On Tuesday evening, after some 4 years of negotiations, the final draft of the new General Data Protection Regulation ("GDPR") was finalised. On 17 December 2015, the European Parliament's LIBE Committee voted resoundingly in favour of the GDPR, which will now be ratified by the Council and the Parliament in early January 2016, organisations will then have two years to prepare before the legislation comes into force in early 2018.
This GDPR is the most significant change in data protection legislation in the past 20 years. It is designed to empower European citizens and legislators have said that the GDPR will also enhance business growth by removing unjustified barriers that restrict data flows. The final draft of the GDPR was greeted with disappointment by many in the technology sector with some suggesting it could damage the EU digital single market, the very thing it is meant to be enhancing. There is concern that tech innovators will no longer wish to be based in Europe; however, as the GDPR will also apply to those based outside of Europe wishing to supply goods and services to European citizens, we hope that these concerns will prove to be unfounded.
The GDPR will supposedly create a uniform approach to data protection across Europe, although in the final draft we see that certain areas will be open to member states to determine, such as the minimum age at which an individual can consent to their data being processed (which will range for 13 - 16 across various member states) and the ability for member states to enhance the rules around employee data.
We will be providing detailed analysis of the GDPR in early 2016 once the GDPR has been ratified. Nonetheless, to whet your appetite the following is a summary of some of the most significant issues:
Joint Liability for Data Processors
Under the GDPR, controllers and processors will be jointly liable for data protection breaches. This is a significant change from the current regime, and whilst this will have consequences for all data processors, it will have particular consequences for both cloud providers and those businesses that rely on cloud services.
Increased Fines & Breach Notifications
The final draft of the GDPR contains a fine structure that is even greater than what was first anticipated. It has introduced a two tier structure with maximum fines of up to €20 million or 4% of global annual turnover for breaches of specific provisions such as a breach of the international transfer provisions. A second lower tier of €10 million or 2% of global annual turnover applies for certain administrative and security breaches, such as failure to maintain processing records in accordance with the GDPR.
As well as these increased fines the GDPR contains mandatory requirement to notify breaches to the regulator within 72 hours of the breach and in certain circumstances individuals will also need to be notified of the breach.
Whilst the GDPR has not gone so far as requiring express consent for all data processing it will significantly change the current consent regime. It still states that consent must be unambiguous, the change is around the purpose for which you have obtained consent. If you have collected data for a specific purpose, the individual's express consent will be required if you then want to process the data for a different purpose. Express consent will be required to process sensitive personal data.
Data Protection Officer ("DPO")
It was anticipated that all organisations would be required to have a DPO; however, after lengthy debates on the topic, this requirement has been curtailed. Larger organisations that regularly gather data on individuals or those that process large amounts of sensitive personal data will be required to appoint a DPO.
Many data controllers currently rely on the legitimate interests as the legal basis for processing personal data. The GDPR will seriously restrict organisations' ability to rely on this legal basis as it has imposed a number of restrictions around the situations where this legal basis can be relied upon.
As well as discussing the above in more detail, over the coming weeks we will also be focusing on the various exemptions within the GDPR for the Public Sector and SMEs.
The next two years will be a busy time as we all prepare for the GDPR coming into force. We will begin to get a clearer picture of how each member state plans to enforce the GDPR as regulators and governments begin to release statements on the final draft.