26 Apr 2016

EU Data Protection Reform Adopted

As announced in one of our previous publications, the new rules on personal data protection were adopted at the European Union (“EU”) level on April 14, 2016. Referred to as “the culmination of over four years of hard work” in the joint statement of the European Commission (“Commission”) First Vice-President, the Vice-President in charge of the Digital Single Market and the Commissioner for Justice, Consumers and Gender Equality, the new policy aims to extend citizens’ right to personal data protection, enhance legal certainty for businesses by unifying the regulation within the EU and allow for improved cooperation between Member States’ criminal law enforcement authorities. Its significance also lies in the fact that it will facilitate the fulfillment of the principles underlying the EU Agenda on Security and the Digital Single Market.

The reform package introduces the General Data Protection Regulation (“Regulation”) and the Data Protection Directive for Police and Criminal Justice Authorities (“Directive”), which will replace the current centerpiece of European data protection legislation, the 1995 Data Protection Directive (Directive 95/46/EC), as well as the 2008 Framework Decision for the police and criminal justice sector. The new legal framework will take effect after a two-year transition period, a timeframe intended to allow for steady adaptation.

The Regulation should give individuals more control over the processing of their personal data by ensuring they are instantly notified of hacking or disclosure of their personal data, fortifying their right to be forgotten (as it allows personal data to be erased without undue delay under certain conditions) and introducing a right to data portability, which should facilitate the transfer of personal data between service providers.

As regards businesses, the Regulation, unlike the previous legislation, envisages that a company outside the EU which targets consumers in the EU will also be subject to it. In this context, data controllers, data processors and joint controllers face additional obligations. Data processors must comply with direct obligations such as taking technical and organizational measures, notifying data breaches without undue delay and designating a Data Protection Officer. If they do not, they risk heavy fines, which, for some infringements, may amount to up to 4% of annual worldwide turnover. Also of importance for businesses is the one-stop-shop system, which replaces 28 authorities with a single supervisory authority.

On the other hand, the application of the Directive should result in a more harmonized legal framework for exchanging information between law enforcement authorities in the EU and, eventually, help lower crime rates and cut costs.