Data Protection Reform
On 15 December 2015, agreement was reached on the EU data protection reform package after 4 years of debates. The final package was agreed by the three European Institutions – the European Commission, the European Parliament and the Council. The final text of the General Data Protection Regulation (“GDPR”) is expected to be approved early this year and will become enforceable two years later, in 2018, allowing a two-year transition period.
The new rules bring an end to the patchwork of data protection laws that exist across the EU and are designed to improve individuals’ control of their personal data and to develop the opportunity for businesses to benefit from the Digital Single Market.
The new rules will necessitate changes for consumers, businesses and data protection regulators. The focus of the Information Commission in 2016 will be on implementation of the new rules and providing guidance to businesses and consumers. Some of the key points to note under the new rules are, in summary, as follows:
- one set of rules across the EU which will also apply to businesses based outside of the EU who provide goods or services to EU data subjects or monitor EU data subjects’ behaviour;
- a requirement for clear and affirmative consent from data subjects. Pre-ticked consent boxes and silence will not suffice;
- a clarified right to be forgotten;
- a right to know when your data has been hacked;
- a fine for businesses of up to 4% of their global turnover for breaching EU data protection law;
- a business will need to appoint a data protection officer in instances where it is collecting a substantial quantity of consumer or sensitive data, although there are exemptions for SMEs;
- direct compliance obligations on data processors not just data controllers; and
- a one-stop shop for complaints and enforcement, so that businesses only have to deal with one supervisory authority as their lead authority across the EU.
The GDPR will require many businesses to take steps and make changes in order to ensure compliance with the new regime. Businesses should be alive to the new rules and start sooner rather than later to review any data processing activities that they undertake and to seek guidance on compliance. We will publish further details on the GDPR and the changes in due course.
Data Transfers Outside the EEA
On 6 November 2015, the European Commission (“EC”) published guidance for the transfer of personal data from the EU to the United States following the earlier Schrems decision declaring Safe Harbour invalid.
In the guidance, the EC stressed that it is committed to ensuring that a comprehensive new safe harbour framework will be in place in early 2016, and that companies should not overreact to the recent Schrems decision. In the meantime, adopting the EU Model Clauses or incorporating Binding Corporate Rules are both considered adequate methods of transferring data. Alternatively, transfers may still be made to the United States if any one of the EC’s list of derogations applies, such as consent to the transfer or necessity of the transfer for performance of the contract.
The EC reiterated that data transfers are still very much possible at this time, and that it will be for the Data Protection Authorities in each EU Member State to ensure that they cater for and properly supervise such transfers.
For further information regarding the Schrems decision, please see our earlier article.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.