Posted by Tara Taubman-Bassirian on May 9, 2016.
EU Regulation 2016/679 (the General Data Protection Regulation, or “GDPR”): text published 4 May 2016, enforceable after a grace period, from 28 May 2018.
Possible fines up to the greater of €20 million or 4% of annual global turnover.
Full title: “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.”
The text is a major reform of data protection, introducing (although not a full harmonisation):
– mandatory reporting of data breaches: in most cases breaches will have to be reported within 72 hours,
– heavier sanctions, with significant new fines: maximum fines of €20 million or 4% of annual global turnover per breach (a dramatic increase from the current typical maximum of less than €1 million),
– extra-territorial jurisdiction: businesses outside the EU will be subject to the GDPR if they offer goods or services to, or monitor the behaviour of, EU residents (currently they are only caught if they operate data processing equipment in the EU). See further on this below.
– the one-stop-shop; expect the UK to become a centre of forum shopping,
– many new jobs for data protection officers: most businesses that regularly monitor individuals, or regularly process sensitive personal data, will have to formally appoint an independent Data Protection Officer,
– revised consent, which must be express/opt-in (a ‘clear affirmative action’), whereas under the existing regime implied/opt-out consent is sometimes sufficient,
– no more registration for data controllers. Instead, they are required to maintain internal records of their processing activities (for disclosure on demand to Data Protection Authorities),
– processor liability: data processors (i.e. businesses processing personal data solely for and on the instructions of data controllers) will have direct regulatory obligations and liability,
– data protection impact assessments as a key requirement. If the results of the assessment indicate a high risk, a prior review by the relevant Data Protection Authority must be obtained.
France has already been working at reforming its national legislation.
The UK situation is pending the Brexit decision. It is a fact that the newly appointed UK ICO is Canadian and therefore closer to the Common Law tradition than to EU Civil Law.
The new regulation also sits in the context of the new Privacy Shield arrangement, adopted after the Safe Harbor agreement was invalidated by the CJEU.