Some four years after the European Commission first proposed enacting a new data protection regime to replace the 1995 EU Data Protection Directive, the European Parliament and the Council of the European Union have announced a sweeping new data protection regulation.
The impact of the new General Data Protection Regulation (GDPR) cannot be overstated. It will affect not only companies established in the EU, but also any company in the world that processes personal data of EU residents, even if the company does not have an office there.
In our monthly Privacy & Cybersecurity Update at the end of this month, we will provide a detailed summary of the GDPR and what companies should start doing immediately. In this client alert, we set forth some of the key differences between the GDPR and the 1995 directive.
The GDPR will not go into effect until two years after it has been voted into law by the European Parliament. Many expect this to occur in January.
There has been intense lobbying regarding the GDPR by the business community and privacy advocates for the last four years. This is likely to continue between now and when the regulation is finally voted into law. However most do not expect any substantive changes to the 200-page draft.
Adoption by Member States
As opposed to the 1995 data directive, which needed to be enacted into law by each member state and left room for more stringent requirements on a country-by-country basis, the GDPR is a regulation and therefore will automatically apply to each member state. Regulatory bodies responsible for data privacy in each member state (Data Protection Authorities) will have only limited areas where they can impose their own regulations. A more uniform data protection framework will be a welcome development for many companies.
- As noted above, the GDPR applies to any company that is a processor or controller of data regarding EU residents even if that company is not located in the EU. It is not yet clear how this will impact, for example, online businesses that do not target EU residents but have EU residents visit their sites.
- Companies that suffer a data breach that creates significant risk for data subjects must provide notice within 72 hours of discovering the breach. This is the first time the EU will have a data breach notification law and it creates a far shorter notification period than exists in the U.S.
- Data controllers and data processors will be jointly liable for data breaches.
- Data Protection Authorities in each member state have the authority to fine organizations that violate the law at an amount up to 4 percent of the organization’s annual revenue.
- If an organization is not performing a contract or complying with a legal obligation, it generally can only process data if it has the user’s unambiguous consent. Such consent can be retracted by the data subject at any time, and an organization cannot make its provision of a contracted service contingent on the data subject providing consent for another purpose.
- The GDPR introduces the concept of a “purpose limitation,” which prohibits data from being processed beyond its specified and explicit purpose.
- Parental approval is required for the consent of any child under 16, although member states can lower this to 13.
- The GDPR includes the so-called “right to be forgotten,” which allows EU residents to demand that search results revealing their personal information be removed in a variety of cases. It also includes a “right to erasure,” which allows EU residents to demand that their data be erased if it is no longer required.
- Companies will only have to deal with one data protection authority as opposed to the data protection authority in every member state in which they do business.
Many within the business community are concerned that the GDPR’s restrictions and the potential for extremely large fines will have a negative impact on business with the EU. Privacy advocates maintain that the GDPR did not go far enough. Regardless, there is no doubt that the GDPR is likely the most significant privacy development of the last 20 years.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.