24 Dec 2015

EU Announces Sweeping Data Protection Reform

In a trilogue meeting held on 15 December 2015 the European Parliament, the European Commission and the European Council reached a political agreement to reform EU Data Protection policy.  The new policy has been in the works since 2011, but only now have the European Council and the European Parliament managed to reach an agreement on key issues.  The final text is expected to be formally adopted in early 2016, and its rules applicable two years thereafter.  During this period, 28 member states will be required to amend their existing data protection legislation, or to pass new legislation, whereas the European Commission will inform citizens about their rights and companies about their obligations.

Hailed as the most extensive reform of privacy laws in the EU in two decades, data protection policy consists of two instruments: General Data Protection Regulation (the “Regulation”) and the Data Protection Directive.  The latter aims to safeguard the data of all stakeholders involved in criminal investigations or law enforcement actions, and to facilitate cross-border cooperation between police forces or prosecutors in combatting crime and terrorism more effectively across Europe.

The Regulation brings with it significant changes, largely aimed at giving consumers more control over the processing of their personal data, introducing stringent rules on data protection for companies, and hefty fines for those that fail to abide by them.

Most notably, the Regulation makes accessing information about the processing of one’s personal data easier, as well as a right to data portability, making it easier to transfer personal data between service providers. Further, data processors will be obliged to delete the collected personal data once that there is no legitimate ground for its retention (known as “the right to be forgotten”).  In the case of a serious data breach, data collectors will be obliged to notify the national supervisory authority so that users can take appropriate measures.

In terms of obligations for companies, the Regulation expands their potential liability for data breaches by introducing joint liability for both data controllers and data processors. This means that companies will have an interest in ensuring not only that their own operations, but also the operations of their business partners comply with the stringent rules that the Regulation imposes. Companies are also facing fines of up to 4% of annual worldwide turnover where they fail to comply with the Regulation.

On the other hand, the Regulation also takes some of the burden off companies’ shoulders, especially for SMEs. Unlike the bigger companies, they are not required to employ a data protection officer, as long as data processing is not their core business activity. Furthermore, with the introduction of the “one-stop-shop” principle, businesses will now only have to deal with a single supervisory authority. The new rules are mandatory for all companies offering services on the territory of EU, even those based outside of Europe.

Follow our page for more updates regarding the new Data Protection Policy in the New Year.