New Data Protection Regulation (Finally) Agreed
The European Commission first outlined its proposal for a radical overhaul of Europe’s data protection legal framework on 25 January 2012. Almost four years later, agreement has finally been reached on the new General Data Protection Regulation (the “GDPR”). The draft GDPR was agreed by the Commission, the European Parliament and the EU Council late on 15 December and was also passed by a vote of the Committee on Civil Liberties, Justice and Home Affairs on 17 December. The final text will be formally adopted by the European Parliament and Council in early 2016 and businesses will have a two-year window before the GDPR becomes applicable across Europe in 2018.
We continue to await the final text early next year, but from the current consolidated draft text, weighing in at over 200 pages, and from press releases issued by the Commission and Parliament, organisations can expect the following key features:
- Significantly increased fines: Earlier versions of the draft GDPR proposed maximum fines of 5% or 2%. This difference has been resolved and companies can be fined up to €20 million or 4% of annual global turnover for breaches of data protection law. The level of fine imposed will depend on the seriousness or repeated nature of a breach.
- Enhanced definition of consent: The European Parliament’s press release highlights the GDPR’s provisions on clear and affirmative consent to the processing of private data by the person concerned, so as to give consumers more control over their private data. This could, for example, mean ticking a box when visiting a website, or another statement or action clearly indicating acceptance of the proposed processing of the personal data. Silence, pre-ticked boxes, or inactivity will thus not constitute consent. It should also be as easy for a consumer to withdraw consent as to give it. The new GDPR also puts an end to “small print” privacy policies; information should now be given in clear language before the data is collected.
- One stop shop: The initial Commission proposal of a one stop shop mechanism was expected to be watered down considerably and the current state of play is that multinationals who have multiple establishments across Europe will deal with the supervisory authority of the Member State in which the company has its “main establishment.” There are circumstances, however, in which the lead supervisory authority will be required to consult and co-operate with authorities within other affected Member States.
- Data Protection Officers: Entities will be obliged to appoint a Data Protection Officer (DPO) where, on a large scale and as part of their core activities, they regularly and systematically monitor data subjects or process sensitive personal data. SMEs will be exempt where data processing is not their core business activity.
- Mandatory breach reporting: The GDPR imposes a requirement on data controllers to notify data breaches without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.
- Data portability: Individuals will be entitled to easier mechanisms for the transfer of their personal data between service providers. Concerns have been raised as to the administrative burden that this may place on data controllers.
- Right to be forgotten: Data subjects will have the right to have their information erased from the databases of companies holding their personal data subject to there being no legitimate grounds for retaining it.
- Data access requests: The statutory fee of €6.35 for an access request will be abolished; however, organisations will welcome a new provision covering requests that are manifestly unfounded or excessive, in which case the controller may charge a reasonable fee or may refuse to act on the request.
The new GDPR is the most significant development in the area of data privacy for 20 years and will affect organisations globally, given the broad territorial application of the GDPR, which catches organisations outside Europe that offer services into the EEA. Businesses have a significant lead-in time to consider and implement the provisions of the GDPR during the two-year transition period. Once the final text is approved, organisations should audit their existing data practices and policies and put in place timelines for implementation of the new changes. The European Commission has also stated that it will work closely with Member States’ Data Protection Authorities to ensure a uniform application of the new rules and will work to inform citizens about their rights and companies about their obligations.
Ronan Daly Jermyn’s Data Protection Team will provide an analysis on the full implications of the new GDPR when the final text is released in spring 2016.
If you have any queries in relation to the content of this update, please contact:
Jennifer O’Sullivan at firstname.lastname@example.org or +353 21 4802746