Yesterday, December 15th, European policy makers reached political agreement on European data protection reform and the terms of the forthcoming General Data Protection Regulation (GDPR). The final text will be formally adopted in the next few days and will take effect early 2018.

After many years of heated debates, the GDPR, formally known as the “Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data“, will be replacing the European Data Protection Directive adopted in 2015.

The press release of the European Commission can be consulted here.

The key changes include:

  • One single law for all 28 European Union Member States: A single set of rules on data protection, directly applicable in all EU Member States
  • Applicable to companies inside and outside of EU: EU rules will apply even if personal data is processed outside the EU by companies established outside the EU, as long as they are active in the EU market and offer their products and services to EU citizens
  • One Stop Shop: Data controllers will be accountable to a single national data protection authority in the EU country where the controller has its main establishment. Individuals can also refer to the data protection authority in their country, even when their data is processed by a company outside the EU
  • DPOs: Companies will have to appoint a Data Protection Officer when they are, for example, intensively involved in data processing activities.
  • Accountability: Increased responsibility and accountability for those controlling and processing personal data, for example through privacy impact assessments and notifying data subjects of serious data breaches as soon as possible
  • Explicit consent: Wherever consent is required for data to be processed, this must be in a form that is explicit, rather than implied
  • Data Portability Right: Users will have easier access to their own data and be able to easily transfer personal data from one service provider to another
  • Right to be forgotten: A more explicit ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to require third parties to delete personal data if there are no legitimate grounds for retaining it
  • Stronger Authorities: Independent national data protection authorities will be strengthened and empowered so they can better enforce the EU rules in their local jurisdictions
  • Heavier Sanctions: Non-compliance could lead to heavier sanctions; it is anticipated that the Regulation will permit fines up to 4% of the annual worldwide turnover of the enterprise