After nearly 4 years of negotiations, yesterday evening the EU reached agreement on the final provisions of its new data protection laws. With it, a new era of data protection has been ushered in that will have far reaching consequences for organisations both inside and outside of the EU.
In January 2012, the European Commission put forward its proposals for data protection reform, which included text for a new General Data Protection Regulation. Following negotiations this year with the European Parliament and the Council (the so-called 'trilogues' meetings), the three institutions reached final agreement on the Regulation's provisions late last night.
Key issues are:
- 4% fines – serious breaches of the Regulation's requirements could result in organisations facing fines of up to 4% of annual worldwide turnover (i.e., gross revenue).
- One continent, one law – the Regulation will establish one set of rules across the EU and replace national laws that fall within its scope (few exceptions will apply). In theory this should reduce some of the administrative burden and costs organisations currently face when navigating the differing privacy laws of the EU's 28 member states.
- International application – companies based outside of Europe will be subject to the Regulation when offering services in the EU.
- Data breach notification – mandatory data breach reporting obligations will apply to a broad array of organizations throughout (and outside) the EU.
- Consent – processing personal data on the basis of a person's consent will become more challenging. To be valid, consent will need to be supported by strong evidence; i.e., clear and unambiguous indication of a data subject's agreement to the processing of their personal data.
- Parental consent – the collection of personal data from children will be more strictly regulated and require parental consent. Unfortunately, agreement could not be reached on the age for which organisations will need to seek parental consent. Each member state will therefore be free to set any age from 13 to 16 as the parental consent trigger.
- Personal Data – the definition of Personal Data is likely to explicitly include online identifiers and location data.
- Data Processors – the Regulation will place requirements in relation to the use and handling of personal data directly on "data processors" (i.e. entities, such as a service provider, that process personal data on behalf of a data controller).
- Increased rights and protections for individuals – organisations will be required to provide more detailed information about how they collect and use personal data. Data subjects will also have increased rights to control their data. For example, they will have rights to require that data be deleted through the "right to be forgotten" and for it to be easier to move data to new service providers through a right to "data portability".
- Greater operational governance and controls – organisations will face increased requirements to implement strong privacy governance controls. This includes, depending on the exact circumstances of the company and proposed data processing, obligations to appoint a Data Protection Officer, undertake Privacy Impact Assessments for products, services and procedures where personal data is collected and obligations to implement privacy-by-design principles into processes.
Following political agreement reached in trilogue, the final text of the Regulation will be formally adopted by the European Parliament and Council at the beginning 2016. The new rules will come into force two years thereafter.
For organisations now is the time to start planning for compliance and working effectively over the next two years to be ready for what is a much stricter privacy regime. In particular, US based organisations and other organisations based outside of the EU should start to assess the impact of being subject to the Regulation when offering services in the EU.
Organisations should start their compliance preparation by assessing their existing approach against good industry practice. Those organisations that are already developing privacy programmes or have implemented good privacy frameworks are likely to be well placed to meet the Regulation's requirements.
We will continue to provide specific updates on individual parts of the Regulation.