In 2012, the European Commission published its EU Data Protection Reform as part of its digital age package. The contents of the proposal have been the subject of heavy debate ever since.
Finally, yesterday, on 15 December 2015, the Commission announced that it had reached an agreement on the content of the reform with the European Parliament and the Council, following final negotiations among the three institutions (so-called 'trilogue' meetings). This long-awaited news concludes the EU data protection "super fall", which started with the Court of Justice of the European Union (CJEU) decisions in Weltimmo and Schrems, the latter of which declared the Commission's "Safe Harbor" decision invalid, leaving data transfers to the US under that regime without a valid legal basis.
The final text of the General Data Protection Regulation (GDPR) will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable two years thereafter.
The GDPR will be directly applicable in all EU member states, and it will replace the previous EU Data Protection Directive (95/46/EC) in its entirety. Establishing one single set of rules will hopefully make it simpler and cheaper for companies to do business in the EU. On the other hand, the GDPR does not harmonize sector-specific legislation, e.g., e-communications or employment privacy laws.
The GDPR will raise the bar for data protection in the EU, but it is also likely to influence laws and practices elsewhere. The GDPR will bring many significant changes to all parties involved in data processing, which means that companies must take a careful look at how they process personal data during the transitional period to ensure compliance by 2018.
Here is a high-level description of some of the most significant changes (the list that appears below is based on the European Commission's press release on 15 December 2015 and is thus subject to change upon official publication of the GDPR):
- Expansion of territorial reach ("European rules on European soil"): In addition to EU-based companies that are currently subject to EU data protection legislation, the GDPR will adopt a "consumer law approach" as it will also apply to companies not established in the EU but which offer goods or services to EU residents or monitor EU residents' behavior.
- Direct liability for both data controllers and processors: While the current EU legislation imposes obligations directly only on data controllers, the GDPR will also apply directly to data processors.
Data subjects' rights
- Definition of Consent: The definition of consent will become stricter: consent must be explicit and given either in a statement or by a clear affirmative action. The GDPR will also contain specific provisions on children's personal data.
- Data Portability: The GDPR will make it easier to transfer personal data between service providers if the right-holder so wishes.
- Data Subjects will be given a Right to be Forgotten: When data subjects no longer want their data to be processed, and there are no legitimate grounds for retaining it, the personal data must be deleted.
Sanctions and Enforcement
- Raised administrative fines: The maximum fines for data protection violations will increase drastically. Depending on the circumstances, a negligent or intentional violation of the GDPR could, according to the latest information published by the Council, lead to a maximum fine of EUR 2 000 000 or, in the case of an undertaking, 4 % of its total worldwide turnover of the preceding financial year. The 4 % figure was confirmed yesterday by the European Parliament's rapporteur on the data protection regulation, Jan Philipp Albrecht (http://www.greens-efa.eu/eu-data-protection-rules-15003.html).
- One-stop-shop: Businesses will only have to deal with one single supervisory authority in the EU.
- Appointment of a Data Protection Officer: Companies will have to appoint a Data Protection Officer (DPO), who serves as the main contact for supervisory authorities and oversees the company's compliance with the GDPR. Only SMEs are exempt from the obligation to appoint a DPO, and only insofar as data processing is not their core business activity.
- Data Breach Notifications: Companies must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.
- Privacy by Default and Design: Companies must make privacy a "built-in feature", which means that they have to design new technologies, products and services so that compliance is included in them from the start. Companies will also have to implement mechanisms to ensure by default that data is only processed for the intended purposes and that only the necessary data is collected.
- Obligation to Perform a Data Protection Impact Assessment (DPIA): If the intended processing presents significant risks to the rights and freedoms of data subjects, the controller (or the processor acting on behalf of the controller) is required to perform a DPIA, i.e. an assessment of the risks to data subjects' privacy that may result from that particular processing. SMEs will not be obligated to carry out a DPIA unless the processing involves a high risk.
The GDPR poses higher non-compliance and reputational risks for companies that process personal data. Furthermore, many of the upcoming changes may entail significant financial burdens unless they are solved in a cost-effective, technological way (e.g. the right to be forgotten and data portability). It is therefore essential to perform a comprehensive legal and technical assessment of what personal data is currently being processed and how, as well as of how right-holders are informed of the processing.
In this connection it is also important to ascertain the basis for cross-border data transfers and especially of transfers of personal data to the US. Although the new Safe Harbor agreement may be concluded in early 2016, its practical implications are still unclear. Therefore, companies that have previously relied upon the old Safe Harbor regime must implement alternative mechanisms to transfer personal data to the US as soon as possible, as EU data protection authorities are likely to start scrutinizing data transfers by the end of January 2016 at the latest (Roschier Briefing note: Safe Harbor is Invalid and Cross-border Transfers of Personal Data May Be Illegal – Consequences of the CJEU's Landmark Privacy Ruling?).