The EU has reached political agreement on the Data Protection Reform package. This is the biggest change in EU data protection law in 20 years!
The European Parliament LIBE Committee is expected to vote this through tomorrow. The final text will be formally adopted by the European Parliament and Council at the beginning of 2016. The package is a complete overhaul of EU Data Protection rules. It introduces substantial new individual rights and penalties.
The current EU rules are contained in the Data Protection Directive, which dates back to 1995. The Commission published its proposal for a new EU-wide Regulation in January 2012. Since then, we have been through many drafts and over 4,000 amendments. Today's announcement is that political agreement has been reached between the EU institutions. This is very significant: it looks like a "done deal". The new rules will apply two years after formal adoption.
What is the package?
The Reform package consists of two instruments:
- The General Data Protection Regulation: this overhauls the data protection rules and this is the big issue for business.
- A new Data Protection Directive: this is a new Directive for the police and criminal justice sector.
What does this mean for business?
The EU Commission's Press Release contains lots of warm words about this being a major step towards a Digital Single Market and benefits for business and consumers. We all know, however, that this is a big change from the current position and will require substantial work to assess the risk and implement the rules.
What does the new Regulation say?
The Commission Press Release summarises the new rules. You will be familiar with most of them including:
- New individual rights: a right to access information about how your data is processed, a right to data portability, the clarified "right to be forgotten" (erasure), and a right to be notified when your personal data has been breached.
- Regulatory changes: a "one continent, one law" and "one-stop-shop" regulatory model (in theory!). In practice, with national regulators still involved in cross-border cases, it won't be so clear cut.
- "European rules on European soil": companies based outside the EU must comply when they offer goods or services to individuals in the EU, or monitor their behaviour, whether or not those individuals are EU citizens.
- Risk-based approach: obligations scale with the risk of the processing, and Privacy by Design (and by default) becomes a formal legal obligation rather than a best practice.
- Local registrations (sometimes called "notifications") with national regulators will be abolished.
- Data protection officers: a new obligation to appoint a DPO for certain organisations, including public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data.
- Control framework: policies, procedures and documentation (such as records of processing and impact assessments for high-risk processing) will be required to demonstrate how privacy risk is managed.
- Digital consent: parental consent will be required for online services offered to children under 16, but individual Member States can set a lower age limit (no lower than 13).
- New fining powers: up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher.
The new Regulation maintains the restriction on transfers of personal data outside the EU to countries that do not offer adequate protection. With Safe Harbor invalidated, we await developments on the negotiation of a "Safe Harbor 2.0". In the meantime, many companies are putting model contracts (standard contractual clauses) in place intra-group and with vendors as a stop gap.
The new Regulation will apply two years after adoption. That is not long to plan and implement a compliance programme that meets the substantial change in the rules and the additional documentation required.