Europe is set to approve stronger pan-European data privacy laws. Last week, negotiators for the European Commission, European Parliament, and the Council of the European Union announced their agreement on the laws' final text. The new rules specify strict requirements for data protection compliance and impose heavy fines for nonconformity. Once formally adopted in January 2016, the laws will take effect in early 2018.
The General Data Protection Regulation ("GDPR"), which governs the use and privacy of EU citizens' data, and the Data Protection Directive, which governs the use of EU citizens' data by law enforcement, compose the new data privacy laws. The GDPR is directly applicable to all EU Member States and, significantly, applies to companies outside of the EU, even if personal data is processed outside of Europe. The law applies as long as companies are active in the EU market and offer their products and services to EU citizens.
Notably, the laws provide regulators with new means to deter and punish noncompliance. For instance, companies that violate the rules could face fines as high as four percent of worldwide annual turnover. The GDPR is likely to impact the bottom line due to such fines and other significant changes in the privacy regime, including:
- Expansion of Liability
Currently, only the data controller is liable for data breaches in the EU. Under the GDPR, both the data controller and the data processor will be jointly liable for any damages. The text mandates very detailed requirements for data controllers to impose contractually onto vendors serving as data processors. In addition, any person who has suffered damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered.
- Right to Be Forgotten
The Regulation gives consumers the right to have their personal data corrected if inaccurate, and expands their right to remove irrelevant or outdated information. While this right already exists under European data privacy law, the Regulation strengthens the right. For example, consumers may stop a company from using their personal data when they close an account, and they can stop a third party, such as a marketing company, from building a data profile of them.
- Strict Consent Requirements
Consent is an old, but strengthened, requirement under the new law. Under the GDPR, consent must be a "clear, affirmative action," and can no longer be implied. For example, consent cannot be contained within terms and conditions. Instead, it could, for example, consist of ticking a box when visiting an Internet website or a similar affirmative action. The EU ultimately rejected a push to make it illegal to handle the personal data of anyone aged 16 or under. If consent is given by a parent or guardian, the personal data of a child below the age of 16 may be processed. In addition, each Member State may pass a law permitting the use of the personal data of a child as young as 13 if a parent or guardian consents.
- Centralized Supervisory Authority
Each Member State must maintain a supervisory authority to which companies will report data breaches. The national supervisory authority will enforce the GDPR's requirements, including processing complaints and conducting investigations. The centralized supervisory authority will issue warnings to any company or data processor in violation of the Regulation, impose bans on data processing, and inflict administrative fines, among other enforcement actions.
- Data Protection Officer Requirement
Any public authority which processes data, and any company whose core activity consists of processing, must employ a data protection officer. The contact information of the data protection officer must be shared with the supervisory authority. The officer must also serve as the organization's contact for data subjects who wish to exercise their rights under the Regulation.
These new requirements reflect the increasing importance of data protection. In the two years before the Regulation takes effect, U.S. companies conducting business in Europe should become familiar with its requirements. Companies should review the new breach notification requirements and identify the supervisory authority of each Member State in which they conduct business. Companies should also involve marketing and legal teams in understanding how consumer consent is acquired and tracked, and determine whether any changes are necessary in those processes. Finally, companies should review contracts with data processors and ensure that those contracts conform to the GDPR's specifications by January 2018.
See the press release (European Commission – Press Release, Agreement on Commission's EU data protection reform will boost Digital Single Market, Brussels, December 15, 2015) and the text of the General Data Protection Regulation and the Data Protection Directive.