European Council approves EU General Data Protection Regulation draft; final approval may come by end of 2015
The European Council approved its version of the General Data Protection Regulation (GDPR) on 15th June 2015.
The next stage is for the European Commission, European Parliament and European Council (each has its own preferred version of the regulation) to jointly agree on the final text of the regulation. These discussions will commence officially on June 24, 2015, and are currently scheduled to produce the final version of the GDPR by December 2015.
Some of the key points in the approved Council draft include:
- the GDPR will come into force two years after the date of publication. The Data Protection Directive (95/46/EC) will be repealed when the final GDPR is officially published. However, the legislation member states enacted to implement the Directive will not be repealed by the GDPR. That legislation will remain in force most likely until the GDPR comes into force;
- the maximum administrative fines are set at the higher of 2% of an enterprise’s worldwide turnover or €1m, and infractions are grouped into tiers attracting different maximum fine levels;
- the GDPR’s jurisdiction will reach outside the EU, with extraterritorial jurisdiction tied to the offering of goods or services to, or the monitoring of, data subjects in the EU. Non-EU controllers that satisfy this jurisdictional nexus will need to appoint an EU representative “unless the processing is occasional and unlikely to result in a risk for the rights and freedoms of individuals”;
- the “one stop shop” that provides for Supervisory Authority enforcement in a single EU Member State has been watered down. Specifically, in multi-jurisdictional breaches, relevant Supervisory Authorities will need to be consulted and will be able to challenge the lead authority’s decision (and where only one jurisdiction is at issue, the Supervisory Authority in that jurisdiction will have control over the breach, rather than the lead Supervisory Authority determined under the “one stop shop” principle);
- the European Data Protection Board (a reincarnation of the Article 29 Working Party) is established as a significant decision-making body in the interpretation of the GDPR;
- the GDPR will require that prior to giving consent, data subjects must always be informed of their right to withdraw consent;
- the information that must be provided to data subjects regarding the processing of their personal data remains extensive, including specifying the legitimate interests pursued by the controller or the statutory or contractual requirements that are being relied on to justify processing (if this is the case); data subjects must also receive an explanation of the various rights they have in relation to the data (but none of the Parliament’s icons that signpost data use has been included);
- the right to be forgotten and data portability remain, but with clearer boundaries;
- the profiling (that is, automated individual decision-making) provisions have been significantly shortened, but it remains necessary to notify the individual that profiling is taking place, of the significance and consequences of the profiling and of the logic involved, and human intervention is still required if the individual contests the decision;
- the draft includes a new “Big Data” / further processing provision, setting out the factors to be considered in determining whether the secondary purpose is compatible with the original purpose, and the possibility for processing for incompatible purposes in certain limited circumstances;
- the requirement to notify DPAs of data processing activities appears to be abolished, but controllers and processors now have quite extensive internal data processing record-keeping requirements, duties to implement data protection policies and data protection by design and by default, and to be able to demonstrate that their processing meets the GDPR’s requirements;
- high-risk processing activities require a data protection impact assessment, and where adequate mitigating steps are not taken, the controller must consult with the Supervisory Authority before proceeding;
- data protection officers are not mandated by the GDPR, but the regulation expressly allows Member States to introduce such a requirement in their national laws;
- data processors can be directly liable for fines and claims by data subjects; joint and several liability with the controller remains, but it can be rebutted where the processor or controller proves that it was not responsible for the event giving rise to the damage;
- the draft mandates breach notification to Supervisory Authorities and affected individuals; specifically, Supervisory Authorities and affected individuals must be notified of breaches that are likely to result in a high risk for the rights and freedoms of individuals, with notice to Supervisory Authorities due within 72 hours, and notices to affected individuals due “without undue delay”;
- binding corporate rules will be available for both controllers and processors; and
- transfers by way of existing EU model clauses will remain effective until decided otherwise by the Commission; Supervisory Authorities will not be able to require prior authorisations to transfer on this basis.
Most businesses will need to make some changes to their data processing practices to meet the requirements of the GDPR. Many will have to make extensive changes.