After nearly four years of amendments and negotiations, the European Parliament, Council of the European Union and European Commission reached a political agreement on the proposed General Data Protection Regulation (GDPR) on December 15, 2015. Pending a legal-linguistic review of the texts and final votes from  the European Parliament and Council, the GDPR will be published in the Official Journal of the European Union and will take effect two years after such publication (expected Spring 2018).  This will change not only how Europe regulates personal data but how we as a global society regulate the Internet.

Additionally, the GDPR introduces significant penalties for breaches of the GDPR: up to 4 percent of an entity’s total worldwide annual revenue.  Penalties will apply to all data processing by an establishment in Europe, regardless of where that processing takes place.  If an entity is established outside of Europe, the GDPR will apply to that entity if the entity is (1) offering goods or services in Europe (including free services); or (2) monitoring behavior in Europe.  Monitoring behavior may be broadly applied to include ordinary web analytics on any website, thereby bringing many websites potentially within the scope of the GDPR.

Other notable changes include the following:

  • Harmonized Law.  As a legal instrument, a “regulation” has direct effect—meaning that each Member State will have the same law leading to greater harmonization among the Member States in the area of data protection and privacy.  However, there is still a possibility that Member States interpret provisions differently and there is a risk that some Member States may pass additional, supplemental legislation where permitted under the GDPR.
  • Broad Definition of Personal Data.  The definition of personal data is expanding to clearly include online identifiers such as IP addresses and cookie identifiers, which greatly increases regulation of the Internet.
  • Two Kinds of Consent.  As a legal basis, any processing based on consent must be freely given, specific, informed and based on unambiguous indication of an individual’s wishes.  In addition, processing relating to special categories of personal data, (e.g., race, religion, political opinion, health, etc.), profiling and data transfers require explicit consent.  Moreover, the entity obtaining consent has an affirmative obligation to prove that consent was properly obtained if such consent is challenged.
  • Children.  Similar to the Child Online Privacy Protection Act (COPPA) in the United States, entities processing the personal data of children will have to obtain parental consent.  Unlike COPPA, under the GDPR, a child is someone under the age of 16, not 13.  Also, any information or communication addressed to a child (e.g., privacy policy for a children’s service) must be specifically drafted in clear and plain language that a child can easily understand.
  • No More Registration.  The obligation to register data processing activities with Member State data protection authorities (DPAs) has been abolished.
  • Data Protection Officers.  Entities engaged in processing which either (1) require regular and systematic monitoring of individuals, or (2) consist of processing on a large scale of special categories of personal data, must appoint a data protection officer. There are several requirements related to the appointment and retention of a data protection officer, including a prohibition against dismissing the data protection officer for fulfilling his/her duties.
  • Data Protection Impact Assessments.  Where an entity is engaged in high-risk data processing, it must first perform a data protection impact assessment (DPIA), and where the results of that DPIA indicate that the processing would result in a high risk to individuals in the absence of mitigating measures being taken by the entity, that entity must first consult with its DPA prior to commencing that data processing.
  • Accountability and Records.  Entities must be able to demonstrate compliance with the principles relating to personal data processing.  That obligation, coupled with the obligation to maintain records and the ability for DPAs to inspect and audit such records, introduces a new level of accountability requirements for entities.
  • One-Stop Shop and the European Data Protection Board.  Entities present in multiple Member States will no longer have to interact with multiple DPAs in regard to the same data processing and may instead interact directly with a lead DPA who is obliged to coordinate with other concerned DPAs.  However, local DPAs will retain jurisdiction where data processing specifically concerns their Member State, e.g., as is the case with local employees.  Where DPAs disagree on a course of action, they may consult with the European Data Protection Board for a binding decision on the appropriate course of action.
  • Broad Enforcement Rights.  In addition to a DPA’s ability to sanction entities, a DPA can (1) compel entities to produce information; (2) conduct audits; (3) inspect processing facilities and equipment; (4) order specific processing operations (e.g., delete certain data); (5) order a temporary or permanent ban on processing; and (6) suspend international data transfers.
  • Quasi Class Actions. Not only do individuals have a right to lodge a complaint with a DPA and the right to seek judicial redress in court, but individuals also have the right to appoint a not-for-profit entity acting in the public interest with the power to lodge a complaint before a DPA and to exercise rights of judicial redress on behalf of the individual.
  • Profiling.  Profiling, including the profiling of interests and behavior, which produces legal effects or significantly affects an individual is prohibited, unless (1) such profiling is necessary for the entering into or performance of a contract between the entity and the individual; (2) is specifically authorized by Member State or EU law; or (3) the data subject has provided their explicit consent.
  • Data Breach Notification.  Entities must notify DPAs of data breaches within 72 hours of becoming aware of the data breach unless the data breach is unlikely to result in a risk for the rights and freedoms of individuals.  Where the data breach is likely to result in a high risk to the rights and freedoms of individuals, individuals must also be notified without undue delay.
  • New Individual Rights.  In addition to traditional rights of access, correction, deletion, and objection, individuals will also have the right to data portability (e.g., take your personal data from one service provider to another); the right to erasure (e.g., the right to be forgotten); and the right to restrict processing (e.g., stop data processing pending a review).
  • Data Protection by Design and by Default.  On top of data protection by design requiring that data protection and privacy controls be considered from the outset, data protection by default requires that by default, only personal data which are necessary for each specific purpose of processing are processed.
  • Obligations on Processors.  Data processors, such as service providers acting on behalf of a controller, now have direct obligations under the GDPR, including the obligation to notify the controller and obtain consent before switching to any different or new sub-processors.
  • Restrictions on Data Transfers.  Restrictions on data transfers continue to be a centerpiece of the GDPR.  Adequacy decisions and existing data transfer mechanisms such as EU Model Contracts and Binding Corporate Rules have been grandfathered in.  New data transfer schemes such as data transfers made pursuant to an approved code of conduct or certification have also been introduced.

While the GDPR will not enter into force for at least two years, it is important that organizations begin to prepare for the coming GDPR now.  If you have any questions about what your organization will need to do to comply with the GDPR, please contact experienced counsel.

© 2015 Perkins Coie LLP