General Data Protection Regulation

"GDPR" redirects here. For the economics term, see Gross regional domestic product.

The General Data Protection Regulation (GDPR) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) [2] from 1995. Perhaps confusingly for some, there is a new directive as well as a new regulation; it will apply to police procedures, which will continue to vary from one Member State to the other.[3]

A proposal[4] for GDPR was released on 25 January 2012 and the EU Council aimed for formal adoption in early 2016.[5] The EU Council and the Parliament both adopted the regulation in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive it does not require any enabling legislation to be passed by governments.

Summary

"The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover." [6] The Parliament's version contains increased fines up to 5%.[7] After trilogue negotiations between the European Parliament, the European Commission and the Council of Ministers, there is general consensus on the wording of the GDPR and also the financial penalties for non-compliance.[8]

Content

The proposal for the European Data Protection Regulation contains the following key changes:[7] [9]

Scope

The regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU. Furthermore (and unlike the current Directive) the Regulation also applies to organizations based outside the European Union if they process personal data of EU residents. The regulation does not apply to the processing of personal data for national security activities or law enforcement ("competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties"). According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address." [10]

Single set of rules and one-stop shop

A single set of rules will apply to all EU member states. Each member state will establish an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offences, etc. SAs in each member state will cooperate with other SAs, providing mutual assistance and organising joint operations. Where a business has multiple establishments in the EU, it will have a single SA as its “lead authority”, based on the location of its "main establishment" (i.e., the place where the main processing activities take place). The lead authority will act as a “one-stop shop” to supervise all the processing activities of that business throughout the EU[11][4] (Articles 46 - 55 of the GDPR). A European Data Protection Board (EDPB) will coordinate the SAs. EDPB will replace Article 29 Working Party.

There are exceptions for data processed in an employment context and data processed for the purposes of the national security, that still might be subject to individual country regulations (Articles 2(2)(a) and 82 of the GDPR).

Responsibility and accountability

The notice requirements remain and are expanded. They must include the retention time for personal data and contact information for data controller and data protection officer has to be provided.

Privacy by Design and by Default (Article 25) require that data protection is designed into the development of business processes for products and services.

Privacy settings are set at a high level by default.

Data Protection Impact Assessments (Article 35) have to be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required and a prior approval of the DPA for high risks. Data Protection Officers (Articles 37–39) are to ensure compliance within organizations. They have to be appointed for all public authorities and for companies processing more than 5000 data subjects within 12 months.

Consent

Valid consent must be explicit for data collected and purposes data used (Article 7; defined in Article 4). Consent for children under 16[12] must be given by child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn.[13]

Data Protection Officer

Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, or where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation The DPO is similar but not the same as a Compliance Officer as they are also expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations. Monitoring of DPOs will be the responsibility of the Regulator rather than the Board of Directors of the organisation that employs the DPO. The appointment of a DPO within a large organisation will be a challenge for the Board as well as for the individual concerned. There are a myriad of governance and human factor issues that organisations and companies will need to address given the scope and nature of the appointment. In addition, the post holder will need to create their own support team and will also be responsible for their own continuing professional development as they need to be independent of the organisation that employs them, effectively as a "mini-regulator".

Data breaches

Under the GDPR, the independent Data Protection Officer (DPO) will be under a legal obligation to notify the Supervisory Authority without undue delay and this is also still subject to negotiations at present. The reporting of a data breach is not subject to any de minimis standard and it is likely that the GDPR will provide that such breaches must be reported to the Supervisory Authority as soon as they become aware of the data breach (Article 31). Individuals have to be notified if adverse impact is determined (Article 32).

Sanctions

The following sanctions can be imposed:

Right to erasure

A so-called right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[14][15] Article 17 provides that the data subject has the right to request erasure of personal data related to him on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (see also Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González).

Data portability

A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. In addition, the data must be provided by the controller in a structured and commonly used electronic format. The right to data portability is provided by Article 18 of the GDPR. [9] Legal experts see in the final version of this measure a "new right" created that "reaches beyond the scope of data portability between two controllers as stipulated in Article 18."[16]

Timeline

The schedule is

Discussion & challenges

The proposal for the new regulation gave rise to many discussions and controversy. Thousands of amendments were proposed.[19] The single set of rules and the removal of administrative requirements were supposed to save money. But critics pointed to these issues

References

  1. Presidency of the Council: "Compromise text. Several partial general approaches have been instrumental in converging views in Council on the proposal for a General Data Protection Regulation in its entirety. The text on the Regulation which the Presidency submits for approval as a General Approach appears in annex.", 201 pages, 11th June 2015, PDF, http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf
  2. "Directive 95/46/EC"
  3. "European Commission - Fact Sheet. Questions and Answers - Data protection reform". European Commission. 21 December 2015.
  4. 1 2 "GDPR proposal"
  5. The EU General Data Protection Regulation Timeline, Allen & Overy
  6. "New draft European data protection regime". m law group. Retrieved 3 January 2013.
  7. 1 2 "Inofficial consolidated version GDPR". Rapporteur Jan Philipp Albrecht. Retrieved 9 December 2013.
  8. Article 83 (5) of The Council's first reading after the trilogue sets maximum fines to be the highest of 4% of global turnover and 20 million Euro. The Commission adopted the views of the Council's document April 11th 2016, see COM/2016/214/FINAL and ST 5419 2016 ADD 1 - 2012/011 (OLP)
  9. 1 2 Proposal for the EU General Data Protection Regulation. European Commission. 25 January 2012. Retrieved 3 January 2013.
  10. European Commission’s press release announcing the proposed comprehensive reform of data protection rules. 25 January 2012. Retrieved 3 January 2013.
  11. The Proposed EU General Data Protection Regulation. A guide for in-house lawyers, Hunton & Williams LLP, June 2015, p. 14
  12. Member states may in law provide for a lower age, however not lower than 13. See article 8 (1) of the common position after the trilogue, april 2016.
  13. "How the Proposed EU Data Protection Regulation Is Creating a Ripple Effect Worldwide". Judy Schmitt, Florian Stahl. 11 October 2012. Retrieved 3 January 2013.
  14. Baldry, Tony; Hyams, Oliver. "The Right to Be Forgotten". 1 Essex Court.
  15. "European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)". European Parliament.
  16. "The Final European Union General Data Protection Regulation, by Cedric Burton, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot and Sára G. Hoffman, Section II, 4". Bloomberg BNA. February 12, 2016.
  17. Data protection reform: Council adopts position at first reading
  18. Data protection reform - Parliament approves new rules fit for the digital era
  19. Overview of amendments. LobbyPlag. Retrieved 23 July 2013.

External links

This article is issued from Wikipedia - version of the Thursday, May 05, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.