- Enforcement: significant fines of up to two percent of annual worldwide turnover (gross revenue) for non-compliance with the proposed Regulation (compared to the five percent in the Parliamentary draft).
- One Stop Shop: the lead DPA is required to cooperate with all ‘concerned’ DPAs to reach a consensus on any decision, and any DPA can initiate a procedure in cases it deems “urgent”. Where no consensus can be reached the case can be referred to the European Data Protection Board whose decision will be binding.
- Scope: applies to both businesses established in the EU and to non-EU businesses offering goods or services to individuals within the EU or monitoring their behavior.
- Consent: consent must be explicit where sensitive personal data are processed. However, further processing is permitted where it is “compatible” with the purposes for which the data were collected, taking into account factors such as the context in which the data were obtained and the nature of the data.
- Privacy Impact Assessments: a privacy impact assessment must be carried out where new technologies are used or where the processing is likely to result in a high risk to data subjects.
- Profiling: an individual has the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or otherwise significantly affects the individual, unless, for example, the decision is necessary for the performance of a contract or is made with the explicit consent of the individual. The provision does not prohibit the creation of a profile as such.
- Right to Erasure: the controller is obliged to erase personal data without undue delay where, for example, the data are no longer necessary for the original purpose or the data subject objects, subject to a limited number of exceptions.
- Right to Data Portability: where personal data are processed in a structured, commonly used and machine-readable format and the processing is based on consent or on a contract, the data subject has the right to transmit those personal data to another controller without hindrance from the original controller.
- Data Protection Officer: appointment of a data protection officer is voluntary unless made compulsory by the national law of a Member State. This contrasts with the Commission and Parliament texts, both of which make the appointment of a data protection officer mandatory where certain thresholds are met.
- Data Breach Notification: a requirement to notify the data protection authority of a data breach without undue delay and, where feasible, within 72 hours.
- Requests for Data Pursuant to Non-EU Authorities: Article 43a, as included in the European Parliament’s proposals, makes judgments of a non-EU court or authority requesting personal data unenforceable; where a non-EU court or authority requests data, authorization must be obtained from the relevant EU DPA. The Council’s proposal contains no equivalent provision.
- International Transfers: in addition to Binding Corporate Rules, Model Contracts, approved codes of conduct and certification mechanisms, international data transfers are permitted where necessary for the “legitimate interests” of the controller, provided the transfer is not large scale or frequent, the controller has adduced appropriate safeguards and the interests of the data subject are not overridden.
The approach adopted by the Council is clearly risk-based and somewhat less prescriptive than that adopted by the Commission or Parliament, with data controllers afforded greater discretion in how they manage their data protection compliance obligations.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or Edward R. McNicholas or Alan Charles Raul of the Sidley Privacy, Data Security & Information Law Practice.