Tech Law Blog

Reforming Data Protection Law – Introducing the General Data Protection Regulation

24 March 2016

Click here to subscribe to our weekly tech law updates

In December 2015, 3 years after the first draft was proposed, and almost 20 years since the Data Protection Directive was adopted, EU lawmakers came to agreement on the reform of data protection law. The new General Data Protection Regulation (the “GDPR”) was agreed upon and is currently in the process of formalisation and translation. It is expected to come into force in 2018. In this post – the first of our series looking at the GDPR – we introduce this new piece of legislation and look at some of the implications for businesses.

What is the GDPR?

The GDPR will replace the current Data Protection Directive. As a Regulation, and unlike the preceding Directive, it applies directly. This means that the GDPR does not need to be implemented through each Member State’s national law. This should reduce the level of national variation in relation to data protection law, though it will not eliminate it entirely, as Member States retain some discretion in certain areas.

The GDPR will comprehensively regulate data protection throughout the EU (with the exception of data processed for law enforcement purposes). The GDPR builds upon familiar concepts and rules in the Data Protection Directive, but in many ways it goes further. It has wider scope, standards have been raised, and sanctions are much higher. 

What does this mean for businesses?

With a greater level of harmonisation of laws across the EU, it should be easier for businesses that sell goods or services across the EU to take a unified approach in multiple EU states. However, the compliance burden is generally greater than currently in place, so many organisations will have to review and enhance their existing practices. In particular, the introduction of the ‘accountability’ principle means that affected organisations will have to work on their internal compliance, including record keeping and, for some, the appointment of a data protection officer.

Businesses have some time before the GDPR comes into effect. However, getting to grips with a new compliance framework takes time, and when developing any new products or projects, an eye should be kept to the future.

Why is it important?

The GDPR represents the future of the regulation of data protection in the EU. It is particularly important for two reasons. First, the GDPR has a very wide scope and will capture both data and companies that previously fell outside the realm of EU data protection regulation. Second, the potential fines under the GDPR are extremely high.

The GDPR provides for a two-tier system of fines, depending on the type of non-compliance. For the lower tier of offences, a fine up to the higher of €10,000,000 or 2% of the organisation’s total worldwide annual turnover in the previous year may be imposed. The lower tier of offences includes breach of privacy by design obligations, the rules relating to processor contracts, record keeping obligations and processing security requirements.

For the upper tier of offences, there is potential for fines up to the greater of €20,000,000 or 4% of the organisation’s total worldwide annual turnover in the previous year. Offences which attract the higher level of sanction include breaches of the basic principles for processing, including conditions for consent, infringing data subjects’ rights and unlawful transfers to countries outside the European Economic Area.

For group companies, the percentage fine seems to attach to the turnover of the group, not just the individual company in question. For large multi-nationals, this is a particularly significant deterrent.

There are a number of factors which the data protection authority must consider when deciding the amount of the fine to be imposed, including:

  • the nature, seriousness and duration of the infringement;
  • whether the infringement was intentional or negligent;
  • actions taken to mitigate the damage suffered by data subjects;
  • relevant previous infringements;
  • whether the wrongdoer co-operated with the data protection authority; and
  • the categories of personal data affected.

What next?

As the finalisation and translation of the GDPR is currently in progress, we can expect the GDPR to be formally adopted in the coming months.

The Article 29 Working Party (the group of EU data protection regulators) has released a statement indicating that its priorities will be:

  1. Setting up the new European Data Protection Board. The Board will replace the Article 29 Working Party and have an enhanced role under the GDPR.
  2. Preparing the one stop shop and consistency mechanism.
  3. Issuing guidance, in particular on data portability, the notion of ‘high risk’ and data protection impact assessments, data protection officers and certification.
  4. Communication relating to the new European Data Protection Board and the GDPR.

We will be continuing to look at key aspects of the GDPR throughout the coming weeks and months, so stay tuned for more updates in this area.