In January 2012, the European Commission published a long-awaited reform package for European data protection legislation, which included the General Data Protection Regulation (the Regulation) and a Directive. The new legislation has far-reaching consequences for companies inside and outside of the EU.
To become law, the new legislation requires approval from the European Parliament and the Council of the European Union (the Council). On 12 March 2014, the first stage of that process was completed when the European Parliament voted overwhelmingly in favour of adopting an amended form of the reform package. Once the Council’s position is clear, negotiations will commence between the two institutions to agree on the final form.
What’s the likely timing for actual adoption? Difficult to say. The Council has not yet stated its position, although the Parliament has stated that it aims to reach an agreement before the end of 2014. The Regulation will have legal effect two years from the date it is formally adopted by the Parliament and the Council. So, mid-2016 at the earliest.
Highlights of the new law (incorporating the European Parliament’s current position):
- Wide territorial scope (potentially covering companies based outside of the EU): Currently, companies with no “establishment” in the EU are not subject to EU data protection laws (even if they offer goods or services to data subjects in the EU). Under the new Regulation, companies based outside of the EU that offer goods/services to data subjects in the EU (irrespective of whether payment is required), or that monitor data subjects in the EU (e.g., tracking website users), will have to comply with EU data protection laws. This could have a significant impact on businesses operating outside the EU that have a customer base in the EU, as they will be caught by EU data protection law for the first time.
- A single, pan-European law and a “one-stop-shop”: Companies will only have to comply with one EU law, not 28 national EU laws, and companies with offices/establishments in the EU will only need to deal with one supervisory authority in the country where they have their main establishment (not, as is currently the case, the supervisory authority in each Member State). Annual notifications to national supervisory authorities will also be a thing of the past. All these changes should make it easier and cheaper to do business in the EU.
- Bigger penalties: Companies that do not comply with EU data protection laws may be fined up to the higher of 5% of global annual turnover or €100,000,000 (up from 2% and €1,000,000 in the Commission’s original proposal).
- Better rights for data subjects; more work for data controllers: The Regulation aims to give EU citizens (data subjects) greater control over their personal data. They will have a “right to erasure”, meaning they can ask the data controller to permanently delete their personal data from its systems. The controller must comply unless there are legitimate grounds to keep the data. Individuals can also request that any links to, copies of and replications of their data are deleted by third parties to whom the data may have been passed. Data subjects will also have a “right to data portability”, making it easier to transfer their personal data between service providers (e.g., between social network providers or email providers).
- Stricter consent requirements: Where consent is needed, the Regulation says that it must be given explicitly; i.e., by a clear affirmative action such as ticking a box (consent cannot be assumed from silence/lack of objection). Businesses will also need to inform data subjects without undue delay about data breaches that could adversely affect them.
- Data protection first and foremost: This requires businesses to build in data protection safeguards from the earliest stage of development of products and services. Privacy should be the default setting and the norm. There are also new requirements for privacy policies, which must be expressed in clear, concise and plain language (using specified graphic symbols), and the controller should explain to the data subject whether his/her personal information will be transferred to commercial third parties, sold, rented out or encrypted. Privacy policies should also state whether the personal data are being collected and/or will be retained beyond the minimum time needed for the specific purpose of the processing, or for different purposes.
- Data Protection Officers (DPOs): Companies processing the data of more than 5,000 people in a year and organisations whose core activities involve processing sensitive data or systematically monitoring people will be required to appoint a DPO (tasked with, for example, monitoring compliance and raising awareness).
The link to the draft Regulation as proposed by the European Commission (2012/0011 (COD)) is available here, and the link to the amended draft Regulation as adopted by the European Parliament on 12 March 2014 can be found here.