Earlier this week, on December 15, 2015, EU officials approved the text of new data privacy regulations after nearly four years of discussions. The EU-wide bill, which will supersede what is now known as the EU Data Protection Directive, is intended to unify the patchwork of 28 national privacy laws, and bring the rules up to date for the digital age. The text is expected to be approved in early 2016 by the European Parliament and Council before it then goes in effect two years thereafter. The reform measures include the General Data Protection Regulation (GDPR), governing the use and privacy of EU citizen data, as well as the Data Protection Directive, governing the use of EU citizen data by law enforcement.
European Union’s successor privacy legislation: the General Data Protection Regulation.
Supporters of the GDPR praise it as a way for EU citizens to regain control of their personal data. Highlights of the new policies include the following:
- Transparency, consent, access: Access to more information on what data is collected and how it is used; requirement for explicit consent for use of data; notification requirements when data has been compromised;
- Harmonization: Establishment of one single set of rules for the EU for anyone doing business in the EU;
- Onus on data processors: Making data processors, and not just data controllers, liable for breaches and misuse, and requiring companies to appoint a data protection officer if they process sensitive data on a large scale or collect information a large number of consumers;
- Protection of minors: Parental consent for children under 16 using social networking (individual countries may lower this to 13);
- Notification: Requiring companies and organizations to promptly notify the relevant national supervisory authority of serious data breaches;
- Right to be Forgotten: Rendering as law, the so called right to be forgotten so that when an individual requests that a company not process their data, provided there are no legitimate reasons for retaining it, the data must be deleted.
The rules will have significant implications for any business that uses the personal data of EU citizens. Some businesses, such as online advertising and data analytics companies, rely heavily on personal data. Requiring additional consents for data repurposing and profiling will force changes on how many global companies do business in the EU.
Potential sanctions for violations have also garnered attention and concern. Serious breaches to privacy rules could see stiff penalties of up to four percent of a company’s annual global revenue—an act many have criticized as overreaching.
Further, while harmonization was one of the primary goals of the GDPR, individual nations will retain much autonomy. Each country’s national data protection authority will have jurisdiction over companies whose European headquarters reside therein, but negotiations have opened the door for privacy regulators from other countries to initiate enforcement actions. At the same time, a new pan-EU board will have authority to overturn decisions by national regulators. These provisions have confusing effects on the legal certainty that had been promised by the GDPR.
Companies with customers or operations in the EU are advised to monitor the status of the GDPR and review their privacy policies to determine what changes will need to be made to meet compliance standards once the GDPR is in effect.