On December 17, 2015, after three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the final draft of the EU General Data Protection Regulation (the “Regulation”), which is backed by the Committee on Civil Liberties, Justice and Home Affairs.
The Regulation replaces Directive 95/46/EC (the “Directive”), which was enacted in 1995, and will significantly change EU data protection laws. Once officially adopted by the European Parliament and the Council of the European Union, it will apply in EU Member States after a period of two years.
The Regulation will significantly affect businesses in all industry sectors. Below is a summary of key changes to the EU data protection landscape under the informal text published on December 17:
Harmonization of Legislations
- One-Stop-Shop. Where a business is established in more than one EU Member State, the data protection authority (“DPA”) of the main establishment of the business will act as the lead authority for the business’ cross-border processing. In addition, each DPA will have jurisdiction over complaints and possible violations of the Regulation.
- Reduction of Administrative Burden. National registration and prior authorization requirements will be abolished by the Regulation. Each controller will, however, have to maintain a record of its data processing activities.
- Legitimate Interest. Under the Regulation, throughout the EU, legitimate interest will become a legal ground for lawful processing and in certain circumstances, for international transfers of personal data.
- Territorial Scope. The Regulation will apply to the processing of personal data by controllers or processors established within the EU. The Regulation also will apply to controllers and processors established outside the EU, where their processing activities relate to the offering of goods and services to individuals in the EU or to the monitoring of such individuals’ behavior.
- Definition of Personal Data. The definition of personal data will cover a wider range of data types, including online identifiers or any factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
- Consent. Under the Regulation, consent must be freely given, specific, informed and unambiguous: the data subject must indicate agreement to the processing of his or her personal data either by a statement or by a clear affirmative action.
- Consent for Children’s Data Processing. Parental consent is required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.
- Mandatory Data Protection Officer. The designation of a data protection officer (“DPO”) will be compulsory where (1) the processing is carried out by a public authority or body, (2) the core activities of the controller or processor require regular and systematic monitoring of individuals on a large scale, or (3) the core activities of the controller or processor include processing certain types of data on a large scale, including data relating to criminal convictions and offenses. In other situations, a DPO may be appointed by the controller or processor on a voluntary basis, or must be appointed where required by EU Member State law.
- Privacy Impact Assessments. Controllers will be required to perform a data Privacy Impact Assessment (“PIA”) where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. In particular, a PIA will be required where the processing involves (1) automated processing, including profiling, on which decisions producing legal effects for the individual are based, (2) large-scale processing of certain types of data, or (3) systematic monitoring of a publicly accessible area on a large scale.
- Privacy by Design and by Default. Controllers will be required to establish and maintain appropriate technical and organizational measures (such as pseudonymization) to implement data protection principles in an effective way and to integrate the necessary safeguards into the processing. In addition, appropriate technical and organizational measures must be implemented so that, by default, only the personal data necessary for each specific purpose of the processing are processed.
- Data Breach Notification. In the event of a personal data breach, controllers must notify the competent DPA without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals’ rights and freedoms, controllers also must communicate the breach to the affected individuals without undue delay.
- More Obligations on Data Processors. The processing of personal data by a processor must be governed by a contract between the processor and the controller. Furthermore, the processor will be directly liable for the security of personal data during its processing activities.
- Accountability. Controllers must implement “appropriate technical and organizational measures in order to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the Regulation.”
Strengthened Rights of Individuals
- Information Notices. Controllers must take appropriate measures to provide information regarding the processing of personal data to individuals in a concise, transparent, intelligible and easily accessible form.
- Right to Object. Where a controller relies on the public interest or legitimate interest as legal basis for the data processing, individuals will be allowed to object to that processing “unless the controller demonstrates compelling legitimate grounds for the processing,” which override the rights of the individual. The individual also will be allowed to object to the processing of his or her personal data for direct marketing purposes, including profiling.
- Profiling. Individuals will have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects for them or otherwise significantly affects them. However, such a decision will be allowed where it is necessary to enter into a contract between the controller and the data subject, where it is authorized by the law of a Member State that provides measures to safeguard the data subject’s rights, or where it is based on the data subject’s explicit consent.
- Data Portability. The Regulation will allow individuals to receive the personal data concerning them in a structured, commonly used and machine-readable format. Individuals also will be able to request, where technically feasible, that the controller transmit their personal data directly to another controller.
- Right to Erasure. Subject to certain exceptions, individuals will be able to request the erasure of their personal data without undue delay.
Increased Enforcement, Fines and Liability
- Right to a Remedy. The Regulation grants data subjects the right to seek judicial remedies against DPAs, controllers and processors.
- Right to Compensation. Individuals will have the right to obtain compensation for damages resulting from violations of the Regulation by a controller or processor.
- Sanctions for Non-Compliance. Depending on the provision of the Regulation that is violated, companies may be sanctioned with fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
- Supervisory Authorities Enforcement Powers. DPAs will be given wide-ranging powers to enforce compliance with the Regulation, ranging from the power to order the controller or processor to comply with a data subject’s request, to the power to impose a ban on data processing.
- European Data Protection Board (“EDPB”). The Regulation grants the EDPB the authority to issue opinions, adopt binding decisions on the application of the Regulation, and issue guidelines, recommendations and best practices.
Cross-border Data Transfers
- Data Transfers. Transfers of personal data outside the EU will be allowed where the European Commission has issued an adequacy decision regarding the level of data protection provided in the jurisdiction where the data is transferred. Previous adequacy decisions issued under the Directive will remain in force. In addition, transfers of personal data will be allowed based on legitimate interest if the transfer is not repetitive and concerns only a limited number of individuals.
- EU Model Clauses. Under the Regulation, no specific authorization from DPAs will be required with respect to EU Model Clauses. In addition, EU Model Clauses approved by the European Commission under the Directive will remain valid under the Regulation.
- Binding Corporate Rules (“BCRs”). The Regulation officially recognizes BCRs as a valid mechanism to transfer personal data outside the EU.
The informal agreement will be discussed at the Council level, in the Committee of Permanent Representatives, on Friday, December 18, 2015. The Regulation still has to be adopted by the European Parliament in a plenary vote, expected in spring 2016 or, if no further discussion is required, in early 2016.
See the European Parliament press release.