After almost four years of intense negotiations, on 15 December 2015, an informal agreement on the proposed EU Data Protection Regulation was reached between the Council of Ministers and the European Parliament. An extraordinary meeting of the LIBE Committee is scheduled for 17 December 2015 for the 28 EU Member States to vote on the text. Final adoption of the Regulation is likely to be in early 2016.
The proposed Regulation expressly recognizes that “[t]he right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality.” Other fundamental rights to be taken into account for balancing against data protection include “freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.” However, the proposal does not expressly seek to promote technological innovation.
The Regulation, which is intended to create a single law on data protection in the EU, will have a significant impact on both European companies and importantly also businesses outside of Europe that collect data on Europeans. Some of the key provisions in the Regulation (based on leaked text of the Regulation) include:
- Fines – fines for non-compliance of up to the greater of €20 million or 4% of annual worldwide turnover;
- One Stop Shop – the introduction of a new one stop shop mechanism where businesses will be accountable to one lead data protection authority in the EU country where the data controller has its main establishment;
- Accountability – enhanced accountability principles including requirements on businesses to implement data protection policies, maintain a detailed record of processing activities, conduct privacy impact assessments and implement data protection by design and by default;
- Extraterritorial Application – the new Regulation purports to apply to any company that processes the personal data of Europeans – even if the company has no physical presence in Europe;
- Data Protection Officers – a business will be required to appoint a data protection officer where the processing involves large amounts of sensitive personal data or regular monitoring of individuals or is required by national laws – a corporate group can appoint a single data protection officer;
- Security Breaches – a requirement to report security breaches to the relevant data protection authority within 72 hours and to affected individuals without undue delay unless, for example, the data is encrypted or subsequent measures have been taken to remove the risk to individuals;
- A Right to be Forgotten – a new right for individuals to have their personal data deleted, the so called “Right to be Forgotten” subject to certain limitations like freedom of expression and information;
- Right to Data Portability – a right to require the transfer of personal data from one service provider to another;
- Data Protection Impact Assessment – Where data processing uses new technologies, and is likely to result in high risk, the controller must conduct an assessment of the impact on the protection of personal data;
- Profiling – new restrictions on businesses carrying out profiling which produces legal effects or significantly affects an individual other than where this is necessary for the performance of a contract, is authorized by national Member State law or with the explicit consent of the individuals. Profiling based on sensitive personal data (such as health data) is only permitted in limited circumstances;
- Pseudonymous data – a new definition for pseudonymisation, which in turn enables certain uses of data where a business implements appropriate technical and organizational measures to protect against re-identification.
- Consent – more stringent consent requirements, including a right for individuals to withhold their consent and parental consent required for children aged under 16 years (or 13 years if permitted under national laws);
- International Transfers – statutory recognition of international transfers using Binding Corporate Rules, Model Contracts, approved codes of conduct or certification mechanisms; and
- Foreign Data Requests – a new restriction, separate and independent from other provisions on data transfers, that any judgment of a non-EU court or authority requiring the disclosure of personal data will only be recognized or enforceable if based on an international agreement (e.g., a mutual legal assistance treaty) between the relevant Member State and the requesting country.
Businesses now need to seriously consider the impact of the Regulation and its stricter requirements, and begin planning for 2016 implementation. A first step would be for businesses to consider whether they are subject to the expanded jurisdiction of the Regulation, and if so, carry out an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning, reviewing existing data protection notices and consents, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and appointing a data protection officer.