After years of consulting, drafting and negotiating at various levels, on 15 December 2015 the final compromise text of the EU General Data Protection Regulation (GDPR) was agreed. What a milestone! Once the European Parliament and Council both adopt the agreed text, the GDPR will officially come into force, which is expected to be January 2016. Businesses will have a two-year transitional period to adapt to the new regime.
One Continent, One Law
The GDPR will apply directly in each of the 28 EU Member States. With its wide territorial scope, the GDPR will not only apply to the data processing activities of EU-based businesses, but also to various data processing activities of businesses not established in the EU to the extent they target EU data subjects.
- Consent must continue to be freely given, specific, informed and unambiguous (and explicit where sensitive data is processed). Overall, however, the GDPR takes a strikingly prescriptive approach to consent and also (surprisingly) sets the age of consent at 16, unless Member State law provides for a younger age of consent (which must not be below 13).
- A risk-based approach has been successfully inserted into various GDPR provisions by the Council. This, no doubt, will be welcome news for businesses. Consequently, some compliance obligations will only apply to those data processing activities that are likely to result in a risk (or even high risk) for the rights and freedoms of individuals (e.g., obligations to notify data breaches or carry out privacy impact assessments).
- One-stop-shop survives as a concept. Where a controller or processor has multiple establishments within the EU, the supervisory authority of the Member State in which the controller/processor has its 'main establishment' will be competent to supervise and enforce its data protection compliance across the EU. This is subject to the lead supervisory authority being required to consult and cooperate with the supervisory authorities of other affected Member States. The rule is watered down considerably by exceptions providing that local supervisory authorities (other than the lead authority) will be competent to deal with subject matters that relate only to an establishment in their Member State or substantially affect only data subjects in their Member State.
- Data Protection Officers will be required for businesses that, on a large scale and as part of their core activities, regularly and systematically monitor data subjects or process sensitive data.
- Supervisory authorities will be equipped with broad enforcement powers, and fines for non-compliance will be substantial with a maximum fine of €20 million or 4% of the annual worldwide turnover (whichever is higher).