On May 25, 2018, the European Union will implement the most significant changes to its data protection regime in twenty years when the European General Data Protection Regulation, or GDPR, comes into force. The GDPR was adopted by the European Parliament and European Council in 2016 to standardize data privacy laws across the EU and give more rights and protection to individuals. It replaces the 1995 Data Protection Directive, which could only be implemented by national legislation. Once the regulation comes into force, it will apply in all EU states automatically, without the need for adoption in national law. Some of the biggest changes include:
Expanded Scope: Article 3
The GDPR will apply to any company that processes or controls personal data and sells goods or services in the EU in connection with those data processing activities, regardless of whether the company is present in the EU.
New Consent Requirements: Article 7
Individual consent will still permit data processing, but that consent must be given in an agreement separate from other terms of service. Further, individuals who refuse consent must still be provided the service unless its delivery relies on that data processing.
More Individual Control: Articles 17 and 20
Individuals gain an explicit right to have their personal data deleted on request, subject to some limited exceptions. They also gain a right to receive their personal data from a controller in a usable form, or to have it transmitted directly to a competitor.
Standardized Breach Notification: Articles 33-34
After discovering a personal data breach that risks harm to individuals, controllers must notify the relevant authorities without “undue delay,” and generally within 72 hours of discovery. Notification of the affected individuals may also be required, depending on the risk of harm involved.
Cross-Border Supervision and Enforcement: Art. 56, 57, 60, 62, 65
Regulation is entrusted to a “lead supervisory authority” in the state where the processor’s or controller’s “main establishment” is located. Where data processing has effects in other states, the lead authority must consult with those states’ supervisory authorities about regulation and enforcement. Disputes between them can be resolved by a new European Data Protection Board.
Heightened Administrative Penalties: Art. 83(3)-(6)
There are two upper limits for fines. For violations of the provisions listed in Art. 83(4), companies can be fined up to 10 million euros or 2% of their global revenue. For violations of the provisions listed in Art. 83(5), or for non-compliance with a supervisory authority’s order, companies can be fined up to 20 million euros or 4% of their global revenue. In each case the higher of the two amounts applies.
Companies will still need to refer to the laws of each specific EU state to understand their obligations. While the GDPR will become the effective baseline for data privacy regulation across the EU, individual states may expand protections and adopt or adjust certain rules. For U.S. companies that market products or services based on the collection of personal data, compliance with both the GDPR and national legislation will be a condition of doing business in Europe. And the GDPR’s effects on trade and industry custom are nearly certain to play a role in any future proposal for a comprehensive U.S. data privacy and protection regime.
The GDPR’s full text is available in English at: https://gdpr-info.eu/
To read more posts like this one, check out our blog and contact a Sioux City lawyer, Sioux Falls attorney or Omaha lawyer today for more information about data privacy.