European Data Protection Regulation agreed at last

16 December 2015


If you thought there was still a chance that the proposed Data Protection Regulation would fall by the wayside, you will be disappointed! Trilogue discussions ended yesterday and agreement on the new Regulation is pretty much there. A formal confirmation vote before the Civil Liberties Committee is expected tomorrow morning, followed by a vote before the Parliament in the New Year (at which stage we will see the full final text of the Regulation). These are expected, however, to be mere formalities.

We do not have the details yet (and look forward to digesting the fuller implications when the text of the Regulation is released in the New Year) but in the meanwhile, our data protection experts have summarised the headlines below. None of which are particularly surprising except perhaps the size of potential fines - which have been finally settled at a whopping 4% of global annual turnover.

One data protection law for Europe

The Regulation will come into force (automatically so no need for national implementation) in early 2018 - two years from the point it is formally adopted in the New Year.

The good news is that there will finally be a set of uniform rules across the European Economic Area (EEA) and with the 'one stop shop' approach having been agreed, multi-nationals will be able to deal with one regulator. We commented in our last update on the Regulation that the Council had proposed a number of changes which would water down the 'one law' approach by allowing some local variation.

How much room for local variation there will be remains to be seen when we see in the final text.

Application of Regulation to organisations outside of Europe

Organisations outside of the EEA will have to comply with the Regulation if they offer services into the EEA. It is not clear at the moment how far this concept has been extended. We commented in our last update on the Regulation that this requirement could be applied to targeting goods and services at EU citizens (whether free or paid for) and any monitoring of behaviour of EU citizens. We will need to wait to see the final text on this.

Purpose limitation and consent

More control will be given to individuals over the use of their personal data. Trust of the public in organisations (in particular the e-economy) has always been a driving force behind the Regulation, so it stands to reason that provisions giving greater control to individuals over use of their personal data, accessibility and transparency will be strengthened. Processing of personal information will become much more consent-based than under current data protection laws.

Full agreement could not be reached on the question of required age of children to give valid consent for data processing. The Regulation will allow some room for national discretion. Parental consent will be needed for children's use of social media but the age limit for this can be set nationally anywhere between 13 and 16.

Mandatory new requirements to be introduced by the Regulation

Unsurprisingly, the following new mandatory requirements will be introduced (there was never any serious debate between the European Council, Commission and Parliament over the introduction of these core concepts, the debate was only ever about breadth and depth of the requirements):

  • Right to be forgotten
  • Right of portability
  • Privacy by design
  • All organisations to have a data protection officer if processing sensitive data on a large scale or have large scale customer databases. SMEs will be exempt unless personal data processing is a core business activity
  • Privacy impact assessments (with a limited exception for SMEs unless high risk)
  • Serious security breach notification to national supervisory authorities as soon as possible

The Data Protection Directive

The trilogue sessions have also concluded discussions on a new Data Protection Directive for data transfers for policing and judicial purposes. The new Directive will allow national law and enforcement bodies within the EU to exchange information more rapidly and more effectively fight terrorism and serious crime.

The press releases from the European Parliament and European Council on the conclusion of the trilogue sessions, can be found at:

Agreement on Commission's EU data protection reform will boost Digital Single Market

Data protection package: Parliament and Council now close to a deal


NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.

Related   Tech, ThinkHouse