European Union officials finally reached agreement this week on a new European data protection regulation (Regulation) that will essentially tear up existing European laws, introduce a brand new statutory regime and potentially subject companies doing business in Europe (including U.S. businesses) to fines of up to four percent of their annual global revenue.
The idea for new data protection laws in Europe was aired nearly four years ago but, after some fierce debate, only now has agreement been reached between the European Commission, Parliament and Council on the Regulation, which will replace the EU Data Protection Directive 95/46/EC (the Directive).
A key criticism of the Directive is that it was out of date in light of technological advances and the volume and speed with which data flows across borders today. The new law tightens up restrictions on the use and the flow of data whilst empowering EU regulators to levy significantly higher fines for non-compliance.
Importantly, the Regulation will apply directly in each EU Member State without each needing to implement it (as with the Directive) into national law, which can leave room for differences in interpretation.
The agreed-upon text of the Regulation (and what this means for multi-national businesses) will form the basis of a future alert, however, key changes brought about include businesses now only having to deal with a single supervisory authority who will have the power to issue fines of up to four percent of a company’s annual turnover/revenue. Many companies will also now be obliged to appoint data protection officers and to make breach notifications as soon as possible so that data subjects can take appropriate measures.
This significant step forward means that those doing business in Europe can no longer ignore making preparations for the Regulation.
Practically, businesses that deal with data in the EU will need to revisit what they are doing, and what procedures, policies, standards and documents they are using given the new landscape on the horizon. The storm of new laws, new fines and new enforcement should quite rightly fast-track this to the top of Board agendas.
In terms of next steps, the Regulation is expected to be formally adopted by the Parliament and Council early in 2016.