Detlev Gabel, Tim Hickman, Audrey Oh, White & Case
After an unexpectedly long legislative process, the EU has published Regulation 2016/679 (the General Data Protection Regulation or “GDPR”). But what are the future implications of this new legislation?
On 4 May 2016, after more than four years of drafts, discussions and negotiations, the GDPR was published in the Official Journal of the EU by the Secretaries-General of the European Parliament and of the Council of the EU. It will come into force after a further twenty days, followed by an effective two-year grace period, meaning that enforcement of the GDPR will not begin until 25 May 2018.
During this period, the existing collection of national data protection laws, based on EU Directive 95/46/EC, will continue to apply. However, organisations will need to use the two-year window wisely. It is important for organisations to allocate sufficient time and resources to ensure that they are compliant with the GDPR by May 2018. Failure to meet this deadline may result in enforcement action under the GDPR, including possible fines up to the greater of €20 million, or 4% of annual global turnover. France is already in the process of introducing legislation to implement fines at these levels immediately, rather than waiting for the GDPR to become enforceable. It is not yet clear whether other Member States will follow suit.
What are the key concerns for businesses?
The GDPR makes wide-ranging changes to existing EU data protection law. In particular, businesses should bear in mind the following points:
- Territorial application – The GDPR applies to non-EU businesses if they: (i) target their goods or services at EU residents (e.g., using local domain names, in the local language, offering local delivery and accepting payment in local currency); or (ii) monitor the behaviour of EU residents. Many businesses that are not subject to existing EU data protection law will be subject to the GDPR, especially businesses operating in the EU in an online context.
- Remedies and sanctions – As noted above, the consequences of breaching EU data protection law escalate dramatically under the GDPR, which sets the maximum fine for a single breach at the greater of €20 million, or 4% of annual global turnover.
- Consent – Under the GDPR, consent becomes harder for businesses to obtain and rely on. Notably, the GDPR states that consent is not valid where there is a ‘clear imbalance’ between the controller and the data subject.
- Increased compliance obligations for controllers – The GDPR imposes increased compliance obligations on businesses that act as controllers (e.g., implementing appropriate policies, keeping records of processing activities, appointing a Data Protection Officer in some cases, implementing privacy by design and by default, etc.). For many businesses, this is likely to require a significant overhaul of their data processing activities.
- Direct compliance obligations for processors – Existing EU data protection law generally does not impose direct legal compliance obligations on processors. However, under the GDPR, processors have direct legal compliance obligations, and Data Protection Authorities can take enforcement action directly against processors. For businesses that commonly act as processors (e.g., outsourced service providers to financial institutions) this is a significant change, and may result in attempts to re-negotiate existing processing agreements.
- 72-hour data breach notification – The GDPR requires businesses to report data breaches to the relevant Data Protection Authority within 72 hours of detection. For most businesses, radical changes to internal reporting structures will be needed in order to be able to meet this deadline.
The publication of the GDPR in the Official Journal marks the end of a long journey. The first draft of the GDPR, setting out a comprehensive reform package of the EU’s data protection rules, was published by the European Commission in January 2012. It has since been through numerous rounds of revisions, committees and votes, which have taken significantly longer than many commentators originally anticipated.
In parallel to the GDPR, the EU has also adopted a new Police and Criminal Justice Directive which governs the processing of personal data for the purposes of prevention, detection, investigation or prosecution of criminal offences, and related judicial activities. The UK has effectively opted out of this Directive, meaning that the processing of personal data for policing and criminal justice purposes in the UK may be governed by a different set of rules from the rest of the EU. The practical impact of the UK’s decision on this issue remains to be seen.
Once the GDPR comes into force, two further key developments are expected. First, EU Data Protection Authorities will, individually and collectively, begin to issue guidance on the application and interpretation of the GDPR, with the aim of helping organisations to achieve compliance with the requirements of the GDPR. This guidance is expected to offer additional clarification of certain issues in the GDPR that are not totally clear from the current text (e.g., several of the new data transfer mechanisms set out in the GDPR require significant further explanation before they can be used in practice).
Second, the European Commission has launched a Public Consultation with the aim of reviewing Directive 2002/58/EC (the “ePrivacy Directive”). The potential for overlap between the GDPR and the ePrivacy Directive has been the subject of much discussion in recent months. For example, that overlap could result in controllers that suffer a data breach being obliged to report that same breach twice – once under the GDPR and once under the ePrivacy Directive. It is hoped that the Commission’s efforts will resolve these issues before enforcement of the GDPR begins.