Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation) (the “Regulation”) has been published by the EU Official Journal.
The new Regulation will enter into force on 24 May 2016 and shall apply from 25 May 2018. The new Regulation applies to data controllers and data processors that operate outside the European Union where their processing activities relate to goods or services offered to data subjects within the EU. Therefore, the territorial reach of the Regulation extends beyond the EU.
Currently, companies in the EU must adhere to stricter standards than companies that are established outside the EU. With the new Regulation, companies that are based outside the EU will have to apply the same rules when they offer goods or services on the EU market. For companies, the important question to ask is: whose data am I processing? Is the data subject an EU citizen? If the answer is yes and the entity is processing data in relation to an EU person, then EU data law applies, and it does not matter where the business that processes the information is located.
The purpose of the new Regulation is to ensure that people’s right to personal data protection is recognised and remains protected. The current rules have been in place since 1995 and do not reflect the digital and technological changes implemented since then, e.g. the cloud. As well as reinforcing individual rights and strengthening the EU internal market, it aims to set global data protection standards and give people more control over their personal data and over access to it. The regulatory framework is moving to a single regulation, so rather than having to comply with separate data protection rules in each EU member state, one set of rules will apply.
This means that people’s data should be protected no matter where it is stored, even if this is outside the EU, as is often the case with internet transactions. One of the new rules introduced is the data subject’s right to be forgotten: where there is no longer any need for an organisation to maintain data in relation to a person, it will be deleted. There is also a right to know when there has been a data breach, and specific timelines will be in place for breach notifications. Breach notification obligations shall apply to data processors as well as data controllers. The new Regulation introduces stronger enforcement of data protection; data protection authorities will be able to fine companies that do not comply with the new rules up to 4% of their global annual turnover.
In summary, the main changes to Data Protection law under the new Regulation are:
- The territorial reach of the Regulation has been greatly expanded. Whenever a data controller’s activities relate to the offering of goods or services to EU individuals or to the monitoring of their behaviour, EU rules of data protection will apply. Currently the EU provides strong protection for personal data. If data belonging to EU citizens is stored outside the EU, the transfer of that data needs to be secure, with data protection requirements being complied with by the entity outside the EU to the same standard as within the EU.
- Compliance. The Regulation places onerous obligations on data controllers to demonstrate that they are complying with Data Protection Law. Included in this is a requirement to maintain certain documentation and to conduct Data Protection impact assessments if there is a potential risk.
- Breach Notifications. These must be done without undue delay and where possible within 72 hours.
- The role of Data Processors has been increased so that they now have direct obligations including implementing technical and organisational measures, notifying data controllers of breaches and appointing a data protection officer, if required.
- Sanctions. A tiered approach to penalties will allow data protection authorities to propose fines of up to 4% of annual worldwide turnover. Other specified infringements can attract a fine of up to 2% of annual worldwide turnover.
- International Transfers. Self-assessment is no longer a basis for transfer. Consent for the transfer of data outside the EU will need to be informed. A concept of legitimate interest has been introduced, but it is quite limited in scope.
- Binding Corporate rules are recognised for intra group transfers.
- The concept of a one stop shop has been introduced: one set of regulations for all, and a right to be forgotten so that a data subject can request that their data be deleted where it is no longer required to be held.
Practically speaking, businesses that process data in relation to EU data subjects will need to carry out extensive audits to ensure that they are complying with EU Data Protection law. At a minimum, they should be able to demonstrate that they have proper policies and procedures in place, that data within the organisation is properly classified, and that only the correct persons have access to each class of data.
For more information on these recent changes, contact Gríana O’Kelly, Partner, Corporate and Commercial Group.