The European Parliament and the Luxembourg presidency of the Council of Ministers, on behalf of national governments in the EU, reached a deal on the wording of a new General Data Protection Regulation and a new Data Protection Directive for police and criminal justice authorities on Tuesday.
The package of reforms will replace the existing Data Protection Directive and, in the case of the Regulation, set a single data protection law with affect across the EU. Businesses based outside of the trading bloc will also be subject to the new rules in certain cases. The new framework has still to be formally adopted but is likely to have effect from early 2018.
According to a leaked copy of the new Regulation (209-page / 475KB PDF) published on the Statewatch website, organisations will face a number of new obligations under the new regime.
Data controllers will no longer be required to pre-notify data protection authorities (DPAs) of their personal data processing activities, but they, along with data processors, will need to maintain a record of processing activities they are responsible for or carry out and make it available to DPAs when requested, although there are some exceptions for SMEs.
In addition, organisations will be required to carry out data protection impact assessments where their plans to process personal data are "likely to result in a high risk for the rights and freedoms of individuals". This obligation will arise particularly where companies are looking to process personal data through the use of new technologies and where companies plan to engage in people profiling, according to the leaked draft.
Data controllers will be required to consult with DPAs "prior to the processing of personal data where a data protection impact assessment … indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk". If DPAs believe the planned processing would not comply with the Regulation it could issue advice to data controllers on how to proceed or use one of the powers given to it under the Regulation, such as requiring companies to open themselves up for a data protection audit.
Some companies and most public bodies will also be required to appoint a data protection officer (DPO) under the new framework. For businesses that obligation arises where their "core activities" consist of processing operations that "by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale"; or if it involves processing sensitive data on a large scale.
The Regulation will allow group companies and different public bodies to share the same DPO and for DPOs to perform their duties in addition to other functions. DPOs will be required to have suitable "professional qualities" and knowledge on data protection matters. Their duties will include serving as a point of contact for organisations to DPAs and data subjects, advising their employers on personal data processing and monitoring their compliance with the Regulation.
Under the new Regulation organisations of all kinds will be required to notify DPAs and their customers of major data breaches they experience in certain circumstances.
Specifically, organisations will need to report a personal data breach to DPAs "without undue delay and, where feasible, not later than 72 hours after having become aware of it" unless that breach is "unlikely to result in a risk for the rights and freedoms of individuals". The notification to DPAs must include a number of details about the breach, including the type of personal data compromised, the number of people the incident has affected, the likely consequences of the breach and what measures have been taken to "mitigate its possible adverse effects".
The new rules also address the issue of liability for breaches of the new Regulation. The new regime allows data subjects to pursue compensation for "material or immaterial damage" they have suffered as a result of a breach of the Regulation by either a data controller or data processor, although there are limited circumstances in which processors can be held liable. In practice it could mean businesses having to reclaim at least a share of the compensation they have paid out from other companies that were responsible, fully or in-part, for the breach.
A complex sanctions regime will also apply under the new Regulation. Different maximum financial penalty thresholds have been set depending on the nature of the breach of the Regulation an organisation is responsible for.
In the most serious cases, including where the rights of data subjects have not been honoured, where "basic principles for processing" have not been observed or where rules on data transfers have been broken, companies could be fined up to 4% of their annual global turnover for the previous financial year.
One of the basic principles for processing personal data is where organisations obtain the consent of data subjects for that processing. Under the agreed reforms, organisations relying on consent to process personal data will need to show that the consent they have obtained is freely given, specific and informed and is an "unambiguous indication" of a data subject's wishes and expressed "either by a statement or by a clear affirmative action".
If relying on consent to process sensitive personal data, organisations will need to ensure they have "explicit consent to the processing of those personal data for one or more specified purposes".
New rules on data portability, data protection by design and default and on profiling are also set out in the agreed Regulation, whilst a new complex framework for the handling of enforcement matters that have cross-border impact is also set to apply, according to the leaked draft.