As most of you will be well aware by now, negotiations on the EU data reform package have been ongoing since 2011 and whilst the final texts are not yet available, we do now have the final compromise texts for both the draft General Data Protection Regulation ("GDPR") and the draft Data Protection Directive relating to the police and criminal justice justice sectors covering data transfers between law enforcement agencies across Europe.
Following the agreement on 15th December, the European Parliament's Civil Liberties, Justice and Home Affairs ("LIBE") Committee voted on the proposals this morning, 17th December 2015. The GDPR was voted in with a large majority of 48 votes to 4 against and only 4 abstentions. The Directive was voted in with 53 votes to 2 against and 1 abstention.
Once the texts are translated into all the EU languages and ratified by the Council of the European Union and the European Parliament (anticipated early in the New Year), they will be published in the Official Journal of the European Union.
Each of the 28 EU member states must then amend their national laws within two years and 20 days after that publication. The new law will therefore become enforceable from early 2018.
What are the main elements of change?
The top 10 major changes under the new law are as follows:
- Greater protection for the personal data of individuals - the key focus of the new law is to ensure that individuals have greater control over their personal data (especially in relation to data deletions, portability and access) and to ensure that organisations (especially those operating across several jurisdictions and/or using outsourcing partners) are forced to take more care in their approach to data sharing and transfers.
- More liability for sub-contractors and outsourcing organisations - where an outsourced partner is used to process data, both the parties will be jointly liable. Traditional data processor outsourcing organisations will no longer be able to 'pass the buck' to their instructing data controller, instead being forced to comply directly.
- Fines of up to 4% annual worldwide turnover for non-compliance. Crucially, any company found to be in breach of the data protection regulations could be fined up to a maximum of €20 Million or 4% of annual global turnover (between a 2-5% cap had been negotiated but they have settled on 4%, higher than many speculated). Jan Philipp Albrecht, chief negotiator for the European Parliament, highlighted that "for global internet companies in particular, this could amount to billions". The first tier fines are for breaches of certain parts of the new law, such as failing to have lawful reason to process the data. A second and lower tier fine of up to €10 Million or 2% of annual worldwide turnover will apply to certain processor, security and administrative related breaches.
- Easier complaints mechanism for individuals. Consumers will now be able to raise a complaint in their own country, as opposed to the country the offending company is headquartered in. Should a complaint cover several European countries, a newly created European Data Protection Board will help settle the dispute.
- Explicit consent. Companies will need to ensure that consent to process any data is freely given, specific, informed, 'unambiguous' and, for personal data, consent is 'explicit'. Consent will need to be via an agreed statement or demonstrable, easily accessible and intelligible affirmative action. They will also need to take note of any consumer's request to have their details deleted under the tightened-up 'right to be forgotten'. These changes may require you to make changes to your current data collection and retention processes. The legitimate interest ground for processing personal data is now going to be more heavily qualified by specific and explicit notice requirements.
- Mandatory data breach reporting. Any data breaches that pose a high risk must be reported to regulators 'without undue delay' and, where feasible, within 72 hours. Individuals must also be notified without undue delay if there is a high risk to their rights and freedoms. This could be difficult to implement in practice and will require more careful public relations management and data breach response planning.
- Increased protection for Under 16yr olds. Data protection for under 16 year olds has been toughened up. Whilst the regulation sets the age of digital consent for using social media platforms at 16 years, individual member states can decide to lower it to 13 years. 13 is the current limit for many US social media companies, such as Facebook and Instagram. Companies will also be restricted on profiling and collecting data for users under 16 years and will require parental consent to do so. They'll also have to show they've made reasonable efforts to get this consent. Timothy Kirkhope, Conservative MEP said: "Concerns have been listened to and the UK's age of consent will not be forced to change". Watch this space.
- Mandatory Data Protection Officer. The contentious requirement to appoint a Data Protection Officer seems to have been restricted to public authorities and organisations that process large amounts of sensitive personal data or that process personal data used for systematic monitoring on a large scale. Watch this space to see what implications this might have in practice.
- Mandatory Privacy Impact Assessments. More onerous requirements on organisations to ensure privacy by design, including a requirement to carry out privacy impact assessments (as we know them now) in certain circumstances.
- Requirement for formal data protection policies, procedures and training. The current requirement to register data processing activities with the EU regulators (such as the ICO Notification process) will now be replaced with perhaps much more onerous requirements to document, formalise and audit data processing practices internally within an organisation and to carry out training. Please do contact us if you need help with getting your "house" in order.
- International Data Transfers - following the ECJ Safe Harbor case in Schrems, the GDPR will continue prohibiting data transfers to non-EEA countries unless they are recognised as being "adequate" by the EU. While there will now be stricter conditions for countries trying to obtain that "adequacy" status, new data transfer compliance mechanisms like privacy seals will be considered and binding corporate rules have been endorsed.
- Application to a Greater Number of Organisations - Following recent ECJ cases, such as the Weltimmo case, the GDPR will apply to most organisations that offer goods or services in the EU, or that monitor the behaviour of EU citizens. This will include, most notably, online activities of non- EU organisations.
- 'One Stop Shop' - the controversial one-stop shop enforcement process which aims to centralise data protection enforcement is to be introduced via one competent national regulator. There is a complicated process set out in the GDPR to help ensure consistency and co-operation, which only time will help us to truly understand.
So What Next?
The headlines above, give a brief overview of some of the key changes. The next step for us and for you is to fully review the documents when they're finally published in the New Year.
We will follow up early in 2016 with a more detailed Pritchetts blog article on the key changes of the new law and preparations to be made. For now, all organisations should take note that they have 2 years to review their operations and carry out a data protection audit or gap analysis against the requirements of the new regulations. It is possible that many organisations will need to make potentially significant changes to the way that they currently collect, use and transfer personal data in order to avoid fines of up to 4% of annual worldwide turnover. The UK regulator, the ICO, has started to offer advice on key areas to consider as a priority.
Whilst further analysis and insight will be given in future Pritchetts newsletters and blogs, please don't hesitate to contact us if you require any additional information - particularly on our data protection audit services, the impact of the new EU GDPR reforms or indeed specific advice on how this new law will affect your particular organisation.