The European Commission yesterday announced that it had reached agreement with the European Parliament and Council on the final text of the proposed new General Data Protection Regulation (GDPR). The GDPR will replace the current Directive and the national laws that implement it in each member state.
It is anticipated that the final text will be formally adopted by the Parliament and Council in early 2016, following which there will be a two year transitional period before the Regulation comes into force in 2018. Whilst the Commission has not yet published the agreed text, a German law firm has published what it believes is the final version.
What will change?
Whilst some changes reduce the administrative burden on data controllers and reduce inconsistent implementation of rules between different member states, others will mean a step-change is required in relation to data protection compliance.
Stricter requirements on consent, rights for data subjects to be able to easily transfer data to another provider, increased “rights to be forgotten” and new rules in relation to breach reporting will require all organisations to review their internal procedures and processes in relation to the collection and handling of personal information.
The emphasis on privacy by design and privacy impact assessments means that privacy issues will need to be considered at the outset of any new project or activity, rather than as an afterthought.
Powers to issue fines of up to 4% of worldwide annual turnover or €20,000,000 mean that data protection compliance should now be a board-level compliance issue. Certain organisations will also be required to appoint a data protection officer.
It’s also notable that the threshold at which parental consent is required for the use of information society services by children was raised at the last minute from 13 to 16, though the leaked final text states that member states can lower this to 13. That change to age 16 is also at odds with the views of a number of internet safety campaigners. Indeed, it may well lead to greater privacy intrusion for young people when seeking advice and information about things like abuse and bullying. We’ll blog separately on that.
What about international data transfers and Safe Harbor?
On international data transfers, the Commission’s press release is notably silent on any further progress in relation to discussions with the United States on reform of the now invalid Safe Harbor regime. Last month, the Commission set itself a target of January 2016 for concluding negotiations on a compliant mechanism for US data transfers, and it remains to be seen whether that target will be hit.
We will publish a more detailed analysis of the final text and what it means for data controllers in due course. In the meantime, if you’d like to discuss the new GDPR and what it means for you, please get in touch with me or your usual Brodies contact.
On December 16, 2015