After more than four years of negotiations, the European Parliament adopted on April 14, 2016 the General Data Protection Regulation (GDPR). Pending publication in the EU Official Journal, the new rules, which will replace the current Data Protection Directive, will be applicable two years after, in 2018.
Parliament’s adoption follows Council’s adoption on April 8, 2015. The adoption by the Council and Parliament follows a political agreement reached in December 2015 between both EU institutions (Flash).
The new rules will:
- replace the “current inconsistent patchwork” of 28 national data protection laws based on the Data Protection Directive (Tracker) by one single framework for the whole EU;
- apply both to companies established in the EU and to companies not established in the EU but that monitor the behaviour of individuals in the EU;
- recognize new rights for individuals such as the right to data portability;
- contain new obligations for companies, for instance notifying personal data breaches (Table) and designating a data protection officer (DPO);
- set up a one stop shop whereby companies will only have to deal with a single national data protection authority (DPA) and a consistency mechanism to handle cross-border data protection cases; and
- contain fines up to 4% of the total worldwide turnover of a company.
A full summary of the GDPR is contained in this Tracker.
The European Commission said it will “engage in open dialogue with stakeholders, notably businesses, to ensure there is full understanding and timely compliance with the new rules.”
European DPAs gathered in the Article 29 Working Party (WP29) have launched anaction plan for 2016 on the implementation of the GDPR (Flash).
The action plan foresees the adoption of guidance for companies as regards different issues, including the new right to data portability and the DPO.
It is worth noting that according to the GDPR, WP29 will be replaced by the European Data Protection Board, a new body of the EU with legal personality and decision powers.
The GDPR will be complemented by new e-privacy rules, which will concern the processing of personal data in the communications sector. The Commission is currently reviewing the current e-Privacy Directive and is expected to come up with a legislative proposal at the beginning of 2017 (Tracker).
As part of this process, the Commission launched on April 11, 2016 a public consultation on this issue (Flash).
The EU is also soon to adopt its first cybersecurity rules. A political agreement on the draft Network and Information Security (NIS) Directive (Tracker) was also reached last December, but the text still needs be formally adopted by Council and then Parliament. Member states would have 21 months to implement the directive, meaning that it will probably enter into application around the same time as the GDPR in 2018.
This post has originally been published on the Cullen International Site.