It is just over four years since Datonomy reported on the leak of the Commission’s original data protection reform proposals and, as most readers will have heard by now, last night the EU institutions reached political agreement on the General Data Protection Regulation. Agreement was also reached on the other part of the reform package, the less-reported-on Data Protection Directive for the police and criminal justice sector. We do not yet have final texts, although key Council analysis documents of the compromise texts for both the GDPR and the Directive have been leaked on the Statewatch website, and these, combined with reports from sources in Brussels, give us an indication of where the key aspects of the Regulation have ended up. Datonomy will of course be analysing the finalised texts once they become available.
What’s next? When will the new rules be in force?
The compromise texts will now go back to the Council and the Parliament for ratification. The EP’s Civil Liberties Committee, the lead committee for the proposals, will vote tomorrow morning, 17 December, and the EP will then vote in plenary in the new year. Once the final text has been translated into all the EU languages, it will be formally signed by the Presidents of the Parliament and the Council and published in the Official Journal. From that point the two-year lead-in period will start to run, taking us to early 2018. The Regulation will have direct effect in Member States, the aim of the reform being a harmonised EU regime, although there appear to be several areas where Member States will have discretion to impose stronger or weaker rules.
What are the headlines?
- Fines: up to 4% of annual global turnover for infringements of the rules – lower than the 5% supported by the Parliament but double the level proposed by either the Commission or the Member States.
- Consent: The new standard will be freely given, specific, informed and “unambiguous” consent – i.e. a clear affirmative indication – for the processing of all personal data, and “explicit” consent for the use of sensitive personal data. There are concessions to the need for online consent mechanisms to avoid being “unnecessarily disruptive”.
- Breach notification: Data breach notification to the regulator for all organisations “without undue delay” – and, where feasible, within 72 hours. Breaches unlikely to result in a risk to the rights and freedoms of data subjects do not need to be notified. The threshold for notifying affected individuals would be breaches likely to pose a high risk to them.
- Profiling and children: Tougher restrictions on the use of profiling, and on the collection and use of under-16s’ data, which will require parental consent (and reasonable efforts to verify it), but with flexibility for Member States to lower the age threshold to 13.
- Supply chain: joint and several liability for suppliers acting as data processors.
- DPOs: A requirement for the public sector and for private sector organisations engaged in large scale, systematic monitoring to appoint a data protection officer (but with flexibility for Member States to impose stricter DPO requirements).
- Other key obligations: more exacting requirements for organisations to ensure privacy by design and by default and to document their compliance with the new regime.
There is of course much more to say and much more to digest about the far-reaching reforms in the 200-page GDPR, and doubtless plenty of devil in the detail – for example, how new concepts such as the One Stop Shop principle of enforcement will work in practice, and the various aspects of the Regulation which will turn on Commission delegated and implementing acts, and on standards and benchmarks. Businesses have just over two years to gear up for profound changes in the way they collect and use data. The UK ICO has recommended making a start in the five key areas detailed here. The Datonomy team will be taking stock and providing practical analysis of key compliance issues in the New Year, and will continue to keep readers updated on the final leg of the GDPR’s epic legislative journey.