Luxembourg politician Viviane Reding proposed three years ago to overhaul the EU Data Protection Directive. Now, European Union officials have settled on an agreement to replace the Directive with new privacy legislation called the General Data Protection Regulation (GDPR). It is not EU law just yet, but the EU Parliament is expected to fully approve it during its next meeting. Upon approval, the GDPR will become law in 2018 across all 28 EU Member States and replace the widely inconsistent laws previously implemented to comply with minimum data protection requirements set out in the directive.
First enacted in 1995, the Directive needed to be updated due to a routine change in the technology sector. It is anticipated the EU government will synchronize privacy laws across the Euro zone through GDPR. Heavy fines are expected for any company’s failure to implement these new requirements.
In its current form, the GDPR contains provisions expected to change how data is collected, stored and transmitted in and out of the EU. This includes the following:
- Instituting more rigorous requirements for accessing and obtaining consent for collecting and individual’s information.
- Raising the consent age for collecting information to 16 years old (from 13).
- Mandating that companies must delete an individual’s data if they are no longer using the data for the original purpose for which it was collected.
- Requiring all companies to notify the EU of data breaches within 72 hours.
- Implementing one national office to monitor and manage complaints brought under GDPR.
- Instituting fines up four percent of a company’s global revenue for non-compliance.
The GDPR’s most critical change is that jurisdiction is not a physical or geographical barrier; the jurisdiction will be digitally measured, which means that companies outside the EU could be affected by new regulations by virtue of collecting data that belongs to an EU citizen. As previously mentioned, fines for non-compliance are four percent of a company’s global revenue, and the financial impact to Fortune 500 companies could be in the billions. It remains to be seen how strictly the EU government will enforce these restrictions. Still, companies should begin planning and implementing new business practices into their workflows and expect the EU to be aggressive in its enforcement when the 2018 deadline hits.
The GDPR will also recognize standard contractual clauses and binding corporate rules as authorized frameworks for transferring citizen data out of the EU. The Safe Harbor was invalidated in 2015 in the wake of the Edward Snowden disclosure of the United States’s comprehensive surveillance programs. As such, the recognition of standard contractual clauses and binding corporate rules should, in theory, provide relief to business owners who rely on self-certifying their company’s compliance with Safe Harbor principles. Negotiations between the United States and the European Union are underway to establish “Safe Harbor 2.0.” Both parties are pushing to finalize the framework by the end of January 2016. This would provide another avenue for data transfer to about 4,000 companies that relied on the first Safe Harbor to collect and transfer data.