There have been two important developments recently in relation to data protection, namely a new EU-US Privacy Shield and agreement on an EU General Data Protection Regulation.
In October 2015 we reported that the European Court of Justice had declared that the US Safe Harbor regime, which allowed the transfer of personal data from the EU to the US, was invalid. After months of intense negotiations, the European Commission and the US Government announced their agreement on an EU-US Privacy Shield intended to replace the Safe Harbor regime.
The European Commission has now published a draft adequacy decision and related documents that are intended to implement the Privacy Shield. Click <here> for an overview of the Privacy Shield and its framework, together with a summary of the major obligations and protections it will provide.
EU General Data Protection Regulation
On 15 December 2015, the EU General Data Protection Regulation ("GDPR") was agreed. In or around March 2018 it will begin to apply directly in each of the 28 EU Member States. The GDPR will apply both to the data processing activities of EU-based businesses and to various data processing activities of businesses not established in the EU to the extent they target EU data subjects.
Key provisions of the GDPR which will be of relevance (and potentially significant concern) in the HR field include the following:
- Enforcement - Supervisory authorities will have broad enforcement powers.Fines for non-compliance will be substantial, with a maximum fine of the greater of EUR20 million or 4% of annual worldwide turnover for some breaches (as compared with the current maximum of GBP500k in the UK).
- Reporting breaches - Data security breaches must be notified to the relevant supervising authority without undue delay (and where feasible within 72 hours after becoming aware of it) unless the breach is unlikely to result in a risk for the rights and freedoms of individuals.Subject to limited exceptions, the controller must also communicate the personal data breach to the data subjects without undue delay.
- Access to data - Data controllers must enable data subjects to request and obtain access to data free of charge, unless requests are manifestly unfounded or excessive.A controller is obliged to respond to such requests without undue delay and in any event, within one month (as compared with the current 40 days).This period may be extended for a maximum of two further months when necessary, taking account of the complexity and number of requests.