Since the European Commission issued the first draft of a comprehensive regulation to govern cybersecurity in the European Union (“EU”) in January 2012, the European Commission, the European Council, and the European Parliament have been working together to update and supersede the existing EU Directive (95/46/EC), bringing it up to date and in line with recent sweeping advances in technology and technological globalization. (EU Privacy Regulations: Who Will Own Your Data Now?, Corporate Counsel, July 8, 2015, Frances McLeod) On June 11, 2015, the European Council issued its own Proposal for a European General Data Protection Regulation (“GDPR”) for review and consideration.
The objective of the European Commission, the European Council, and the European Parliament is to issue a final proposed comprehensive regulation for the EU by the end of 2015, with final approval and adoption thereof to occur by the Spring of 2016. (European Council approves EU General Data Protection Regulation draft; final approval may come by end of 2015, Data Protection Report, June 15, 2015, Marcus Evans; European Union data protection reform: What should businesses be doing now to get ready?, Data Protection Report, Kimberly Gold) When this new comprehensive regulation is adopted by the EU, not only will EU Directive (95/46/EC) be superseded and replaced, but also sweeping changes will be implemented relative to companies with operations in the EU or doing business in the EU.
Now is the time for companies to start readying themselves for these significant forthcoming regulations. (As of this writing, the U.S. Congress has not yet adopted a comprehensive and preemptive law regulating cybersecurity in the U.S., thus leaving U.S. companies to be cognizant of at least 47 separate and differing state notification laws.)
Some highlights of the proposed EU GDPR include:
- Applicability to EU citizens’ personal data (even if such data is processed outside of the EU);
- Explicit informed consent required to be given by data subjects to any entity that processes or analyzes personal data, with the ability to easily withdraw such consent (this could be particularly onerous and expensive to implement in connection with the entity’s employees);
- Right to compensation for monetary damages in the event that unlawful data processing occurs;
- Imposition of fines as high as 1 million Euros, or two percent of a company’s “total worldwide annual turnover of the preceding financial year” (in particular cases), for non-compliance;
- Mandatory risk assessments and in-house data protection officers for larger companies; and
- In the context of cloud-based systems, direct accountability and reporting requirements for every person or entity that is part of the cloud “supply chain”.
(Privacy Regulations: Who Will Own Your Data Now?, Corporate Counsel, supra)
The obvious implication of these, and other, potentially forthcoming EU regulations is that companies without a data protection policy need to obtain a data risk assessment now, and those with existing data protection policies should reevaluate those policies immediately. (Id.)