Yesterday brought concrete progress on the revisions to the EU’s data protection laws. The current system dates from 1995 and is regarded by many as out-dated and onerous. The new law, which promises greater uniformity across the EU and, the authorities say, a simpler compliance regime, has been in the planning for several years. With this latest agreement between national ministers some of the difficult areas have been hammered out, and movement towards a final document may now be quicker than expected.
The EU’s planned General Data Protection Regulation has been stuck in negotiations between member state ministers, EU parliamentarians and the Commission for several years. Businesses know that they will have to comply with the new regime, but there has been little certainty about what that will involve and when it will take effect. Now the council of ministers has reached agreement on a 'General Approach' - this is not the end of the process but marks a real step forward. Once the final negotiations are complete there is likely to be a two-year period to comply.
Some points to note (all still subject to final political agreement):
- Because the legal instrument being used is a regulation rather than a directive the new law will apply in a uniform way across the continent without the need for national implementation.
- Non-EU businesses that carry out data processing activities related to the offering of goods or services to EU data subjects, or to the monitoring of their behaviour in Europe, will have to comply.
- ‘Data protection by design’ and ‘Data protection by default’ are to be essential underlying principles in the rules. Data protection safeguards will have to be built into products and services, and privacy-friendly default settings should be used.
- Data Protection Officers may become a requirement for organisations, although SMEs will be exempt from this obligation if data processing is not their core business activity.
- Regular notifications to supervisory authorities will be scrapped to remove some of the red tape inherent in the current system.
- The ‘right to be forgotten’ that arose in the 2014 Google Spain case will be explicit, although there will be limits to the scope of this right.
- There will be a one-stop-shop for both businesses and consumers. They will only have to deal with one regulator for activities across the EU.
- Prompt reporting of breaches – serious breaches should be reported to a national regulator within 24 hours where possible.
- Genetic data will be treated in the same way as sensitive personal data about sex life and political or religious beliefs.
- The sting in the tail – penalties for non-compliance: A hotly-debated area has been the level of fines for failure to comply. The new agreement would permit data protection authorities to fine companies up to 2% of their global annual turnover for the most serious breaches. This is lower than the 5% suggested at one point by the EU parliament, but is at a level intended to be taken seriously in the boardroom.
You can see more on the latest agreement here:
There will be a ‘Trilogue meeting’ on 24 June, after which we’ll have a clearer view on the likely rate of progress.