On 15 December 2015, the European Commission, along with the European Parliament and the Council of Ministers, agreed on the final text of the General Data Protection Regulation ("GDPR"), thus bringing to a successful conclusion the so-called "trilogue" negotiations.
The GDPR will replace the current Directive 95/46/EC of 24 October 1995. As an EU Regulation (instead of a Directive), the GDPR will be directly applicable in all 28 EU Member States and the single text of the DGPR will replace the national laws implementing Directive 95/46/EU.
While the core of Directive 95/46/EC is maintained, the GDPR will introduce considerable changes to (i) strengthen the rights of the data subjects; (ii) impose new obligations and elaborate on existing obligations for companies; and (iii) enhance the enforcement of data protection rules across the EU. The GDPR also extends the territorial scope of EU Data Protection Rules to non-EU data controllers targeting EU citizens.
Improved Position of Data Subject
First, the GDPR strengthens the position of the data subject in different respects. It creates:
- a new right to "data portability", which will enable data subjects to transfer their personal data between service providers;
- a clarified "right to be forgotten", which will guarantee that, if one does not want their data to be processed any longer and if there are no legitimate grounds for retaining it, then one's personal data will be deleted;
- the possibility of contesting targeted online advertising;
- additional information on the processing of personal data;
- specific protection for vulnerable data subjects, such as children; and
- methods facilitating action against non-compliant data controllers.
Significant New Obligations for Businesses
The GDPR imposes significant new obligations on businesses, such as the principle of accountability, obligatory data protection impact assessments, additional information obligations and the appointment of data protection officers. These obligations seek to ensure that considerations of data protection are built into the daily activities of each business. Companies will also be required to report to national authorities within 72 hours data breaches likely to harm data subjects.
On the other hand, the GDPR also abolishes some formalities, including (in most cases) notifications to the local data protection authorities ("DPA"). Moreover, SMEs which do not rely on personal data for their core activities may be exempt from specific obligations under the GDPR. To some extent, the GDPR also allows businesses to adopt a risk-based approach towards protecting data subjects' fundamental rights.
Nevertheless, the new obligations imposed by the GDPR, together with an increased level of enforcement, mean that all companies must carefully consider how their business will be affected by the new rules which will confer on DPAs the power to impose fines of up to 4% of the companies' worldwide turnover.
The new rules provide for increased cooperation between the national authorities of the 28 Member States in order to apply a single set of rules, so that companies active in several European markets are no longer subject to conflicting decisions.
The GDPR will be adopted as a legislative package together with a new Directive on the processing of personal data by authorities for criminal and public security purposes. In the coming days, the institutions will compare the two legislative instruments to avoid inconsistencies. The final text of the GDPR and the new Directive will be formally adopted by the European Parliament and the Council at the beginning of 2016 and will enter into force two years later.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.