On 15 December 2015 it was announced that the EU Council, Commission and Parliament had finally agreed the text of the General Data Protection Regulation (“GDPR”) [pdf].
This needs to be approved by the EU Parliament next month and will then come into force in January 2018. It will replace the Data Protection Directive which was enacted in the United Kingdom by the Data Protection Act 1998.
In addition, there will be a new Data Protection Directive for the police and criminal justice sector designed to ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.
In announcing the agreement the EU Commission suggested that
“The reform will allow people to regain control of their personal data. Two-thirds of Europeans (67%), according to a recent Eurobarometer survey, stated they are concerned about not having complete control over the information they provide online. Seven Europeans out of ten worry about the potential use that companies may make of the information disclosed. The data protection reform will strengthen the right to data protection, which is a fundamental right in the EU, and allow them to have trust when they give their personal data”.
The key features of the agreed GDPR include the following:
- Right to be forgotten: Article 17 sets out the “right to be forgotten,” which gives a data subject the right to order a controller to erase any of the data subject’s personal data in certain situations.
- Right to data portability: Under Article 18 data subjects will have the right to transmit any of their personal data from one controller to another. In other words, data subjects will be able to transfer their personal data between service providers.
- Consent: There will be a new standard of “a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to personal data relating to him or her being processed” and “explicit” consent in relation to special categories of data.
- Breach notification. There must be data breach notification to the regulator “without undue delay” and where feasible within 72 hours.
- Fines: Article 79 states that companies may be fined a specific percentage of their annual global turnover for failing to comply with certain provisions of the GDPR. For example, a company that violates data subjects’ rights could face a fine of up to 4% of its annual global turnover which, for some large companies, could mean many millions – or even billions – of dollars.
- Data protection officers. Article 35 requires certain entities, including those whose “core activities” involve large-scale processing of special categories of data (sensitive data), to appoint a data protection officer. Articles 36 and 37 provide further details on the duties of a data protection officer.
The Directive seeks to guarantee increased protection of personal data and to facilitate the exchange of data between law enforcement authorities within the European Union.
New elements of the agreement on the Directive include:
- The Directive will apply to the cross-border processing of personal data, as well as to the processing of personal data by police and judicial authorities at strictly national level. Accordingly, police and judicial authorities should no longer apply different rules according to the origin of the personal data.
- Transferring personal data from competent authorities to private entities will be possible under specific conditions. It constitutes a legal framework that will enable police authorities to take swift action in cases of a terrorist attack or other emergencies.
- As well as protecting the rights of individuals, the Directive makes it possible for police authorities to limit both the information held in on the data and access to the processed data. The framework allows for police authorities to neither confirm nor deny whether they are in possession of personal data in order to avoid compromising ongoing investigations.