On this Privacy Monday, we can definitely say that the long winter of our discontent (at least for some of our readers) is over. Happy spring!

In case you missed it,  last Wednesday we presented the fourth in our Wednesday Webinar series on the progress of the EU draft Data Protection Regulation and what we might expect.

The EU’s draft General Data Protection Regulation is moving towards its final form now that the Council of the European Union has provided its views on most of its provisions.  Although the Council, Parliament and Commission need to negotiate the final form of the Regulation through the “trilogue” process, the overall outline of the Regulation is fairly clear.  Subject to the trilogue process, here’s a re-cap of what we expect to see:

The new Regulation will have a broader definition of personal data and will apply directly to data processors as well as data controllers.  Organizations based outside the EU will be covered if:

  • the data processing relates to an offer of goods or services to people in the EU (including free goods or services) OR
  • the data processing is aimed at monitoring people in the EU.

The Regulation will most likely include the following features:

  • Risk of very high fines based on a multiple of group global turnover
  • Mandatory appointment of Data Protection Officers in some or most circumstances
  • Privacy Impact Assessments
  • Data Breach Notification (stringency under negotiation)
  • New super-regulator: European Data Protection Board
  • One-Stop Shop (potentially with significant modification per the Council draft)
  • Non-EEA “adequacy” determinations can be sector-specific
  • COPPA-like parental consent for kids
  • Privacy Seals/Certifications promoted as a way to help companies show compliance with the law
  • Right to Erasure/Right to be Forgotten
  • Data portability
  • No more registration with national data protection authorities

To access the webinar recording, please click here.