By Joseph D. McClendon
Three years after Luxembourg politician Viviane Reding originally proposed overhauling the EU Data Protection Directive (“Directive”), European Union officials finally reached an agreement to replace the Directive with new comprehensive privacy legislation called the General Data Protection Regulation (“GDPR”). The GDPR is not yet EU law; however, the EU Parliament is expected to approve the GDPR when it next meets in January 2016. When approved, the GDPR will become law in 2018 across all 28 EU Member States and will supersede the inconsistent laws the EU Member States implemented in order to comply with the minimum data protection requirements set out in the Directive.
Enacted in 1995, the Directive was in severe need of updating to keep up with the near constant change in the technology sector. The EU government intends to synchronize privacy laws across the Euro zone using the GDPR, with heavy fines for a company’s failure to implement the new privacy requirements.
The GDPR in its current form contains provisions that will change how data is collected, stored and transmitted in and out of the EU, including:
- Making the requirements for obtaining an individual’s consent for collecting that individual’s information more rigorous;
- Raising the age of consent for collecting an individual’s information from 13 years old to 16 years old;
- Memorializing the “right to be forgotten”, meaning that a company must delete an individual’s data if the company is no longer using the data for the purpose it was collected or if the individual revokes his or her consent for the company to hold the data;
- Requiring companies to notify the EU government of data breaches within 72 hours of learning about the breach;
- Establishing a single national office for monitoring and handling complaints brought under the GDPR; and
- Fines up to 4% of a company’s global revenue for its non-compliance with the rules set out in the GDPR.
The most critical change brought about by the GDPR is that jurisdiction is not a physical or geographical barrier – jurisdiction will be measured digitally, meaning that companies outside of the EU will be affected by these new regulations by virtue of collecting data that belongs to an EU citizen. With fines for non-compliance being set at 4% of a company’s global revenue, the financial impact to Fortune 500 companies for non-compliance can potentially result in billions of dollars in fines alone. How strictly the EU government will enforce and monitor compliance with the GDPR remains to be seen; however, companies should begin planning and implementing new business practices into their workflows with the expectation that EU regulators will be aggressive with their enforcement when the 2018 deadline hits.
Finally, the GDPR does recognize standard contractual clauses and binding corporate rules as authorized frameworks for transferring EU citizen data out of the EU. With Safe Harbor invalidated in 2015 in the wake of Edward Snowden’s disclosure of the U.S.’s comprehensive surveillance programs, recognition of standard contractual clauses and binding corporate rules should provide some relief to business owners who chose to rely on self-certifying their company’s compliance with the Safe Harbor principles rather than using standard contractual clauses or binding corporate rules to transfer data out of the EU. The EU is currently in negotiations with the U.S. government to establish “Safe Harbor 2.0”, with both parties pushing to finalize the framework by the end of January 2016, thereby providing another avenue for data transfer to the roughly 4,000 companies that previously relied on Safe Harbor to collect and transfer data out of the EU.
Polsinelli attorneys understand how complicated government privacy regulations can be. Whether your company is an established Fortune 500 business with an adaptive cybersecurity policy or a startup with no plan in place, Polsinelli's Privacy & Data Security Team has the experience to coach your business on the importance of having, creating, and following a robust cybersecurity policy that complies with even the most rigorous government regulations. For more information, please contact the author, a member of the Polsinelli Privacy & Data Security Team or your Polsinelli attorney.