23 March 2018
The European Union ("EU") member states have postponed adoption of the European Commission's proposed General Data Protection Regulation until at least 2015. The text of the Regulation had been expected to be finalized by the end of 2013, but the approaching European Parliament elections and a series of inter-governmental disagreements have added further complications to an already difficult and politically charged process.
The European Commission originally proposed the data protection reforms in January 2012 as an overhaul of the 1995 EU Data Protection Directive (95/46/EC). Under the Directive, each of the 28 member states transposes the requirements into national law somewhat differently. The Regulation, which would apply directly in every member state, is intended to fully harmonize data protection rules and their enforcement throughout the EU. It would also bring businesses based entirely outside the EU (including US companies) directly within its scope where they offer goods or services to individuals in the EU or host data originating in the EU. The proposed Regulation has been controversial since it was first introduced: certain EU governments such as the UK (along with a lobby of global technology companies) are apparently opposed to the increased regulatory burden the new law would impose, while other states, such as Germany, have taken the position that the new rules do not go far enough to protect individuals. These fundamental disagreements have raised doubts about whether the Regulation will survive in its current form.
The Regulation aims to improve protection for EU consumers but is also likely to place an increased burden on organizations handling personal data. Key changes to the current rules include, but are not limited to: further extension of the extraterritorial reach of EU data protection law to overseas companies that process the personal data of individuals in the EU (whether or not the company has any data processing equipment or a place of establishment in the EU); increased notice and transparency requirements for the collection and use of personal data; a broader requirement to obtain explicit individual consent to the processing of personal data; a mandatory obligation on organizations to notify the relevant regulator (and, in many cases, the affected individuals) in the event of a data breach; fines for serious breaches of the rules of up to €100 million or 5% of annual worldwide turnover, whichever is greater, under the text amended by the European Parliament (the Commission's original proposal set the ceiling at €1 million or 2% of annual worldwide turnover); and the obligatory designation of a data protection officer by certain companies subject to the Regulation.
Given the potential increase in legal requirements and sanctions, the delay in adopting the Regulation may be seen as welcome, since it gives companies (including US-based organizations and cloud service providers that process EU data and are not subject to the current rules) more time to prepare for the change. However, there are signs that the wrangling at inter-governmental level may also affect current data protection arrangements. In particular, the EU-US "Safe Harbor" scheme, which permits registered US companies to export personal data from the EU to the US without breaching the EU Data Protection Directive, has come under threat in light of the recent NSA surveillance controversy. Whatever happens, all organizations involved in collecting or processing personal data from the EU should keep a close eye on developments.