With the festive season now firmly upon us, there are indications that European Union institutions could soon be delivering an early Christmas present to businesses: the conclusion of trilogue negotiations on the General Data Protection Regulation (‘GDPR’).
The GDPR, according to the latest document to come out of Brussels, aims to “reinforce data protection rights of individuals, facilitate the free flow of personal data in the digital single market and reduce administrative burden.” The EU Commission, Parliament and Council are currently locked in closed-door negotiations to agree to the final text of the GDPR, and while some uncertainty remains over the exact provisions that will be included, the latest available text from the European Presidency indicates that the key changes will be that:
- Sanctions will be enhanced, with maximum fines of €1 million or 2% of annual worldwide turnover, whichever is greater.
- Organisations that are not established in the EU, but which offer goods or services to individuals in the EU or monitor their behaviour, may be subject to the Regulation.
- It will be harder for businesses to obtain valid consent as all consents must be “explicit,” either by way of a statement or a clear affirmative action.
- Organisations with multiple establishments across the EU will only have to deal with one lead supervisory authority in which their ‘main’ establishment is located. This is the controversial “one-stop-shop” principle.
- Data controllers will be under a mandatory obligation to report data breaches to DPAs, and in some circumstances, to the affected individuals.
- Data processors will, for the first time, be subject to direct regulatory obligations. These could include an obligation to inform the data controller immediately upon discovering a data breach, appointment of a Data Protection Officer in certain circumstances, and implementation of appropriate technical and organisational information security measures.
Despite the imminent conclusion of negotiations over the final text, the European Data Coalition (‘EDC’) has urged the trilogue to slow down its discussions. On 1 December 2015, the Coalition (made up of European companies ranging from SMEs to global multinationals and nonprofit organisations), sent a letter to all 28 EU countries warning that “what is being proposed is not fit for purpose, it does not capture the rapidly changing nature of the information society nor the essence of data-based relationships.” The Coalition has called on heads of state and leading EU officials to delay the adoption of the GDPR, and to amend its provisions in line with those outcomes the EDC believes are central to achieving a Digital Single Market.
Once the GDPR is finalised, there will be a two-year transition period until it comes into effect. Organisations should use this time to fully consider the implications of GDPR on their operations, and to implement any changes necessary to ensure compliance with the increasingly long arm of European data protection law.