On December 17, 2015, following four years of sometimes acrimonious debate, the EU Parliament and Council of the European Union informally agreed on the final draft of the General Data Protection Regulation (“GDPR”). The GDPR will replace what privacy experts refer to simply as “95/46” (the 1995 law known as the EU Data Protection Directive) once officially adopted by the Parliament and Council of the EU. It will go into effect two years from passage.
Multinational companies should use the next two years to begin aligning privacy policies and practices with the principles in the new regulation. Key elements of the GDPR include:
- One Law/One Rule: Unlike 95/46, which was enacted by EU individual member states, the GDPR applies to all EU member nations and is intended to create more consistency across the EU regarding data protection. A business that operates in more than one member state will now deal only with the Data Protection Authority (“DPA”) in the country where the business is most established. This lead DPA will handle cross border data transfers.
- Broader Brush: The GDPR is expressly extra-territorial. It applies on its face to data controllers and processors outside the EU where their data processing activities affect EU residents. Also, the definition of “personal data” has been expanded to include information related to a data subject’s physical, physiological, genetic, mental, economic, cultural or social identity.
- Consent Rules: Consent remains a valid basis upon which to process data, though likely not in the employment context. Under the GDPR, consent must be freely given, specific, informed and constitute an unambiguous indication of the data subject’s agreement to the processing of the data subject’s personal data.
- Data Breach Notification: The GDPR establishes a uniform data breach notification requirement applicable to all data controllers. In the event of a data breach leading to the loss, access or disclosure of personal data, controllers must notify the appropriate DPA “without undue delay,” and, where feasible, within 72 hours. Like many US data breach notification laws, GDPR contains a notice exception where the data is encrypted or where it is unlikely the data subject will be harmed.
- Required Data Protection Officers: The GDPR requires data controllers and processors to appoint a data protection officer (“DPO”) if the business’s “core activities” consist of regular and systematic data subject monitoring or the processing of sensitive personal data (relating to, e.g., health, ethnicity, trade union membership) or data relating to criminal convictions and offenses.
- Rules on Data Transfer: Binding Corporate Rules are recognized as the “gold standard” for data transfer. Also, data transfer out of the EU will be allowed where the European Commission has issued a decision affirming the adequacy of the level of data protection in the country to which the data is being transferred. DPAs will not have to approve EU Model Contract Clauses, which remain valid under the GDPR.
- Sanctions: GDPR gives data subjects a private right of action in EU courts. Data subjects will have a right to money damages from either controllers or processors for harm caused by processing personal data. DPAs will have enforcement authority similar to US regulators. A European Data Protection Board will issue opinions, adopt binding decisions and otherwise oversee data protection processes.