After almost four years of heated debate, the EU Parliament, Council, and Commission have reached an agreement on the final form of the General Data Protection Regulation ("GDPR"), the most comprehensive reform of data protection law ever envisaged in the EU's history. It is not an exaggeration to say that with the GDPR, a new era of European data protection law will begin. The GDPR will significantly update and modify European data protection law, extend its application to a wider range of non-EU entities, harmonize data protection rules across EU member states, give data subjects important new rights, and significantly increase penalties for noncompliance.
The agreement closes a protracted legislative process that started in January 2012 with the EU Commission's GDPR proposal. While political agreement has been reached, the final text of the GDPR will still need to go through legal and linguistic reviews and is planned to be formally adopted in early 2016. The new rules will become applicable two years after the publication of the final GDPR text. In the meantime, the Commission is expected to work with national data protection authorities to adopt several guidelines for ensuring uniform application.
The key elements of the final GDPR are the following.
A Single European Data Protection Law
The GDPR will take effect as a regulation and in principle will be directly applicable in all EU Member States without the need for national legislation. However, there will be some limited exceptions where Member States are entitled to adopt specific legislation, such as for processing data in the employment context, national ID numbers, and professional secrecy obligations. The use of a regulation will nevertheless reduce the risk of inconsistent or conflicting obligations between different countries, simplify regulatory compliance, and help reduce the costs of doing business internationally. On the other hand, this direct EU-wide application of common data protection rules is likely to result in an increased burden for businesses currently regulated by authorities in jurisdictions that take a relatively more relaxed view of current data protection obligations. For these companies, there will be significant changes in important areas, such as what can constitute "consent" and what processing can be justified as being in a person's "legitimate interests."
The GDPR will apply a "one-stop shop" approach to regulation in which a single national authority should effectively regulate all the processing activities of a business across the EU. Identifying the responsible authority will typically depend on the relevant "main establishment" of the controller and/or processor, but data subjects will remain able to complain to their home regulatory authorities. A new European Data Protection Board will be tasked with resolving differences between national authorities, and there will be an explicit "consistency mechanism" to help ensure standardized enforcement throughout the EU.
Extension of the International Reach of the EU Data Protection Rules
The new rules will apply to non-EU-based companies offering goods or services (whether free of charge or for a payment) to EU residents or monitoring their behavior. Currently, non-EU entities are regulated only if they use EU-located means of processing, although the recent Google Spain decision has already started to expand the jurisdiction of the EU rules.
The Meaning of "Personal Data"
The GDPR sets out a broad definition of what is considered "personal data," expanding the current concept of identification to cover situations where an individual is likely to be "singled out," whether directly or indirectly. The definition is likely to cover identifiers such as cookies and IP addresses as well. Genetic data will be expressly included as personal data and will have the additional protection given to "sensitive personal data," a category that will also be extended to cover biometric data that uniquely identifies a person and data concerning sexual orientation.
Conditions for Processing
The GDPR clarifies that "unambiguous" consent requires a "clear affirmative action." This could include ticking a box on a website, choosing technical settings, or any other statement or conduct that clearly indicates, in the given context, the data subject's acceptance of the data processing. Silence, pre-ticked boxes, or inactivity do not constitute consent. In relation to the offering of information society services to children, consent of the holder of parental responsibility is required for the processing of data of a child below the age of 16 years, or a lower age set at the national level (not below 13 years, however). Consent has to be "explicit" for sensitive data.
"Privacy by Design"
Businesses must consider data protection and privacy in planning and carrying out all processing activities. Data Protection Impact Assessments must be carried out when processing is likely to result in a high risk to the rights and freedoms of individuals. The types of processing concerned will be listed by the various national regulatory authorities; they include systematic and extensive profiling that affects the individual, large-scale processing of sensitive data, and systematic monitoring of a publicly accessible area on a large scale.
New Data Subject Rights
The GDPR gives data subjects a right "to be forgotten," to data portability, and to object to profiling.
International Data Transfers
The "white list" of countries that the EU Commission has decided provide adequate protection, together with the approved standard contractual clauses, will remain valid under the GDPR. However, the GDPR expressly states that the EU Commission needs to monitor, on an ongoing basis, developments in third countries that could affect its adequacy decisions. This can be seen as a reaction to the recent ruling of the European Court of Justice by which the EU–US data protection safe harbor was invalidated. Judgments of courts or decisions of administrative authorities of third countries requiring the transfer of personal data will be enforceable only if based upon an international agreement, such as a mutual legal assistance treaty. This can be interpreted as a clear sign against the extraterritorial application of foreign law, especially US law.
Accountability Obligations for Data Processors
For the first time, the GDPR imposes direct regulatory obligations on data processors, including obligations to maintain records, inform controllers of breaches, and comply with data transfer obligations.
Data Protection Officers
Controllers and processors must appoint a data protection officer if the processing is carried out by a public authority or body (except judicial courts), or if their "core activities" (i.e., their "primary activities" as opposed to "ancillary activities") consist of (i) processing that requires "regular and systematic monitoring" of data subjects "on a large scale," or (ii) large-scale processing of sensitive data.
Data Breach Notification
Unlike the current European Data Protection Directive, the GDPR imposes a general obligation to notify the relevant authority of a data breach, and where the breach is likely to result in a high risk to the rights and freedoms of individuals, data subjects have to be informed as well. Notification of the authority must take place within 72 hours of discovery of the breach.
In the case of undertakings, the GDPR provides for maximum administrative fines of 2 percent or 4 percent of the controller's worldwide annual turnover, depending on the infringement concerned. These fines can be imposed directly by national data protection authorities.