Privacy & Information Security Law Blog

Hunton & Williams’ EU Privacy and Cybersecurity practice lawyers recently authored The Proposed EU General Data Protection Regulation – A guide for in-house lawyers (the “Guide”), addressing the key impacts of the forthcoming changes to EU data protection law. Current EU data protection law is based on the EU Data Protection Directive 95/46/EC (the “Directive”), which was introduced in 1995. An updated and more harmonized data protection law, in the form of a Regulation, has been proposed by the EU’s legislative bodies to replace the Directive. The Guide is intended to assist in-house lawyers in understanding the likely impact of the Regulation on businesses. While still under negotiation, the Regulation will significantly change the landscape of EU privacy and data protection in several key areas, including:

• substantial new penalties of up to €100 million, or 2-5% of annual worldwide turnover, whichever is greater;
• increased territorial scope, capturing many businesses that do not have compliance obligations under current EU data protection laws;
• tighter requirements for obtaining valid consent to the processing of personal data;
• new restrictions on profiling and targeted advertising;
• data breach reporting obligations that apply across the board;
• direct legal compliance obligations for “data processors;” and
• extended data protection rights for individuals, including the “right to be forgotten.”

It is anticipated that the Regulation will be adopted toward the end of 2015 or in the first half of 2016. However, the Regulation will not come into force until 2017-2018, allowing organizations to adjust their compliance practices in light of the new law.