data protection authorities and affected individuals of data breaches within 72 hours of awareness unless it is unlikely to result in risk to the rights and freedoms of the individuals.  Individuals will have to be notified without undue delay if there is a high risk to their rights & freedoms.  It will be a big challenge to observe these rules in practice.
  • As has been much publicised, the GDPR will allow data protection authorities to impose substantial fines for non-compliance. A two tier structure has emerged. Maximum fines rise to the greater of €20,000,000 or 4 percent of a global annual turnover for breaches of specific sections such as failure to have a lawful reason for processing.  A second lower tier of €20,000,000 or 2% applies for some of the processor, security and admin related breaches, a higher level than many speculated it would end up at.
  • Consent to processing must be freely-given, specific, informed and unambiguous and must be confirmed by a statement or affirmative action which is “demonstrable, easily accessible and intelligible”.  The content of notices regarding the circumstances in which data may be processed will need to be more specific.  Also, the circumstances in which an employer may rely upon its own legitimate interests to permit data processing will be qualified by specific and explicit notice requirements.
  • Post the ECJ Safe Harbor case, the GDPR will maintain the general prohibition of data transfers to non-EU countries that are not officially recognised as "adequate" by the EU, but with stricter conditions applying for obtaining such "adequate" status.   New mechanisms like privacy seals will be considered and binding corporate rules endorsed.
  • The current requirements to notify data protection authorities of data processing activities will be largely replaced with new requirements to maintain internal documentation – quite a lot of it - on a company's processing activities and controls, both to record what processing they do and also how they achieve compliance. Privacy by design and default remains and, in certain cases, companies will need to conduct privacy impact assessments of their data processing activities. Accountability will be a key theme of GDPR.  Lots more record keeping, auditing and training etc. are likely to see internal resource requirements increase. 
  • The much debated requirement for companies to appoint a data protection officer appears to have been limited so that it only applies to those companies that either process large quantities of sensitive personal data or those that process personal data and engage in systematic monitoring on a large scale. “Large” is undefined of course. There will be far reaching consequences for several sectors, including retailers, mobile providers, insurance providers. 
  • Individuals will get more extensive rights including on erasure, objection, portability and access.
  • Member states can enhance rules around employee data processing.
  • The GDPR will apply to virtually any business that offers its products and services in the EU market, reflecting moves in that direction under recent ECJ case law.  This is a significant change to the prior establishment limits.  In particular, it will apply to the online activities of non-EU companies that offer goods or services to, or monitor the behaviour of, EU individuals. 
  • The much-debated process to centralise data protection enforcement will be achieved to a certain extent by the emergence of a single competent national data protection authority. However, the viability and/or success of such an authority remains to be seen.