Following yesterday’s announcement that European officials had agreed on the language of the EU’s new General Data Protection Regulation (“GDPR” or “Regulation”), today the EU Parliament’s Civil Liberties Committee approved the text of the GDPR. The GDPR isn’t law yet, as it still needs to be approved by the EU Parliament next month. However, the Parliament is expected to approve the Regulation, which would then go into force in 2018. Once it becomes effective, the GDPR will replace the twenty-year-old EU Data Protection Directive (the “Directive”) and provide a new omnibus data protection law for the EU.
As officials had indicated previously, the GDPR differs from the Directive in a number of significant ways.
- Data Subjects will have greater control over their personal data. Under Article 18 of the GDPR, data subjects will enjoy a “right to portability,” meaning that they will have the right to transmit any of their personal data from one controller to another. In other words, data subjects will be able to transfer their personal data between service providers. Also, Article 17 sets out the “right to be forgotten,” which gives a data subject the right to order a controller to erase any of the data subject’s personal data in certain situations.
- Companies that violate the GDPR can expect significant fines. Article 79 states that companies may be fined a specific percentage of their annual global turnover for failing to comply with certain provisions of the GDPR. For example, a company that violates data subjects’ rights could face a fine of up to 4% of its annual global turnover which, for some large companies, could mean many millions – or even billions – of dollars.
- Some companies will have to appoint a data protection officer. Article 35 requires certain entities, including those whose “core activities” involve large-scale processing of special categories of data (sensitive data), to appoint a data protection officer. Articles 36 and 37 provide further details on the duties of a data protection officer.