The draft of the General Data Protection Regulation (GDPR) took a significant step towards finally becoming European-wide law last week. The European Parliament’s Civil Liberties, Justice & Home Affairs Committee (LIBE) approved the final draft agreed by the European Council and Parliament as part of the trilogue negotiations. The text is available on the website of the European Parliament – under item 3 of the Committee Meeting agenda. The GDPR, which was first published in 2012, has gone through a number of iterations and extensive amendment on its journey to ratification. The final draft, which is expected to be ratified by the European Parliament and Council in Spring 2016, contains a number of compromise positions agreed by the EU institutions in an effort to get the GDPR across the line. Once ratified, there will be a two year period before the GDPR becomes directly applicable in all European Member States.
Here are our top ten highlights from the draft GDPR approved by LIBE:
1. The GDPR will have extra-territorial effect, being applicable to a controller or processor not established in the EU, if the data processed belongs to a data subject in the EU;
2. There are certain cross-border cases which might involve a number of supervisory authorities and the GDPR is implementing a one stop shop approach, which allows an entity which operates in a number of European territories to deal with the supervisory authority in the country of the single or main establishment of the controller/processor entity;
3. The GDPR introduces a two-tier structure for sanctions, with the agreed penalties being of a higher value than initially anticipated, with a potential for fines of up to €20,000,000 or 4% of annual worldwide turnover for the previous year, whichever is greater;
4. Consent must be freely given, specific, informed and unambiguous. Furthermore, if data has been collected for a specific purpose, consent must be obtained for additional processing which is incompatible with the original purpose. Consent may be withdrawn at any time and it must be as easy for a data subject to withdraw their consent as to give it;
5. Should a data breach occur, there is a mandatory obligation to notify the supervisory authority without delay and, where feasible, within 72 hours of the breach. In certain circumstances involving high risk to the data subject due to the breach, the data subject must also be notified without undue delay;
6. The role of Data Protection Officer is a new role conceived by the Regulation, and organisations which are regularly or systemically gathering data, or controllers/processors which process large amounts of sensitive personal data will be required to appoint a Data Protection Officer, to oversee compliance with data protection law;
7. Controllers and processors will be jointly liable for data protection breaches;
8. An individual will have an explicit right to have their personal data removed from a controller/processor’s system and/or online content. This ‘right to be forgotten’ shall apply in a number of listed circumstances and the controller shall be obliged to erase the data without undue delay;
9. The GDPR contains a specific definition of ‘profiling’ and provides that a data subject has the right, subject to limited exceptions, to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning that subject or similarly has a significant effect on them; and
10. The GDPR introduces the concept of ‘privacy by design‘, which obliges the controller, taking into account the cost of implementation, the nature and purposes of processing and risks to data subjects’ fundamental freedoms, to implement appropriate technical and organisational measures, both prior to and during the data processing, to ensure the data protection principles are implemented and complied with effectively. The concept aims to create a cultural reform, whereby privacy of data subjects is an inherent and prioritised consideration. Included in this concept is the requirement to carry out a data protection impact assessment to anticipate the impact of processing operations which would be classified as a high risk for data subjects.
The GDPR leaves some areas open to Member States’ determination (such as the minimum age for consent to the processing of data), but it is now virtually certain that there will be a new dawn for European data protection regulation in 2018.