On December 17, 2015, after three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the final draft of the EU General Data Protection Regulation (the “Regulation”), which is backed by the Committee on Civil Liberties, Justice and Home Affairs.
The Regulation replaces Directive 95/46/EC (the “Directive”), which was enacted in 1995, and will significantly change EU data protection laws. Once officially adopted by the European Parliament and the Council of the European Union, it will apply in EU Member States after a period of two years.
The Regulation will significantly affect businesses in all industry sectors. Below is a summary of key changes to the EU data protection landscape under the informal text published on December 17:
Harmonization of Legislations
- One-Stop-Shop. Where a business is established in more than one EU Member State, the data protection authority (“DPA”) of the main establishment of the business will act as the lead authority for the business’ cross-border processing. In addition, each DPA will have jurisdiction over complaints and possible violations of the Regulation.
- Reduction of Administrative Burden. National registrations and prior authorization registrations will be abolished by the Regulation. Each controller will have to maintain a record of its data processing activities, however.
- Legitimate Interest. Under the Regulation, throughout the EU, legitimate interest will become a legal ground for lawful processing and in certain circumstances, for international transfers of personal data.
Wider Scope
- Territorial Scope. The Regulation will apply to the processing of personal data by controllers or processors established within the EU. The Regulation also will apply to controllers and processors established outside the EU, where their processing activities relate to the offering of goods and services to individuals in the EU or to the monitoring of such individuals’ behavior.
- Definition of Personal Data. The definition of personal data will cover a wider range of data types, including online identifiers or any factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity.
Increased Obligations
- Consent. Under the Regulation, consent must be freely given, specific and informed, and must constitute an unambiguous indication, either by a statement or by a clear affirmative action, of the data subject’s wish to agree to the processing of his or her personal data.
- Consent for Children’s Data Processing. Parental consent is required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.
- Mandatory Data Protection Officer. The designation of a data protection officer (“DPO”) will be compulsory where (1) the processing is carried out by a public authority or body, (2) the core activities of the controller or processor require regular and systematic monitoring of individuals on a large scale, or (3) the core activities of the controller or processor include processing certain types of data on a large scale, including data relating to criminal convictions and offenses. In other situations, a DPO may be appointed by the controller or processor on a voluntary basis, or must be appointed where required by EU Member State law.
- Privacy Impact Assessments. Controllers will be required to perform a data Privacy Impact Assessment (“PIA”) where the processing of personal data likely involves high risk to the rights and freedoms of individuals. In particular, a PIA will be required for automated data processing activities, including (1) profiling leading to decisions that produce legal effects for the individual, (2) where the processing includes large scale processing of certain types of data, or (3) systematic monitoring of a publicly accessible area on a large scale.
- Privacy by Design and by Default. Controllers will be required to establish and maintain appropriate technical and organizational measures (e.g., pseudonymization) to implement data protection principles in an effective way and to integrate the necessary safeguards into data processing. In addition, appropriate technical and organizational measures also must be implemented so that, by default, only the data necessary for each specific purpose of processing is collected.
- Data Breach Notification. In the event of a data breach, controllers must notify the competent DPA without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in risk to individuals’ rights and freedoms. Where the breach likely involves high risks to individuals’ rights and freedoms, controllers also must communicate the breach to the individuals concerned without undue delay.
- More Obligations on Data Processors. The processing of personal data by a processor must be governed by a contract between the processor and the controller. Furthermore, the processor will be directly liable for the security of personal data during its processing activities.
- Accountability. Controllers must implement “appropriate technical and organizational measures in order to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the Regulation.”
Strengthened Individuals’ Rights
- Information Notices. Controllers must take appropriate measures to provide information regarding the processing of personal data to individuals in a concise, transparent, intelligible and easily accessible form.
- Right to Object. Where a controller relies on the public interest or legitimate interest as legal basis for the data processing, individuals will be allowed to object to that processing “unless the controller demonstrates compelling legitimate grounds for the processing,” which override the rights of the individual. The individual also will be allowed to object to the processing of his or her personal data for direct marketing purposes, including profiling.
- Profiling. Individuals will have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects for them or otherwise significantly affects them. However, profiling will be allowed where it is necessary for entering into a contract between the controller and the data subject, where it is authorized by the law of a Member State that provides measures to safeguard the data subject’s rights, or where it is based on the data subject’s explicit consent.
- Data Portability. The Regulation will allow individuals to receive personal data concerning them in a structured, commonly used and machine-readable format. Individuals also will be able to request, where technically feasible, that the controller transmit their personal data directly to another controller.
- Right to Erasure. Subject to certain exceptions, individuals will be able to request the erasure of their personal data without undue delay.
Increased Enforcement, Fines and Liability
- Right to a Remedy. The Regulation grants data subjects the right to seek judicial remedies against DPAs, controllers and processors.
- Right to Compensation. Individuals will have the right to obtain compensation for damages resulting from violations of the Regulation by a controller or processor.
- Sanctions for Non-Compliance. Depending on the provision of the Regulation that is violated, companies may be sanctioned with fines of up to €20 million or 4% of annual worldwide turnover.
- Supervisory Authorities Enforcement Powers. DPAs will be given wide-ranging powers to enforce compliance with the Regulation, ranging from the power to order the controller or processor to comply with a data subject’s request, to the power to impose a ban on data processing.
- European Data Protection Board (“EDPB”). The Regulation grants the EDPB the authority to issue opinions, adopt binding decisions on the application of the Regulation, and issue guidelines, recommendations and best practices.
Cross-border Data Transfers
- Data Transfers. Transfers of personal data outside the EU will be allowed where the European Commission has issued an adequacy decision regarding the level of data protection provided in the jurisdiction to which the data is transferred. Previous adequacy decisions issued under the Directive will remain in force. In addition, transfers of personal data will be allowed on the basis of legitimate interest if the transfer is not repetitive and concerns only a limited number of individuals.
- EU Model Clauses. Under the Regulation, no specific authorization from DPAs will be required with respect to EU Model Clauses. In addition, EU Model Clauses approved by the European Commission under the Directive will remain valid under the Regulation.
- Binding Corporate Rules (“BCRs”). The Regulation officially recognizes BCRs as a valid mechanism to transfer personal data outside the EU.
Next Steps
The informal agreement will be discussed at the Council level, in the Committee of Permanent Representatives on Friday, December 18, 2015. The Regulation still has to be voted on by the European Parliament in plenary during spring 2016, or if no further discussion is required, by early 2016.
See the European Parliament press release.