On 15 December 2015, the European Council, the EU Commission and the EU Parliament reached an agreement on a reform of the European data protection law within the framework of the so-called “trialogue negotiations”. The package consists of the General Data Protection Regulation and a Data Protection Directive.
The General Data Protection Regulation is aimed at providing EU citizens with better control over their personal data. Important points are:
• Explicit consent of the customers to the use of their data
• Stricter requirements for consent to the use of data that is not required for the contractual relationship
• Simplified access to the citizens’ own data
• Right to data transferability (“portability”)
• Right to “be forgotten”
• Right to information about whether data were lost or hacked
• Establishment of a uniform EU data protection supervisory body
Unfortunately, the regulation retains the provision that member states may regulate employee data protection more strictly than the European rules require. As a result, employee data protection will continue to vary between countries with stricter rules (e.g. Germany and France) and countries with less strict rules in this area.
In addition, the directive introduces numerous new duties, non-compliance with which is subject to severe penalties of up to four per cent of total worldwide annual turnover or up to EUR 20 million, whichever is higher. This is all the more significant because the provisions of the regulation must first be interpreted by authorities and courts, which will cause considerable legal uncertainty in the first years. This concerns, for instance, undefined legal terms such as “fairness” in data processing and legal issues such as the considerably stricter requirements for valid consent of the data subjects. In the meantime, one can only hope that the competent authorities will not interpret the rules too strictly.
Exceptions apply to SMEs, for instance, regarding the duty to appoint data protection officers. Companies with fewer than 250 employees and turnover not exceeding EUR 50 million fall into this category. It is doubtful, however, whether these exceptions can compensate for the increased costs incurred because of the stricter requirements.
The new provisions also apply to companies with their registered office outside Europe if they offer services in the EU.
The new data protection law is expected to be formally adopted by the Council and the EU Parliament in spring 2016 and to enter into force in 2018. We urgently advise companies to check their existing data processing processes for compliance with the new rules in due time.
By Gerlind Wisskirchen, Partner, CMS – The firm is a member of the EACCNY