By Laurent De Muyter, Of Counsel, Jones Day, Brussels
The most comprehensive reform of data protection law probably ever to be undertaken in the EU was finalized by the EU institutions on December 17, 2015 and will become applicable law within about two years. The new General Data Protection Regulation (GDPR) officially aims at further harmonizing rules across the 28 EU Member States and reducing red tape for businesses. Crucially, however, it will also further the scope of data protection regulation and the level of enforcement.
EU single market. The GDPR’s primary purpose is to reduce both the risk of inconsistent or conflicting obligations between different Member States and compliance costs, in particular for businesses active across the EU market. The GDPR, as an EU regulation, will be directly applicable in all EU Member States and will automatically replace national legislation (with limited exceptions, such as for processing data in the employment context, or national ID numbers). The GDPR will also establish a ‘one-stop shop,’ whereby a single national authority should effectively regulate all processing activities of a business across the EU. Such authority will, in principle, be the one of the “main establishments of the controller and/or processor” (although data subjects shall remain free to solicit their home regulatory authorities). Finally, the obligation to notify the relevant authority of each and every occurrence of data processing is replaced by an obligation to notify only data breaches (albeit within a strict timeframe of 72 hours).
Expanded reach of regulation. Furthermore, the GDPR will act to extend the scope of data protection regulation. Companies providing goods or services, from outside the EU, to EU residents will now be covered, even if a company lacks any establishment or any equipment in the EU. The GDPR also makes clear that online identifiers, such as IP addresses and cookies, are likely to be considered as “personal data.” The GDPR further adds genetic and biometric data, as well data concerning sexual orientation, to the list of “sensitive data” that benefits from additional protection. In line with such broader protection, the main justification for processing data, i.e. the notion of consent, now requires “clear affirmative action”, i.e. ticking a box or selecting technical settings that indicate the data subject’s acceptance of the data processing (as opposed to inactivity or pre-ticked boxes, which are considered insufficient). Consent must also be “explicit” for sensitive data.
The GDPR introduces new obligations for both processors and controllers. For controllers, this includes, under certain circumstances, appointing a data protection officer, respecting “privacy by design,” or conducting data protection impact assessments. For processors, new obligations include maintaining records and complying with data transfer obligations. The GDRP also formalizes various rights for data subjects, such as the right “to be forgotten,” to “data portability,” and to refuse profiling.
Transfers outside the EU. As concerns international data transfers, companies can still safely transfer data to the “white list” of countries established by the EU Commission, draft appropriate contractual clauses to allow the data transfer, and/or rely on other justifications such as explicit consent or the performance of a contract with the data subject. Following a ruling of the European Court of Justice on October 6, 2015, Safe Harbor registration does not constitute a valid justification for data transfer. This shall remain the case at least until the adoption of a new version of the Safe Harbor agreement (anticipated for the end of January 2016). Furthermore, judgments issued from third-country jurisdictions that require the transfer of personal data (e.g. discovery) will be enforceable only if based upon an international agreement.
Scaled-up enforcement. Finally, the GDPR tightens the enforcement of privacy laws, providing that in case of breach, national data protection authorities shall have the power to impose administrative fines of up to 2 to 4% of a company's worldwide annual turnover, depending on the infringement at stake. A right to compensation is also foreseen.
The impact of the data protection reform is thus substantial and should be properly anticipated by all businesses, as any company necessarily processes personal data, whether such data come from clients, employees, suppliers or any third-party.