The European Union (EU) has been working for several years to revise its data privacy laws. On December 15, 2015, the EU reached political agreement on the new General Data Protection Regulation (GDPR; it is called the "general" regulation because the EU also has sector-specific data privacy rules, for example for electronic communications). Formal adoption by the Parliament and Council is expected in early 2016 without further changes to the agreed text.
The main points for U.S. companies doing business in the EU are as follows:
- Regulation instead of Directive. The new legislation takes the form of a regulation rather than a directive, and it will replace the current EU data protection directive (Directive 95/46/EC) adopted in 1995. The significance of this change is greater uniformity among the EU member states. A directive sets objectives that each member state must transpose into its own national law, so current EU data privacy law is in practice a set of 28 national laws that differ in text and application from one member state to the next. A regulation is directly applicable law in every member state and requires no transposition, so the new regulation will give U.S. companies doing business in the EU a single, more uniform standard. Uniformity will not be absolute, however: the regulation leaves member states room to legislate on certain points (for example, the age at which a child can consent to online services), so some national variation will persist.
- Enforcement. The new legislation does not create an EU-level enforcement body; enforcement remains in the hands of the national data protection authorities of the member states. In recognition of the inefficiency of the current arrangement, however, the legislation introduces a "one-stop-shop" mechanism: for a company with establishments in several member states, the authority of the member state in which the company has its main establishment acts as the lead supervisory authority for its cross-border processing and coordinates with the other authorities concerned. This should spare multinational companies from having to deal simultaneously, and separately, with multiple regulators as they must under the current EU data privacy law.
- Penalties. One complaint of consumer organizations about the current EU data privacy legislation is that the penalties for violations have no real dissuasive effect on large companies. The new legislation attempts to remedy this by allowing fines of up to 4 percent of the offending company's total worldwide annual turnover (or up to EUR 20 million, whichever is higher). Importantly, and as in EU competition law, the turnover of the entire corporate group is used when calculating the fine, not just the turnover of the particular legal entity involved in the violation. These higher fines were aimed in particular at U.S. companies, which many Europeans perceive as not doing enough to protect personal data.
- Right to be Forgotten. The new legislation codifies the right to be forgotten, which the European Court of Justice recognized in its 2014 Google Spain judgment, as a right to erasure of personal data. The right is not absolute: erasure can be refused, for example, where the data are needed to exercise the right of freedom of expression, to comply with a legal obligation, or to establish or defend legal claims. In practice, multinational companies operating in the EU will have to establish mechanisms that allow individuals to request deletion of their personal data, together with processes to evaluate such requests against these exceptions and to act on them within the regulation's time limits.
- Effectiveness. The new legislation will apply two years after its entry into force, which follows its publication in the Official Journal of the EU. Formal adoption is expected in the first half of 2016, so the new rules will apply from 2018; companies should use the intervening period to bring their data handling practices into compliance.