On 15 December 2015, following several years of deliberation, the European Parliament and the Council of the European Union (EU), which represents the governments of the 28 EU member states, reached a general agreement to move forward with the European Commission’s proposal for the General Data Protection Regulation (the Regulation). The Regulation is expected to be formally adopted early in 2016, and if that occurs, it will take effect in early 2018.
The Regulation is designed to replace the existing Data Protection Directive 95/46/EC, which was introduced to remove the trade barriers within the EU caused by the protectionist effects of individual member states’ personal data protection laws. The Directive helped to level the playing field by allowing the free movement of personal data throughout the EU, but barriers still remain. This has prompted the EU to consider how the remaining obstacles can be removed, and the proposed Regulation is the product of that consideration and years of deliberation and negotiation.
If adopted, the Regulation will overhaul the current data protection landscape by creating a single set of rules without the need for individual EU member states to introduce their own (and often different) implementing legislation. This should mean a pan-EU fully harmonised data protection regime. The key changes in the data protection landscape that the Regulation will introduce are:
- Extraterritorial scope: Currently, a company must be “established” in the EU in order to be subject to the EU data protection laws. The term “established” has already been interpreted very broadly at times, and the Regulation will remove this jurisdictional limitation entirely. Thus, it appears that any company, regardless of its operational location, that offers a service or product in the European Economic Area and as a result deals with the personal data of EU citizens, might be subject to the Regulation’s provisions.
- A single, pan-European law: The Regulation will create a single set of personal data protection rules, valid across the entire EU. This will replace the currently inconsistent patchwork of data protection laws, making it simpler and cheaper to do business in the EU. The Commission estimates that this will save businesses a total of €2.3 billion a year.
- Harsher penalties: The powers of each of the EU national data protection authorities will be enhanced. They will have the authority to impose fines of up to €20 million, or 4% global annual turnover, on companies that violate the Regulation.
- Better rights for data subjects: The right of a data subject (an individual whose data is being processed) to be “forgotten” will be reinforced, meaning that individuals who no longer wish for their data to be processed may ask for it to be deleted and, providing there is no legitimate reason for maintaining it, the controller of the data (whomever processes their data and is in control of the processing) must oblige. Data controllers also must inform data subjects within 72 hours if the security of their data has been compromised, such as through a hacking incident, unless there is no likely risk of harm to the data subject. A new right to data portability will be created, which will allow individuals to request their personal data to be transferred between service providers, which will also improve competition between providers.
- Stricter consent requirements: Any collection of data from children under the age of 16 will require parental approval. Individual EU member states may lower this threshold to 13 years of age. For the collection and processing of data from individuals of any age, the subject’s consent must be obtained. Such consent must be freely given, specific, informed, and unambiguous. Any written request for consent must remain separate from any other agreements.
- Default Data Protection Settings: Anyone who designs a product or service that has the ability to collect personal data must ensure that adequate safeguards are woven into the product from its earliest stage of its development. For social networks and mobile apps, this will require standard privacy-friendly default settings.
- Data Protection Officers (DPOs): Companies that process large volumes of sensitive personal data will be required to appoint a DPO, who will be responsible for monitoring compliance and raising awareness.
- Controller - Processor Contracts: Data controllers and processors will be required to enter into contracts to ensure adequate protection of personal data. Adequate protection includes the application of adequate safeguards, including, as appropriate, encryption and pseudonymisation.
- Small- and Medium-Sized Enterprises (SMEs): In earlier versions, the proposed Regulation included provisions that would have cut the red tape for SMEs, including by exempting them from the requirement to notify their relevant data protection authority of any data processing, which could have saved €130 million a year. The recently released Regulation contains no such exemption; however, it does state that associations that represent groups of SMEs should be encouraged to draw up codes of conduct to ensure the aims of the Regulation are met, without compromising the business of the SMEs in question.
The implications for businesses will be wide-reaching. On the one hand, a single pan-EU regulation should be very beneficial in providing uniformity and consistency in the treatment of personal data throughout the EU. On the other hand, the more robust rights for data subjects provided by the Regulation will prove challenging for businesses to implement. Ideally, the two-year period between the adoption of the Regulation and its effective date will provide sufficient time for business adjustments, but almost inevitably, questions will continue to arise about adequate protection both before and after the effective date.