A new EU General Data Protection Regulation is agreed
A new EU General Data Protection Regulation (GDPR) has been agreed. It takes the form of a Regulation, which will replace the current Directive 95/45/EC and will be directly applicable in all the EU Member States with no need for implementing national legislation. Its provisions will be directly applicable two years after the date of release (April 14th 2016). The process of agreeing the GDPR has been a long and complex one, but finally, after several years of drafting and discussions, it is now officially EU law.
Some of the most important provisions of the GDPR are the following:
- Broader scope. In addition to applying to data controllers and processors established in the EU, the GDPR will also apply to those established outside the EU whose processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of EU individuals’ behaviour.
- Revised definition of personal data. Under the GDPR, information is treated as personal data whenever individuals can be identified by online identifiers, location data or identification numbers. This way, location data, IP addresses and online identifiers will constitute personal data in most cases, as these can be used to identify individuals, especially when combined with unique identifiers.
- Accountability obligations. Companies will have to implement appropriate privacy policies and robust security measures, perform data protection impact assessments in certain cases and appoint a data protection officer under some specific conditions. In addition, the GDPR places onerous accountability obligations on data controllers to demonstrate compliance, such as (i) maintaining certain documentation, (ii) conducting a data protection impact assessment for riskier processing or (iii) implementing data protection by design and by default.
- New obligations. The GDPR imposes additional obligations on data processors, controllers and joint controllers. In particular, direct obligations will be imposed on data processors for the security of personal data.
- Data breach notification. Data controllers will be required to notify any data breach to the supervisory authority within 72 hours of discovery, unless they can show the breach is unlikely to pose any risk to individuals.
- One stop shop. For companies active in various EU countries, the GDPR will allow them to have a central point of enforcement through the one-stop mechanism. This way, the supervisory authority of the main establishment will act as the lead supervisory authority, supervising all the processing activities throughout the EU.
- Higher standard for consent. Under the GDPR, consent must be unambiguous and communicated by a statement or a clear affirmative action. Consent must be freely given, specific and informed, and shown either by a statement or by a clear affirmative action which signifies agreement to the processing. It can be withdrawn, and it must be explicit for sensitive data. The new Regulation also provides specific protection in the context of children’s personal data by strengthening the validity conditions of children’s consent.
- Sanctions. Supervisory authorities will be given significantly more powers to enforce compliance with the GDPR. They will have the power to impose fines for some infringements up to 4% of annual worldwide turnover.
- International transfers. The GDPR maintains the general prohibition of data transfers to countries outside the EU that do not provide an adequate level of data protection, and stricter conditions will apply for obtaining an “adequate” status.
- Rights of individuals. The GDPR will expand the rights of individuals. For example, individuals can require the erasure of their personal data by the data controller without undue delay in certain situations (the right to be forgotten). In addition, it will strengthen the protection of individuals against possible negative effects of profiling by providing them with the right not to be subject to automated decision making which produces legal effects concerning the individual or significantly affects the individual.