The highly anticipated revisions to the EU legal regime for data protection have now been adopted following the publication of the official texts of the General Data Protection Regulation and Data Protection Directive.
On 04 May 2016, the official texts of the EU Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "General Data Protection Regulation") and the EU Directive 2016/680 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (the "Data Protection Directive") were published in the EU Official Journal in all the official languages.
This marks an important milestone in the adoption of the General Data Protection Regulation and of the Data Protection Directive, as four years have passed since the official release of their first drafts on 25 January 2012, which promised greater EU personal data protection and a modern and harmonized data protection framework across the European Union. This is also the EU's answer to the Max Schrems case law of the European Court of Justice, generally known as the Europe v. Facebook case.
While the General Data Protection Regulation will enter into force on 24 May 2016, it shall apply with effect from 25 May 2018 and shall be directly applicable in all EU Member States without need for national implementing legislation. The Data Protection Directive, however, entered into force on 05 May 2016 and will need to be transposed into national law by the EU Member States by 06 May 2018.
As a consequence of its enforcement, the General Data Protection Regulation shall repeal the current Data Protection Directive, officially known as Directive 95/46/EC, which is part of EU privacy and human rights law.
Here are some of the highlights of the newly published data protection reform instruments:
- A "right to be forgotten": When an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.
- Easier access to one's data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way, making it easier for individuals to transmit personal data between service providers.
- The right to know when one's data has been hacked: Companies and organizations must notify the national supervisory authority of data breaches which put individuals at risk and communicate all high-risk breaches to the data subject as soon as possible.
- Data Protection Officers: Certain data controllers and processors must designate a Data Protection Officer (the DPO) as part of their accountability program.
- Stronger enforcement of the rules: data protection authorities will be able to fine companies which do not comply with EU rules up to 4% of their global annual turnover.
Companies are not required to take any adjusting measures until the enforcement of the General Data Protection Regulation and the Data Protection Directive in 2018, unless national data protection agencies impose such measures.