Trilogue is on: preparing for the EU General Data Protection Regulation
August 2015 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS
Financier Worldwide Magazine
A major revision of the personal data protection framework applicable in the European Union is currently underway. The upcoming regulation, known as the General Data Protection Regulation (GDPR), is likely to be adopted late in 2015 or at the beginning of 2016, and will provide a harmonised data protection framework in the EU. As the impact of the GDPR will be significant for the entities that process personal data, it is necessary for businesses to begin adapting their internal processes in order to mitigate the impact of the GDPR on their operations.
Context of the revision of the EU data protection framework
In the European Union, the legal framework relating to the protection of personal data mainly results from Directive 95/46/CE of 24 October 1995 (the Directive), which set a minimum level of protection for the processing of data relating to individuals. Even though, back in 1995, such legislation was a major achievement in terms of setting up the principles of a harmonised data protection regime in Europe, it has become necessary to review this framework.
On the one hand, because the 1995 harmonisation took the form of an EU Directive, which each member state then had to implement in its national law, member states eventually produced a patchwork of very different regulations. As a result, it may currently prove quite complex for businesses established in several countries within the EU to roll out personal data processing on their various sites. There was an obvious need for a consistent data protection framework across the EU.
On the other hand, since 1995, technology has evolved significantly, particularly in the field of IT, telecommunications and the internet. Nowadays, most individuals are connected to, and businesses rely on, cloud computing solutions. Big data promises to deliver significant value, especially concerning analytics based on personal data. As a result of such a major shift in the uses of networks and data, revision of the framework set by the Directive was inevitable.
This legislative process started in 2012 with a proposal from the Commission for the GDPR. Unlike the Directive, the GDPR will take the form of a regulation, which will make it directly applicable in all EU member states and finally ensure a consistent legal framework across the EU.
Key anticipated changes resulting from the GDPR
Even though the legislative process of the GDPR is ongoing, certain principles have emerged from the draft versions discussed at this stage.
First of all, the territorial scope of the GDPR will likely be extended with respect to the scope of the Directive. The GDPR would apply not only to data controllers established in the EU, but also to entities offering goods or services to EU residents, or monitoring the behaviour of EU residents. If this is confirmed, it is a key change that may affect businesses located outside of the EU but serving the EU market.
Also, while data processors (i.e., the entities processing data on behalf of the entity that defines the purposes and means of the data processing – the data controller) were not directly subject to the Directive, the draft GDPR will most likely apply at least to those data processors based in the EU.
Sensitive personal data, the specific categories of personal data whose processing is subject to stricter constraints, will now expressly include genetic data. Additional safeguards will also apply to the processing of sensitive personal data.
Regarding the consent of the data subject to the processing of their personal data, the draft GDPR reinforces the conditions under which the consent of the data subject is recognised as a sufficient legal basis for the processing of personal data.
While the profiling of individuals was not subject to specific rules under the Directive, the GDPR expressly grants individuals the right not to be subject to decisions that impose legal measures on them, or significantly affect them.
In addition, the GDPR will introduce a major shift regarding the obligations of data controllers in terms of data protection compliance. Pursuant to the accountability principle, and instead of carrying out administrative registration formalities prior to implementing data processing, data controllers will have to establish internal documentation describing and analysing their data processing activities. This documentation will be necessary to provide evidence of compliance with data protection rules set by the GDPR.
The obligation to notify data breaches (which currently only applies to telecoms operators) will be broadened to include all data controllers. Data processors will also have an obligation to report data breaches to data controllers.
Finally, another key change that is expected to be introduced by the GDPR is a major shift in the enforcement of data protection framework violations. Indeed, whereas the administrative sanctions that can currently be imposed by the national data protection authorities are generally limited, the different versions of the draft GDPR refer to maximum fines for non-compliance of up to €100m, or 2-5 percent of the company’s global turnover, whichever is greater. This evolution emphasises that ensuring sufficient personal data protection has become both a major political and legal issue in the EU.
Status of the GDPR – key issues are still under discussion
Major changes to the EU data protection framework are on the horizon, as the drafting of the GDPR has reached its final stage, known as the trilogue – a joint discussion between the European Parliament, the EU Commission and the Council of Ministers. This trilogue session is scheduled to last until around the end of 2015, so the odds are that the GDPR could be adopted at the end of 2015 or in early 2016. It is then expected that it will come into force two years after its adoption.
However, even though considerable progress has been made since 2012, the versions of the proposed GDPR as respectively revised by the Parliament, the Commission and the Council of Ministers still differ on several important points. In addition to the maximum amount of possible fines, other key issues are still under discussion, such as the possibility of further processing data for purposes that are incompatible with the initial purpose, the one-stop-shop mechanism intended to ensure the consistency of the supervision process, and the mandatory or optional designation of a data protection officer depending on the magnitude of the data processing.
Anticipating the GDPR: a strategic issue for businesses
As the legislative process for the adoption of the GDPR is reaching its end, and even if the orientation of the GDPR still has to be confirmed, it is key for businesses to get acquainted with, and implement as soon as possible, the principles that will result from this regulation.
The GDPR will significantly impact the way businesses process personal data. All businesses that will be subject to the GDPR should therefore: (i) begin defining their strategy and internal procedures for processing personal data; (ii) ensure their compliance programs address data protection compliance; (iii) mitigate their data governance risks, including by implementing consistent technical procedures in order to prevent possible data breaches; (iv) establish data breach response strategies; and, last but not least, (v) prepare for investigations by data protection supervisory authorities.
In other words: get ready for the General Data Protection Regulation.
Olivier Haas is counsel, and Philippe Marchiset and Evgenia Nosareva are associates, at Jones Day. Mr Haas can be contacted on +33 1 56 59 38 84 or by email: firstname.lastname@example.org. Mr Marchiset can be contacted on +33 1 56 59 38 83 or by email: email@example.com. Mrs Nosareva can be contacted on +33 1 56 59 39 04 or by email: firstname.lastname@example.org.
© Financier Worldwide
Olivier Haas, Philippe Marchiset and Evgenia Nosareva