The new EU General Data Protection Regulation (“GDPR”) is here, following approval by a key European Parliamentary committee on December 17, 2015. Here are some highlights:
Vast expansion of scope
- Worldwide application. The GDPR applies to many more businesses than existing EU data protection law. The GDPR’s reach includes non-EU companies that process personal data about EU residents if the processing is related to either (i) the offering of goods or services to EU residents, regardless of whether payment is required or (ii) monitoring the behavior of individuals located in the EU. Many more U.S. companies will now have to comply.
- Service providers now in scope. While the bulk of current EU data protection law applies directly to data controllers (i.e., companies with the right to make decisions about why and how personal data is processed), the GDPR places many new obligations directly on data processors (i.e., companies that process data only on behalf of their customers, the data controllers). On top of that, data controllers will now be required to impose additional contractual obligations on their data processors.
Fines for noncompliance and a right to sue.
Violations of certain provisions, such as consent requirements or cross-border data transfer restrictions, can trigger fines up to the greater of 20,000,000 EUR or 4% of the company’s total annual turnover. In addition, any person who has suffered “material or immaterial damage” may sue and obtain compensation from the relevant controller or processor.
More stringent consent requirements generally.
COPPA Lite, or COPPA Plus.
When an online service is required to obtain consent, the consent must be obtained from the parent or guardian if the concerned individual is under 16. This age threshold can adjusted down to as low as 13 by individual member states, so expect continued lack of harmony on this point. Companies must make “reasonable efforts” to confirm that consent is provided by the parent or guardian, “taking into consideration available technology.”
Limitations on profiling.
“Profiling” is defined to include the processing of personal data to analyze or predict certain aspects regarding a person, such as their personal preferences, interests, behavior, location, movements, performance at work, economic situation, health or reliability. Like all processing of data, profiling will require a legal basis (typically consent), and individuals have special rights to opt out of profiling, including when it is performed for direct marketing purposes or to conduct activities that significantly affect the individual.
Cross-border transfers still restricted.
Safe Harbor 2.0 remains under negotiation. Alternative legal bases for transferring personal data to outside the EU remain mostly intact, but they may be subject to later review. For example, the current Standard Contractual Clauses approved by the European Commission for cross-border transfers will at least initially remain valid.
More data is considered sensitive.
More stringent requirements apply to sensitive data, a category which now will include genetic and biometric data (in addition to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health, sex life or sexual orientation). Additional restrictions apply to other categories of data (e.g., criminal records).
Data breach notification.
While certain data breach notification obligations exist under current EU laws, the GDPR will require all covered data controllers to notify the relevant privacy regulator of a breach “not later than 72 hours after having become aware of it” unless the breach “is unlikely to result in a risk for the rights and freedoms of individuals.” Controllers must also notify affected individuals unless certain exceptions apply, such as if the controller has taken post-breach steps that sufficiently mitigate risk. Data processors will be required to notify the relevant controllers of a breach “without undue delay after becoming aware.”
Enhanced notice and information obligations.
Many companies will be required to let individuals obtain a full copy of their data in a standard format and, upon request by an individual, facilitate transfers of the data to other companies (including competitors) “where technically feasible.”
The GDPR will take effect in early 2018 (assuming additional voting and procedural formalities are completed in early 2016, as anticipated).