On December 15, 2015, the European Parliament and the Council of the European Union reached a political agreement on the text of the EU General Data Protection Regulation (GDPR).[1] This is a major step toward the official adoption of the GDPR, which is now expected in Spring 2016. The GDPR will have a significant impact on how EU and non-EU businesses can collect and process the personal data of EU individuals. This article discusses the key elements of the GDPR.

Background

The review process started four years ago, in January 2012,[2] when the European Commission introduced its proposal for the GDPR. Both the European Parliament and the Council proposed their own version of the GDPR (in March 2014[3] and June 2015,[4] respectively) and, on that basis, negotiated a compromise text. This compromise text is now being finalized by the EU’s legal services, meaning that it may still undergo some final changes. However, the version of the GDPR agreed to on December 15, 2015, can be regarded as very close to the final text. We refer to that version in this update.

Key Elements of the GDPR

The GDPR will replace EU Data Protection Directive 95/46/EC, which is currently the main legal framework for data protection in the EU. The GDPR’s provisions are far-reaching and have sparked intense debate and lobbying throughout the legislative process. Below are some of the most important elements of the GDPR.

  • Extraterritorial Effect. The GDPR will apply to organizations established in the EU, but also to non-EU organizations collecting and processing the personal data of EU individuals to offer them goods and services (e.g., via a website), freely or against payment, or to monitor their behavior (e.g., by tracking individuals online to build profiles). Thus, nearly all non-EU businesses that are active in the EU will be subject to the strict requirements of the GDPR.
  • Concept of Personal Data and Sensitive Data. The GDPR maintains the current definition of personal data (i.e., data relating to an identified or identifiable natural person), but provides more examples of data that can qualify as personal data, such as location data and online identifiers (e.g., IP addresses, cookies). Under the GDPR, as under the current Data Protection Directive, sensitive types of personal data will receive specific protection. The GDPR adds genetic data and biometric data to the group of sensitive data.
  • Consent and Other Legal Grounds for Processing. The GDPR will add more restrictions to the legal grounds for processing personal data. In particular, the GDPR adds conditions for consent to be a valid ground for data processing. For instance, consent must be obtained via a specific (i.e., separate from general terms) and clear consent statement. The GDPR also introduces rules for parental consent for the processing of children’s personal data in the context of information society services offered directly to children. Parental consent will be required if the child is under 16, unless national law in the relevant EU country sets a lower age limit (provided the limit is not below the age of 13). Companies will be expected to make reasonable efforts and to use available technology to verify that parental consent has been duly obtained.
  • New Accountability Requirements. The GDPR will replace the current requirement to submit filings with Data Protection Authorities (DPAs) with a new requirement to maintain internal documentation on the company’s data processing activities. In addition, companies will need to conduct privacy impact assessments if they conduct high-risk data processing activities, and in particular if they: (i) profile individuals; (ii) process sensitive data on a large scale; or (iii) systematically monitor a publicly accessible area on a large scale. Companies will also be required to implement privacy-enhancing measures when they design their products and services (privacy by design) and to, by default, select the techniques that are the most protective of individuals’ privacy and data protection (privacy by default). If a company’s core data processing activities involve the monitoring of individuals on a large scale or encompass sensitive data, the company will also be required to appoint a data protection officer.
  • New Obligations for Service Providers Acting as Data Processors. The GDPR will impose many more restrictions on the outsourcing of data processing activities to data processors. The current requirement for data processors to protect personal data with appropriate security measures will be complemented by specific obligations that must be included in data processing agreements, such as requirements to obtain the data controller’s prior written approval for subprocessing; to contractually impose the same obligations on subprocessors as are imposed on the data processor; and to assist the data controller in ensuring data protection compliance.
  • New Data Breach Notification Requirement. The GDPR introduces a personal data breach notification requirement. Under the GDPR, a data breach will have to be reported to the national DPA if it is likely to result in a risk for the rights and freedoms of individuals. The data breach will have to be reported to the DPA without undue delay, and when feasible, within 72 hours after a company becomes aware of the breach. The data breach will also need to be reported to the individuals concerned, without undue delay, if it is likely to result in high risks, unless certain exceptions apply (e.g., the data is encrypted, the company has taken measures to reduce the risks). The introduction of a pan-EU general data breach notification requirement is an important novelty under EU data protection law. Guidance regarding the circumstances in which companies are required to notify data breaches will be issued by the European Data Protection Board (EDPB), which is a new EU body that will gather all national DPAs and replace the existing Article 29 Working Party.
  • New Rights for Individuals. The GDPR strengthens the current rights of individuals under the Data Protection Directive, and also includes a few new rights. The GDPR codifies the “right to be forgotten,” which was affirmed by the Court of Justice of the EU in its Costeja decision in 2014.[5] The new “right to data portability” further strengthens individuals’ control over their personal data by allowing them to export personal data from one controller to another, without hindrance. Controllers will thus need to use interoperable formats when handling personal data.
  • International Data Transfers. The GDPR will broadly maintain the current rules on international data transfers: personal data may only be transferred to a country that has been considered to provide an “adequate level of data protection,” unless the company has implemented a data transfer mechanism or can rely on a statutory derogation. The GDPR provides new criteria for a country to be considered “adequate,” some of which are clearly imported from the judgment of the EU Court of Justice in Schrems[6] that invalidated the “adequacy” decision for the U.S.-EU Safe Harbor program for data transfers. Any new agreement between the U.S. and the EU, such as a Safe Harbor 2.0, would have to meet these requirements. Importantly, current EU model contracts and DPA authorizations for Binding Corporate Rules and ad-hoc contracts will remain valid until amended, replaced, or repealed by the EU Commission or DPAs. The GDPR keeps the statutory derogations for international data transfers that are included in the Data Protection Directive (e.g., the individual’s consent, execution of a contract), but adds a new derogation for data transfers: the controller’s compelling legitimate interests (provided that they are not overridden by the interests or rights and freedoms of the individual). However, this new derogation is subject to strict conditions: the transfer must not be repetitive, must concern only a limited number of individuals, and the controller must adduce suitable safeguards to protect the data and inform the individuals concerned.

