by Breda O'Malley February-18-2016 in Commercial & Business, Data Protection, Employment Law

Europe finally reaches agreement on the proposed General Data Protection Regulation (GDPR) which it is hoped will streamline existing data protection laws across the 28 member states and enhance data privacy protections for individuals.

After almost four years of “trilogue” deliberations between the European Commission, the Parliament and the Council, a compromise text has now been agreed. This will replace the existing European Data Protection Directive (Directive 95/46/EC) and the outdated assortment of data protection rules across the respective member states.

The new laws will consist of the GDPR, which relates to the use of EU citizens’ personal data, and the Data Protection Directive, which relates to the use of personal data by law enforcement agencies. Importantly, as the GDPR is a regulation, as distinct from a directive, it will be automatically applicable in all EU member states. This means that no additional national implementing steps will be required.

The compromise text itself is now available on the website of the European Parliament and although yet to be finalised, the current draft offers an important insight into what is yet to come.

What you need to know

  • Extra-territorial effect - The GDPR will not only extend to organisations established within the EU, but may also extend to those located outside of the 28 member states, where the organisations target EU customers in the provision of goods and services or where these organisations engage in the monitoring of the behaviour of EU citizens.
  • International transfers - This is a hot topic at present in light of the recent decision of the CJEU in the Schrems/Safe Harbour case, which concerned the international transfer of EU citizens’ personal data from Europe to the US. The new regulation appears to widen the margins for organisations to transfer data to a non-member state. For example, binding corporate rules which apply to data transfers within multinational companies will be afforded statutory recognition, adequacy decisions made by the Commission may apply to specific sectors or territories, and new grounds for the adequacy of international transfers are to be found in the form of codes of conduct and certifications.
  • Consent - Now defined as freely given, specific, informed and unambiguous, this suggests that an affirmative action is required on the part of the data subject. This means that pre-ticked boxes or mere silence will no longer be sufficient for the purposes of obtaining consent. A data subject’s consent may also be withdrawn at any stage and there should be no impediments to this; consent should be as easily withdrawn as it is given.
  • Fair processing information - The new regulation expands upon the information which must be given to data subjects regarding the processing of their personal data. Currently, the Irish Data Protection Acts 1988 and 2003 provide that such information should include details such as the identity of the data controller and the purpose for which the data is being processed. The regulation goes further to require that individuals should also be informed how long their data will be stored, the details of any transfers to third countries, if applicable, and the fact that they have a right to make a subject access request and a right to rectify and/or delete their personal data.
  • Subject access requests – While the process for dealing with subject access requests has not hugely changed, there are a number of administrative differences. For example, the compromise text provides that information provided in a subject access request must be provided free of charge, provided that the request itself is not excessive or burdensome (in which case a reasonable fee may be charged). Currently, Irish law provides that a small fee of no more than €6.35 may be charged as payment for dealing with a subject access request. The timeline in which to comply with a subject access request will also be reduced to 1 month (currently 40 days under Irish law). This can however be extended to two months where necessary, taking into account the complexity of the request.
  • Joint liability - Controllers and processors can now be jointly liable for breaches. The compromise text also sets out more detailed requirements in respect of the legal requirements which must apply to the controller/processor relationship. The text now makes data processors subject to regulation for the first time.
  • Enhanced sanctions - The regulation will introduce a two-tier system in respect of sanctions: minor administrative breaches may attract a penalty of up to €10m or 2% of annual worldwide turnover, and more fundamental breaches can be subject to a higher fine of €20m or 4% of annual worldwide turnover. Given these increased sanctions, organisations will be forced to take the provisions of the new legislation very seriously.
  • One-stop shop - In cross border scenarios, this will allow an organisation to select a single data protection authority in the country of the main establishment of the controller/processor organisation.
  • Obligation to notify - The GDPR introduces a mandatory requirement to notify the supervisory authority where a data breach has occurred. This requirement must be fulfilled without undue delay and where possible, within a period of 72 hours. Further to this, if there is a high risk to the data subject on foot of the breach, the data subject too must be notified without undue delay. The only exemption to this requirement is where the breach in question is “unlikely to result in a risk for the rights and freedoms of individuals”. However, it is thought that this exemption will be interpreted very narrowly.
  • Role of Data Protection Officer - Organisations which (i) regularly or systematically monitor data subjects on a large scale; or (ii) process a large amount of sensitive personal data, will be obliged to appoint a data protection officer to ensure overall compliance with data protection requirements. For all other organisations, this step is voluntary. In terms of a suitable candidate for this role, the recitals to the compromise text refer to a person with expert knowledge of data protection laws and practices.
  • Right to be forgotten - The GDPR lists a number of circumstances in which individuals will be afforded an explicit right to have their personal data removed from the controller/processor’s system and/or online content, as the case may be. In these circumstances, the controller/processor must erase the said data, without undue delay.
  • Age of digital consent - The controversial proposal to raise the age of digital consent from 13 to 16 has been watered down in this latest compromise text. This would have had a significant impact on technology companies, who would have been forced to obtain consent from a parent/guardian to process certain types of data. However, the current text provides that individual member states will have the freedom to set a lower age of consent, subject to a minimum of 13.
  • Guidance notes / certifications / codes of conduct - The compromise text envisages a number of ways in which organisations may be guided as to their compliance with the new legislation. A new European Data Protection Board will be established with the function of issuing guidelines, recommendations and best practices. The regulation will also provide for codes of conduct and certification mechanisms by which organisations will be able to demonstrate that they are in compliance.

Once finalised, subject to a legal-linguistic review, the final text must then be approved by the European Council and Parliament and thereafter published in the official journal. It is likely that the GDPR will become official within a two year period, i.e. sometime in 2018. On this basis, it is important that all organisations who process and manage personal data should be aware of the changes envisaged and begin to consider how to update their practices, if applicable.

Overall, it is thought that the forthcoming regulation signifies an important step on the road to streamlining existing data protection laws across Europe and strengthening privacy protections for Europe’s 500 million citizens. With hefty sanctions at the ready for those who breach the prescribed requirements, organisations will be forced to take the rules seriously and adapt their practices accordingly.

While in some respects, the regulation has been criticised for being overly bureaucratic, it has generally been welcomed as what should be the most progressive and extensive data protection framework in the world to date.
