After almost four years of intense negotiations, on December 15, 2015, an informal agreement on the proposed EU Data Protection Regulation was reached between the Council of Ministers and the European Parliament. At the LIBE Committee meeting on December 17, members voted to approve the Regulation by an overwhelming majority. Formal agreement and adoption of the Regulation are likely in early 2016, with Member States having two years before the Regulation applies.
The Regulation, which is intended to create a single law on data protection in the EU, will have a significant impact on European companies and, importantly, also on businesses outside of Europe that collect data on Europeans through offering goods or services. Some of the key provisions in the Regulation (based on the text unofficially published on December 16, 2015) include:
- Enforcement — Significant fines for non-compliance of up to the greater of €20 million or 4 percent of annual worldwide turnover (gross revenue). Individuals also have a right to judicial remedy against businesses where the individual considers their rights have been infringed.
- Extraterritorial Application — The new Regulation purports to apply to any company that processes the personal data of Europeans, where the processing is related to the offering of goods or services to Europeans or monitoring of their behavior — even if the company has no physical presence in Europe.
- One-Stop-Shop — A new one-stop-shop mechanism where businesses will be accountable to one single lead data protection authority (DPA) in the EU country where the data controller has its main establishment. The lead DPA is required to cooperate with all “concerned” DPAs to reach a consensus on any decision, and where no consensus can be reached, the case can be referred to the newly formed European Data Protection Board (EDPB) which will issue a binding opinion. In exceptional circumstances, a “concerned” DPA can adopt provisional measures and request an urgent opinion from the EDPB.
- Notice and Consent — New requirements as to the information that should be provided in data protection notices, as well as new consent requirements, including the right for individuals to withdraw their consent at any time, and parental consent required in relation to the offering of internet services for children aged under 16 years (or 13 years if permitted under EU Member State national law).
- Accountability — Enhanced accountability principles including requirements for businesses to implement data protection policies, to maintain a detailed record of processing activities, to conduct privacy impact assessments where data processing uses new technologies and is likely to result in high risk (for example, profiling or the processing of sensitive personal data on a large scale), and to implement data protection by design and by default.
- Data Protection Officers — The obligation for businesses to appoint a data protection officer (DPO) where the processing involves large amounts of sensitive personal data, or regular and systematic monitoring of individuals on a large scale, or where a DPO is required by national Member State law. A corporate group may appoint a single DPO, provided the DPO is easily accessible from each establishment in the group.
- Security Breaches — The requirement to report personal data breaches to the relevant DPA without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; a notification made after 72 hours must be accompanied by reasons for the delay. Where a breach is likely to result in a high risk to individuals, businesses must also notify the affected individuals without undue delay, unless, for example, the data was protected by measures such as encryption that render it unintelligible to unauthorized persons, or subsequent measures have been taken so that the high risk is no longer likely to materialize.
- Pseudonymous Data — A new definition of pseudonymization (processing personal data so that it can no longer be attributed to a specific individual without the use of additional information, where that additional information is kept separately and protected by technical and organizational measures against re-identification). Pseudonymization in turn enables certain uses of data, for example, in relation to scientific research, where a business implements those safeguards.
- Right to be Forgotten — A new right for individuals to have their personal data erased without undue delay where, for example, the data is no longer necessary for the purpose for which it was collected or the consent for the processing is withdrawn and there is no other legal basis for the processing. This right to be forgotten is subject to a limited number of exceptions including, for example, where the processing is necessary for scientific research or the defense of legal claims.
- Right to Data Portability — Where personal data is processed by automated means and the processing is based on consent or on the performance of a contract with the individual, the individual has the right to receive that personal data in a structured, commonly used and machine-readable format and to transmit it from one service provider to another.
- Profiling — New restrictions on businesses carrying out profiling which produces legal effects or significantly affects an individual other than where this is necessary for the performance of a contract, is authorized by national Member State law or is conducted with the explicit consent of the individual. Profiling based on sensitive personal data (such as health data) is only permitted in limited circumstances.
- International Transfers — The restrictions on transfers of personal data from the EU continue, but there is statutory recognition of various legal mechanisms that impose EU privacy standards and permit the international transfer of personal data from the EU, including Binding Corporate Rules, EU Standard Contractual Clauses, codes of conduct approved by the relevant DPA or the EDPB, and certifications issued by the relevant DPA or an approved national certification body. Isolated transfers of personal data concerning a limited number of data subjects may also be permitted in certain limited circumstances; however, the relevant DPA and the individual concerned must be informed of the transfer.
- Foreign Data Requests — A new restriction, separate and independent from other provisions on data transfers, that any judgment of a non-EU court or authority requiring the disclosure of personal data will only be recognized or enforceable if it is based on an international agreement (e.g., a mutual legal assistance treaty) between the relevant Member State and the requesting country.
Businesses now need to consider the impact of the Regulation and its stricter requirements. A first step would be to carry out an internal gap analysis of current data protection practices against the new requirements and rights under the Regulation. Key aspects to consider include data breach response planning; reviewing existing data protection notices and consents; reviewing current profiling activities and existing data protection and retention policies and procedures; ensuring that privacy impact assessments are carried out where required; and appointing a data protection officer where required.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
William Long, +44 20 7360 2061; Edward R. McNicholas, +1 202 736 8010; Alan Charles Raul, +1 202 736 8477
Sidley Privacy, Data Security & Information Law Practice
To receive Sidley Updates, please subscribe at www.sidley.com/subscribe.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.