Key Notes:

  • EU overhauls data protection regime to harmonize patchwork of laws.
  • Individuals given greater power over personal data.
  • Companies face new significant compliance obligations and hefty fines for noncompliance.

On December 15 EU officials approved a set of long-awaited data protection regulations that provide consumers with more power over how their personal data is processed and impose stiffer penalties on companies for noncompliance. The 28 EU member countries must modify their national laws to comply with the new regulations within two years from the new regulations’ official publication, which is expected to occur in early 2016.

Europe’s current data protection regime was set out in a 1995 directive that required each EU member state to enact national laws consistent with its requirements. The European Commission (the executive arm of the European Union) in 2010 announced plans to modernize the directive as part of a general desire to enhance and protect citizens’ rights, respond to new technological challenges and harmonize a data protection framework across the EU. The Commission in 2012 proposed new regulations to replace the directive aimed at addressing those very issues. After years of negotiation, the new rules were approved on Tuesday at a meeting of representatives from the European Commission, European Parliament and EU member states. Europe’s national governments and the European Parliament are generally expected to officially back the regulations later this week, a step that is necessary for the new rules to become effective.

While the actual text of the new data protection regulations has yet to be published, key policies approved on Tuesday include:

  • Enhanced fines. Potential financial penalties for noncompliance with the new regulations are significant – a company may be fined up to 4 percent of its global revenue for breaches.
  • “One-stop shop” regulatory structure. The new regulations establish a single, pan-European law for data protection designed to replace the patchwork of country-specific laws currently in place. Furthermore, companies generally will only have to deal with a single supervisory authority (rather than all 28).
  • Broadened territorial scope. The new regulations expand the territorial scope of the current regime by covering companies doing business in the EU, even if the company is not physically located in Europe.
  • Newly required data protection officer. Under the new regulations, any company that employs at least 250 people or processes personal data as a core function must appoint a Data Protection Officer to oversee the company’s data protection efforts.
  • Processors may now be liable. Currently, only data controllers (persons who determine the purpose and means of processing personal data) are directly liable under the directive. Data processors (persons who process personal data as directed by the controller) are not. Under the new regulations, both data controllers and data processors can be held liable for certain breaches.
  • New “right to be forgotten.” Under the new regulations, individuals will have the right to require that companies completely remove data about them (such as when stale or no longer relevant), and companies would be required to do so promptly unless there is a legitimate reason not to do so.
  • New breach notification requirements. The directive did not impose any formal data breach notification requirements on companies. Under the new regulations, companies must inform national regulators within three days of any reported data breach, a more stringent requirement than that currently required under U.S. federal or state law.
  • Higher age of consent for data processing. Under the new regulations, anyone under the age of 16 must obtain parental consent before using social media platforms like Facebook, unless any national government lowers the age to 13. Currently, many U.S. social media companies impose an age of consent of 13, consistent with the requirements of the U.S. federal Children’s Online Privacy Protection Act.

The new data protection regulations are likely to substantially affect the practices of many companies doing business in Europe. We will continue to monitor the status of the new regulations and update you as needed once the rules are finalized.