Legal Update: New EU Data Protection Regulation Finally Approved
After almost four years of debates, lobbying, and negotiations, the new EU General Data Protection Regulation (the “GDPR”) was finally agreed between the EU Parliament, Commission, and Council on 15 December 2015. The GDPR marks a new era for the legal framework for data protection in the EU, as it will replace the now outdated EU Data Protection Directive 95/46/EC of 1995 (the “Directive”). Certain key components of the new GDPR are presented below.
- One common regulation. The GDPR will establish one set of rules across the EU as the GDPR will replace the national laws that implemented the previous Directive. Due to the form of the legal instrument (a regulation instead of a directive) no substantive national implementation measures will be required. In theory, this may reduce companies’ administrative burden and costs as they no longer need to navigate through the somewhat different data protection laws of each of the 28 EU Member States. However, the GDPR does not entirely remove the differences between the Member States as the GDPR does not exclude Member State law that “defines the circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful”.
- “One stop shop”. Data controllers no longer need to deal with the data protection authorities of each Member State they operate in, but instead they will be accountable to a single national data protection authority in the EU Member State in which the controller has its main establishment.
- Broader scope of applicability. The GDPR will also impose requirements directly on data processors, i.e. entities, such as service providers, that process personal data on behalf of a data controller. The Directive imposed direct obligations only on data controllers; processors were bound only indirectly, through their contracts with controllers.
- Extra-territorial effect. The GDPR will apply not only to EU-based companies, but also to companies outside the EU offering their goods or services to data subjects in the EU, regardless of the data subjects’ nationality. Furthermore, the GDPR will also apply to non-EU companies that monitor the behaviour of data subjects, insofar as the behaviour takes place within the European Union.
- New consent requirements. In order to be regarded as valid, consent to the processing of personal data must be a clear and unambiguous indication of the data subject’s agreement to the processing of their personal data. Thus, implied consent will no longer be sufficient. In addition, the GDPR contains new rules on parental consent for the collection and processing of children’s data. The EU Member States are allowed to set their own age limits for parental consent, provided that the limit is between 13 and 16 years of age.
- Obligation to appoint a data protection officer. The controller and the processor shall designate a data protection officer, inter alia, if the processing is carried out by a public authority; if the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or if sensitive data is processed on a large scale. The agreed wording of the GDPR does not contain any quantitative thresholds (e.g. in terms of the number of employees or data subjects) with respect to the obligation to appoint a data protection officer.
- New data breach notification requirements. The GDPR contains a new mandatory notification obligation requiring data controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Data processors, in turn, must notify the controller without undue delay after becoming aware of a breach. The data controller will also be obliged to inform the affected data subjects about the breach if it is likely to result in a high risk to the rights and freedoms of individuals.
- New rights and protections for individuals. Under the GDPR, companies will be required to provide more detailed information to data subjects about the processing. Data subjects will also have increased control over their data: they will have the right to require their personal data to be deleted if there are no legitimate grounds for retaining it (the “right to be forgotten”), and they will have the right to obtain their data and transfer it to a new service provider (“data portability”).
- Substantial fines for non-compliance. The most severe breaches of the GDPR could result in administrative fines of up to 4% of the company’s total annual worldwide turnover or EUR 20 million, whichever is higher.
The points above are merely some of the headlines. We will conduct a full analysis of the GDPR once the finalised text is published and will report on the GDPR and its contents through our legal updates and our HS Technology newsletter.
The European Parliament’s Civil Liberties Committee confirmed the agreed text in its vote of 17 December 2015. As to the next steps, the Council and the full Parliament will also have to formally approve the text, which is expected to take place at the beginning of 2016. Once the GDPR is formally adopted and published, it will apply after a two-year transition period, i.e. in 2018.
Please feel free to contact our data protection & privacy specialists in case you have any questions about the GDPR.