On April 8, 2016, the Council of the EU adopted the final text of the General Data Protection Regulation (GDPR). On April 14, the EU Parliament approved the Council’s decision. Twenty days after its publication in the Official Journal of the EU, the GDPR will enter into force (very likely in May 2016) and two years after this entry into force, it will be applicable and will replace the current Directive 95/46 (very likely in May 2018). What are the practical impacts of this new legislation?
First, the main principles of the current Directive will remain. Even if some changes will have great impacts in the day-to-day practice of companies, the GDPR mainly raises EU standards by recognizing previous best practices, case law and non-binding opinions of certain authorities. Major evolutions probably result from the legal form of the instrument: a Regulation, rather than a Directive. This means that the GDPR’s provisions will be directly invoked by individuals and directly enforced against companies without implementation through variable national legislations. Hence, contrary to the Directive, the text is totally consistent and comprehensive. This is progress for multinationals having subsidiaries in several member states.
Below are some key provisions of the GDPR:
- Territorial scope. The GDPR applies, notably:
- to processing carried out in the context of the activities of a controller/processor established in the EU, regardless of whether such processing takes place in the EU or not; and
- to processing of personal data of data subjects who are in the EU, even if the controller/processor is not established in the EU, provided that the processing activities relate to (i) an offer of goods or services to data subjects in the EU, or (ii) the monitoring of their behavior as far as their behavior takes place within the EU.
- Consent. If consent is the relevant legal basis for processing, the GDPR clearly states that it can never be implicit and must result from unambiguous and positive actions directly relating to the purpose of the processing.
- Accountability. Data protection law is no more a simple declaratory or documental matter; controllers should be able to demonstrate concrete compliance and implementation of GDPR’s principles.
- Privacy by design and by default. Controllers must implement technical and organizational measures ensuring that, from the determination of the means for processing, such processing complies with the GDPR and that, by default, only data that are necessary for each specific purpose are processed.
- Data Protection Impact Assessment (DPIA). Where the processing relates to certain sensitive operations or data, the controller must carry out and must provide a documented DPIA to authorities, describing, assessing and preventing the risk associated with each processing.
- Data Protection Officer (DPO). Where the processing relates to certain sensitive operations or data, the controller/processor must designate a DPO, mainly to ensure compliance with the GDPR and communicate with data subjects and authorities.
- Controller/Processor. Regarding most of the GDPR’s requirements, the processor is severally and jointly liable with the controller.
- Data breach. The GDPR provides details on criteria and delays for declaring data breaches to authorities and, in some cases, to data subjects.
- Sanctions. In the case of infringement, the GDPR entitles national data protection authorities to impose fines that are greatly increased compared with the current national laws. These fines may amount to:
- 2 percent of the total worldwide annual turnover for a minor offense, an
- 4 percent of the total worldwide annual turnover for a major offense.
On April 14, the EU Parliament also adopted a new Directive on data transfers for police and judicial purposes.
As indicated above, the GDPR will be applicable in about two years, which is a sufficient (but not excessive) period of time to prepare for compliance and accountability.
For more information on the GDPR, please refer to the following prior Password Protected blog posts:
2016: A Turning Point For Personal Data Protection