Dec 162015

Agreement Reached on EU General Data Protection Regulation

Cameron F. Kerry, William RM Long, Edward R. McNicholas, Alan Charles Raul and Francesca Blythe
, , , , ,

After almost four years of intense negotiations, on 15 December 2015, an informal agreement on the proposed EU Data Protection Regulation was reached between the Council of Ministers and the European Parliament. An extraordinary meeting of the LIBE Committee is scheduled for 17 December 2015 for the 28 EU Member States to vote on the text. Final adoption of the Regulation is likely to be in early 2016.

The proposed Regulation expressly recognizes that “[t]he right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality.” Other fundamental rights to be taken into account for balancing against data protection include “freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.”  However, the proposal does not expressly seek to promote technological innovation.

The Regulation, which is intended to create a single law on data protection in the EU, will have a significant impact on both European companies and importantly also businesses outside of Europe that collect data on Europeans. Some of the key provisions in the Regulation (based on leaked text of the Regulation) include:

  • Fines – fines for non-compliance of up to the greater of €20 million or 4% of annual worldwide turnover;
  • One Stop Shop – the introduction of a new one stop shop mechanism where businesses will be accountable to one lead data protection authority in the EU country where the data controller has its main establishment;
  • Accountability – enhanced accountability principles including requirements on businesses to implement data protection policies, maintain a detailed record of processing activities, conduct privacy impact assessments and implement data protection by design and by default;
  • Extraterritorial Application – the new Regulation purports to apply to any company that processes the personal data of Europeans – even if the company has no physical presence in Europe;
  • Data Protection Officers – a business will be required to appoint a data protection officer where the processing involves large amounts of sensitive personal data or regular monitoring of individuals or is required by national laws – a corporate group can appoint a single data protection officer;
  • Security Breaches – a requirement to report security breaches to the relevant data protection authority within 72 hours and to affected individuals without undue delay unless, for example, the data is encrypted or subsequent measures have been taken to remove the risk to individuals;
  • A Right to be Forgotten – a new right for individuals to have their personal data deleted, the so called “Right to be Forgotten” subject to certain limitations like freedom of expression and information;
  • Right to Data Portability – a right to require the transfer of personal data from one service provider to another;
  • Data Protection Impact Assessment – Where data processing uses new technologies, and is likely to result in high risk, the controller must conduct an assessment of the impact on the protection of personal data;
  • Profiling – new restrictions on businesses carrying out profiling which produces legal effects or significantly affects an individual other than where this is necessary for the performance of a contract, is authorized by national Member State law or with the explicit consent of the individuals.  Profiling based on sensitive personal data (such as health data) is only permitted in limited circumstances;
  • Pseudonymous data – a new definition for pseudonymisation, which in turn enables certain uses of data where a business implements appropriate technical and organizational measures to protect against re-identification.
  • Consent – more stringent consent requirements, including a right for individuals to withhold their consent and parental consent required for children aged under 16 years (or 13 years if permitted under national laws);
  • International Transfers – statutory recognition of international transfers using Binding Corporate Rules, Model Contracts, approved codes of conduct or certification mechanisms; and
  • Foreign Data Requests – a new restriction, separate and independent from other provisions on data transfers, that any judgment of a non-EU court or authority requiring the disclosure of personal data will only be recognized or enforceable if based on an international agreement (e.g., a mutual legal assistance treaty) between the relevant Member State and the requesting country.

Businesses now need to seriously consider the impact of the Regulation and its stricter requirements, and begin planning for 2016 implementation. A first step would be for businesses to consider whether they are subject to the expanded jurisdiction of the Regulation, and if so, carry out an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning, reviewing existing data protection notices and consents, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and appointing a data protection officer.

Cameron F. Kerry

ckerry@sidley.com

William RM Long

London

wlong@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.