On 15 December 2015, the three main European institutions, the Commission, the Parliament and the Council, agreed on the final text of the General Data Protection Regulation (GDPR) which has been on the table since January 2012. This is a major achievement, given the number of obstacles that still needed to be overcome a few weeks ago in order to meet the end of 2015 deadline for finalizing the GDPR. The GDPR provides a brand new single set of rules for the protection of data within the whole Europe and these rules are very different from those enshrined in the 95/46/CE Directive. Below is a summary of the features of the GDPR which are likely to have the most substantial impact on businesses.
1. One stop shop (Article 51)
Until now, groups of companies established in Europe had to deal with as many Data Protection Authorities as countries where they were operating. The GDPR set up the so-called one-stop shop mechanism which is aimed at simplifying the life of businesses. Indeed, a company established in more than one Member State will have to indicate its main establishment to the supervisory authority (formerly called Data Protection Authorities) where its main establishment is located and will be in touch with such sole supervisory authority, called the “lead supervisory authority”, for all of its data protection issues in Europe.
For the data controller (i.e. the entity that makes the decisions), the main establishment should be the place where the decisions on the purposes and means of the processing of personal data are taken. For the data processor (i.e. the entity that processes the data on behalf of someone else), the main establishment should be the place of its central administration in the Union. This is clearly a business-friendly provision.
On the other hand, European citizens will be allowed to lodge a complaint not only with the lead supervisory authority designated by the defending company but with the supervisory authority in any Member State. The idea behind that is to provide individuals with effective means of redress.
In practice for example, US tech companies that have their European headquarters in Ireland, such as Facebook, Amazon, Google and eBay, will have to deal with the Irish supervisory authority for general data protection matters, but could be sued by individuals in any Member State.
2. Increased fines (Article 79)
The 95/46/CE Directive left it up to the Member States to lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to the Directive which led to a discrepancy in the amount of financial sanctions among Member States. For example in the UK, the maximum fine is £500,000 whereas in France, it is 1.5 million €. The three European institutions agreed to harmonize and increase the maximum amount of financial sanctions up to 4 % of the undertaking worldwide annual turnover. The amount of the fine will depend on several factors such as the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, the number of individuals affected and the actions taken by the infringer to mitigate the damage suffered by the persons concerned.
3. New obligations imposed on companies
a) Data breach notifications (Articles 31 and 32)
Companies will have to notify the supervisory authority of data breaches within 72 hours. And the notification must be documented. In some cases, companies will also have to notify the data breaches in question to the affected individuals without undue delay.
b) Data protection impact assessment (Article 33)
Regarding any processing that represents a risk for the rights and freedoms of individuals, large companies will have to carry out a data protection impact assessment prior to the processing.
c) Data protection officer (Article 35)
Large companies will have to appoint a data protection officer (DPO) with a data protection law expertise. The data protection officer may be employed by the company or fulfill his/her tasks on the basis of a service contract. Individuals will have the right to contact the DPO on all issues related to the processing of their data and to exercise their rights. The DPO’s tasks include advising the company on data protection issues, monitoring compliance with the GDPR and acting as contact point for the supervisory authority.
* * *
The Regulation should be formally adopted in January 2016 by the European Parliament and Council and become enforceable two years thereafter. We will provide a more detailed analysis of the final text once it has been adopted.