After nearly four years of negotiation and wrangling, European officials announced yesterday that they had finally reached agreement on the language for the EU’s new General Data Protection Regulation (“Regulation”), which will replace the aging 1995 Data Protection Directive (“Directive”).
In many ways, the announcement is welcome news as it will harmonize what had become a patchwork of laws within the EU, because member states were free to enact their own data protection laws that were based on the Directive. Although the final text of the Regulation has not been officially released yet, EU officials have already provided some indications of what it contains in press releases.
The final text of the Regulation still needs to be put to a vote by the EU Parliament’s Civil Liberties Committee and, if approved there, by the entire Parliament in January 2016. If the Regulation is approved in early 2016 as expected, it will come into force in 2018, giving affected organizations substantial time to prepare for the inevitable changes to their policies and practices.
Some of the key components of the compromise text of the Regulation that officials have indicated have been agreed upon are:
- “Right to be Forgotten”: Under the Regulation, subject to certain exceptions, EU data subjects will be able to demand that an organization delete all personal data that the organization holds related to them.
- Data Portability: Organizations that have EU customers who want to switch service providers will need to make it easier for such customers to transfer their personal data to another service provider.
- “One-stop-shop”: Fortunately, according to the EU Commission’s press release, businesses subject to the Regulation “will only have to deal with one single supervisory authority.” This is a business-friendly development that should significantly decrease the interactions that multinationals operating in numerous EU jurisdictions will have with the various member states’ data protection authorities (“DPAs”). Instead, under most circumstances, they will only have to deal with the DPA in the member state in which the organization is established. This innovation alone is expected to save companies €2.3 billion annually.
- Elimination of Notifications: Another business-friendly development is that organizations subject to the Regulation will no longer need to make costly and time-consuming notifications to DPAs regarding their processing of personal data. Such notifications will be “scrapped,” and the EU Commission estimates this will save companies approximately €130 million per year.
- Heavy Fines for Noncompliance: According to Jan Philipp Albrecht, the EU Parliament’s lead negotiator on the Regulation, companies may be fined up to 4% of their annual global revenue for violations of the Regulation, although such heavy fines would be reserved only for cases of repeated and egregious violations. This development was not unexpected, as various EU stakeholders had debated whether the maximum fine should be 5% or 2%. It appears that a compromise was reached at 4%.
- Age of Consent for Children: Although the EU Parliament had been advocating that the age of parental consent for children to use social media be set at 13 years old in the Regulation, Mr. Albrecht also reported that a compromise was reached which enables member states to set their own age of consent for children to use social media, so long as the limit is between 13 and 16 years of age.
The news of a final agreement on the contours of the Regulation after four years of negotiations is certainly welcome.