On 15 December 2015, trilogue negotiations between the EU Commission, the European Parliament and the EU Council concluded with agreement being reached on the new General Data Protection Regulation (the “GDPR”). Agreement was also reached on a new data protection directive for the police and criminal justice sector (the “Directive”). The new package was first proposed in January 2012 and negotiations have been ongoing since.
The GDPR aims to strengthen protection of fundamental data protection rights across the EU as well as remove barriers for businesses and allow them to make the most of the opportunities of the European Digital Single Market. The GDPR is in the form of a regulation and, as such, will be directly applicable in all EU Member States without the need for national implementing legislation. The key features of the GDPR are as follows:
- One-stop shop – businesses will have a single supervisory authority, which will be that the authority of the jurisdiction where they have their main establishment; Increased territorial application – companies based outside the EU will be subject to the GDPR when offering services in the EU;
- Privacy by design – data protection safeguards must be built into products and services from the outset and apply by default;
- Accountability – controllers will be responsible for demonstrating compliance with data protection rules;
- Proportionality – a risk based approach will apply to implementation of privacy by design, including an obligation to undertake impact assessments in certain circumstances;
- Increased focus on processing activities – the processing activities of both controllers and processors will be subject to increased focus, with greater emphasis on documented procedures and records;
- Data Protection Officers – companies will be required to appoint a dedicated data protection officer, with certain exceptions;
- Data transfers – the focus on the adequacy of protection in the importing jurisdiction, which was the focus of the recent Schrems decision of the European Court of Justice, will be continued;
- Increased fines – companies breaching data protection rules could be fined up to 4% of annual turnover (according to the Parliament website);
- Data portability – data subjects will be given the ability to transfer data easily between service providers;
- Right to be forgotten – the right identified in the Google Spain case will be put on a statutory footing; and
- A duty to report breaches – national supervisory authorities and impacted individuals will have to be informed of serious data breaches.
The new Directive will enable the exchange of information necessary for investigations between law enforcement authorities in EU Member States and apply the principles of necessity, proportionality and legality to all law enforcement processing in the EU.
The draft agreements were passed by the Committee on Civil Liberties, Justice and Home Affairs on Thursday 17 December 2015. The final texts of the GDPR and the Directive are expected to be agreed in early 2016 and should become applicable in Member States in 2018.
What does this mean for your business?
While the GDPR will not come into effect until early 2018, organisations should now start to consider the impact of the GDPR on their businesses. Any review should address both existing data processing activities, and the consequent impact on existing or new policies and procedures. However, the revised approach of “privacy by design” means that the review should address not simply the data protection policies and procedures, but also product and services development procedures, procedures related to consumer and customer interfaces, and corporate governance considerations. Project plans should reflect that data protection can no longer be viewed primarily as an IT or compliance issue, but that appropriate solutions must encompass management, innovation, technical, legal and regulatory considerations. With the significant increase in the financial sanctions arising from data protection breaches, the risk of not implementing appropriate “privacy by design” are considerable, reinforcing the point that ultimate responsibility for data protection compliance rests firmly at management and board level.