On December 15, the Civil Liberties Committee (LIBE) of the European Parliament issued a press release announcing a provisional political agreement between the European Parliament and Council negotiators on the texts of both the General Data Protection Regulation and the Police & Judicial Cooperation Data Protection Directive. Formal approval by the Council is expected shortly and by the European Parliament in early 2016, after which the legislation will be published in the Official Journal. The new provisions will apply two years later, in the first quarter of 2018.
Although the official text has not been published, based on versions we have seen, key points include the following:
- the maximum administrative fines will be set at the higher of 4% of an undertaking’s worldwide turnover or €20m, with infractions being grouped into tiers attracting different maximum fine levels. Although not at the top end of the scale proposed by the European Parliament, this is at the higher end of expectations;
- the GDPR’s jurisdiction will reach outside the EU, with extraterritorial jurisdiction tied to the offering of goods or services to, or the monitoring of, data subjects in the EU. Non-EU controllers that satisfy this jurisdictional nexus will need to appoint an EU representative “unless the processing is occasional, does not include large scale processing of sensitive personal data or criminal offences and is unlikely to result in a risk for the rights and freedoms of individuals”;
- as expected, the “one stop shop” originally proposed by the Commission, with a single Supervisory Authority having jurisdiction over multinationals operating in different Member States, has been watered down. Specifically, in case of multi-jurisdictional breaches, relevant Supervisory Authorities will need to be consulted and will be able to challenge the lead authority’s decision. Where only one jurisdiction is involved, the lead Supervisory Authority may decide that that jurisdiction’s Supervisory Authority should control the matter instead of itself;
- the European Data Protection Board (a reincarnation of the Article 29 Working Party) will be established as a significant decision-making body in the interpretation of the GDPR;
- the GDPR will require that, prior to giving consent, data subjects must always be informed of their right to withdraw consent;
- in relation to online services, parental consent will be required for children under 16 unless the Member State local law provides for a lower age of consent (which must not be lower than 13);
- the information that must be provided to data subjects regarding the processing of their personal data will be extensive, including specifying the legitimate interests pursued by the controller or the statutory or contractual requirements that are being relied on to justify processing (if this is the case);
- the right to be forgotten and data portability will remain, but with clearer boundaries;
- the automated individual decision-making, or “profiling”, provisions will be significantly shortened, but it will remain necessary to notify the individual that profiling is taking place, the significance and consequences of the profiling and the logic involved, and human intervention will be required if an individual contests the decision;
- a “Big Data” / further processing provision will be included, setting out the factors to be considered in determining whether the secondary purpose is compatible with the original purpose; however, this provision omits the Council’s more permissive clause, which allowed for processing for incompatible purposes in certain limited circumstances;
- the requirement to notify Supervisory Authorities of data processing activities has apparently been dropped, but controllers and processors will now have quite extensive internal data processing record-keeping requirements, duties to implement data protection policies and data protection by design and by default, and to be able to demonstrate that their processing meets the GDPR’s requirements (exemptions are only available to organisations with fewer than 250 employees);
- high-risk processing activities will require a data protection impact assessment; where adequate mitigating steps are not taken, the controller must consult with the Supervisory Authority before proceeding;
- data protection officers will be mandated by the GDPR for public bodies and controllers and processors whose core activities consist of processing which requires large scale and systematic monitoring of data subjects or the large scale processing of sensitive data or criminal offences; in addition, the GDPR allows Member States to stipulate further circumstances where data protection officers are required under their national laws;
- data processors can be directly liable for fines and claims by data subjects; joint and several liability with the controller remains where the processor fails to perform its obligations;
- enterprises must notify Supervisory Authorities and affected individuals of breaches that are likely to result in a high risk for the rights and freedoms of individuals, with notice to Supervisory Authorities due “where feasible” within 72 hours and to affected individuals “without undue delay”;
- binding corporate rules will remain available for both controllers and processors;
- Commission adequacy decisions on the level of data protection in third countries will be reviewed at least every four years, but both country adequacy decisions and decisions approving EU model clauses under the current Data Protection Directive will remain valid until amended or repealed by a new Commission decision; and
- Article 43a on transfers to third countries is unclear: on the one hand, transfers to third countries to meet court or regulatory requirements in that third country are stated to be “only recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty”. On the other, this clause is qualified as being “without prejudice to other grounds for transfer”, which may leave room to argue that more permissive existing interpretations of other grounds covering cross-border discovery or investigation are still available.
As we have anticipated for some time, implementing the GDPR will present a significant challenge for most organisations. Fines of up to 4% of worldwide turnover will focus attention on clarifying and improving how enterprises comply with the existing rules, let alone dealing with the GDPR’s new requirements.
Many of the new requirements will be fleshed out through guidance from the European Data Protection Board and national Supervisory Authorities in the next 24 months. Given the need to implement solutions by Q1 of 2018, enterprises will need to begin planning before detailed guidance is available.
We will be monitoring the finalisation of the text and will provide further updates.
In September and October, we ran a series of workshops on how the GDPR would affect key processing activities and existing data protection programmes. If you would like to discuss the impact of the GDPR on your business, please contact your local Norton Rose Fulbright data privacy contact, who will be able to access the pan-European team’s analysis and perspective on how the GDPR will be implemented and enforced.