In addition, the GDPR introduces new data transfer mechanisms, such as adherence to approved codes of conduct or approved certification mechanisms. These mechanisms still need to be developed, and it remains to be seen whether they will prove to be useful in practice, but these are interesting additions to the tools available for data transfers.

  • One-Stop Shop, Cooperation Procedure, and Consistency Mechanism. For companies that are active in multiple EU countries, the GDPR will to a certain extent centralize data protection enforcement. The GDPR introduces a “one-stop shop” mechanism through which the DPA of a company’s main establishment in the EU will take the lead in supervising a company’s compliance across the EU. Other DPAs involved will need to cooperate with the lead DPA through a newly created cooperation procedure. To further ensure consistent application of the GDPR in the EU and to solve disagreements between the lead DPA and other DPAs, the GDPR also creates a consistency mechanism under the authority of the EDPB.
  • Higher Fines and Harmonization of DPA Enforcement Powers. The GDPR is designed to step up data protection enforcement in the EU. The GDPR introduces high fines for non-compliance with the new rules. There will be a two-tiered system of fines. The first level, for less severe violations, is set at maximum €10 million or 2 percent of the undertaking’s global annual turnover, whichever is higher. The second level, for more severe violations, is set at maximum €20 million or 4 percent of the undertaking’s global annual turnover, whichever is higher. Moreover, the enforcement powers of DPAs, such as the power to conduct investigations and audits, will be harmonized. The cooperation of DPAs will also be strengthened to ensure the consistent application and enforcement of the GDPR throughout the EU.

Next Steps

It is now almost certain that the GDPR will be adopted by Spring 2016. It will enter into force two years after its adoption—i.e., by Spring 2018. Companies should begin to assess how their business activities will be impacted by the forthcoming GDPR. This means taking stock of the company’s data protection practices, policies, procedures, and contracts to analyze compliance gaps under the GDPR. The two-year transition period might seem long, but for many companies it will be a time-consuming effort to adapt business practices to the requirements of the GDPR.

For a more detailed analysis, please see our recent article in Bloomberg BNA, and to keep up to date with the legislative developments concerning the GDPR, see our Wilson Sonsini Goodrich & Rosati’s EU Data Protection Regulation Observatory at https://www.wsgr.com/eudataGDPR/index.htm.

[1] The compromise consolidated text of the GDPR (outcome of the Trilogue on December 15, 2015) is available at: http://www.emeeting.europarl.europa.eu/committees/agenda/201512/LIBE/LIBE(2015)1217_1/sitt-1739884.

[2] See the Commission Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (GDPR), COM (2012) 11 final (January 25, 2012), http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.

[3] See the European Parliament legislative resolution of March 12, 2014, on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2014-0212+0+DOC+XML+V0//EN.

[4] See Council document no. 9565/15, adopted as its “General Approach” at: http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf.

[5] See the CJEU Judgment, delivered on May 13, 2014, in Case C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=lst&docid=152065&occ=first&dir=&cid=276746.

[6] See the CJEU Judgment, delivered on October 6, 2015, in Case C-362/14 Maximillian Schrems v. Data Protection Commissioner (request for a preliminary ruling from the High Court (Ireland)), http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=1&part=1&mode=req&docid=169195&occ=first&dir=&cid=111628.