On December 15, 2015, the European Parliament and the Council of the European Union (Council) reached a political agreement on the future EU data protection legal framework. This is a significant step towards adoption of the new EU General Data Protection Regulation (the "Regulation"). It is now very likely that the Regulation will be officially adopted early next year.
Although the text of the agreement has not yet been released, and minor modifications remain possible, it is certain that the Regulation will have significant impacts on how businesses can collect and process the personal data of EU individuals. This alert provides background and discusses the key elements of the forthcoming Regulation.
Background
After an initial proposal released by the European Commission in 2012, the European Parliament and the Council proposed their own respective versions of the Regulation in 2014 and 2015. During the past months, the final text was negotiated at "Trilogue" meetings—i.e., negotiations between representatives of the Council, the European Commission, and the European Parliament. Today's political agreement was reached at the last of these Trilogue meetings.
Key Rules Under the Regulation
The following are a sampling of the key changes under the Regulation. Complete details will be available once the final text is released.
-
New requirements for businesses. The Regulation will replace the current requirements to notify data protection authorities of data processing activities with new requirements to maintain internal documentation on a company's processing activities. In certain cases, companies will need to conduct privacy impact assessments of their data processing activities. In addition, companies will be required to notify the relevant national supervisory authorities and affected individuals of serious data breaches.
-
New rights for individuals. Among other things, the Regulation will codify that individuals have a "right to be forgotten" and create a right to easily transfer personal data from one service or product to another ("right to data portability").
-
International data transfers. The Regulation will maintain the general prohibition of data transfers to non-EU countries that are not officially recognized as "adequate" by the EU, but stricter conditions will apply for obtaining such "adequate" status. This is in line with the EU Court of Justice's recent Schrems decision, which invalidated the EU-U.S. Safe Harbor framework for lack of "adequate" protection.
-
Application and enforcement of the new rules. The Regulation will apply to virtually any business that offers its products and services in the EU market. In particular, the Regulation will apply to the online activities of non-EU companies that offer goods or services to, or monitor the behavior of, EU individuals. For companies that are active in multiple EU countries, the Regulation will centralize data protection enforcement, to a certain extent, with one competent national data protection authority via a "one-stop shop" mechanism, a complex consistency mechanism and a cooperation procedure. Importantly, the Regulation will allow data protection authorities to impose very substantial fines for non-compliance. The exact level of fines will only be confirmed when the final text is published, but the maximum fines are expected to rise to the greater of €1 million or 4 percent of a company's global annual turnover.
Next Steps
The final text of the Regulation will now be submitted for a vote of the European Parliament and the Council. We expect that the Regulation will be officially adopted by Spring 2016. It will enter into force two years after its adoption—i.e., by Spring 2018. We are monitoring developments closely and will provide you with more analysis in the coming weeks.
