New EU Regulation 'Biggest Shake-up to Privacy Rules in 20 Years'
While details of the EU General Data Protection Regulation (GDPR) remained sketchy Wednesday because the text of the compromise isn't public, the measure is widely viewed as a major development -- be it good or bad. Privacy lawyers said the legislation will strongly affect the way companies handle data protection responsibilities, partly because of the new, higher penalties. "This will deliver the biggest shake-up in privacy regulation for 20 years," wrote Linklaters (Brussels) Global Head of Privacy and Data Protection Tanguy Van Overstraeten. One industry coalition said the GDPR will scare off investors, while telecom network operators said the agreement will leave in place conflicting rules for telcos and Internet players. Digital rights activists and ISPs said the legislation seemed to lack the ambition of the original European Commission proposal.
The GDPR, which is the first major update to EU data protection law since 1995, was approved Tuesday by the European Parliament and Council (see 1512150004) and is to be voted on Thursday by the European Parliament Civil Liberties, Justice and Home Affairs Committee. If confirmed, the final text is expected to be adopted by Parliament and the Council in early 2016, the EC said, and the new rules will be effective two years later. During the transition, the EC will "inform citizens about their rights and companies about their obligations," it said.
The agreement "builds a strong basis to help Europe develop innovative digital services," said EC Vice President-Digital Single Market Andrus Ansip. It will give people more information on how personal information is processed; make it easier for them to transfer their data between service providers; clarify the right to be forgotten (RTBF); and require that individuals be notified in some cases when data is hacked, the EC said.
"We can assume" several changes from the current regime, said Hogan Lovells (London) data protection attorney Eduardo Ustaran. European privacy law will have much wider extra-territorial applicability, he emailed: "The moment a website places a tracking cookie on an EU-based device, you're caught." There are new rules for "pseudonymized" data and tighter rules on consent to use of personal data, he said. There are "very wide grounds" for exercising the RTBF, and a completely new right to data portability. The regulation requires companies to notify data protection authorities (DPAs) within 72 hours of spotting a data breach incident, and to notify individuals if the risk to their personal information is high, he said. Restrictions on international data transfer remain, but "there is a whole new menu of options to legitimise those transfers," Ustaran told us in an email. For organizations that break the rules, there are "huge potential fines," he said.
The step-change in penalties "will make privacy a board level issue" and force business to start taking those issues a lot more seriously, said Van Overstraeten. The biggest change involves sanctions, said Linklaters (London) Global Head of Technology, Media and Telecommunications Richard Cumbley in an interview. Many of the regulation's building blocks are the same as in the existing data protection directive, but currently DPAs can fine only small amounts of money, he said. The shift to potential fines of 4 percent of annual revenue will compel many companies that are trying to comply with data protection requirements to move from a risk-based approach to strict compliance -- a "complete mind-shift," he said. Some industry sectors, such as search engines, will care deeply about the RTBF provisions, while others, such as cloud services providers, will worry about data portability, he said. For all, the fines are the biggest deal, he said.
The U.S. has played a big part in the evolution of the regulation, said Cumbley. European regulators, politicians and lawmakers have seen how the FTC's approach to privacy, with its major enforcement actions, has brought about better compliance, he said. It's ironic that U.S. companies will now be affected by the GDPR as a result of U.S.-style enforcement, he told us.
The regulation "represents a major setback," said Sébastien Houzé, secretary general of the Federation of European Direct and Interactive Marketing, on behalf of the Industry Coalition for Data Protection. "We are concerned that investors will be scared off from investing in Europe and will look outside the continent to finance the next big thing in technology." EU legislators have underestimated EU citizens' demand for data-driven services and failed to strike the right balance between protecting privacy and encouraging digital industry, he said. Other coalition members include the American Chamber of Commerce to the EU, BSA|The Software Alliance and the Computer and Communications Industry Association.
The regulation "defines the legal boundaries not just for all digital marketing, but any marketing in any medium that uses consumer data," said Digital Marketing Association (UK) Solicitor James Milligan in a statement. He said it recognizes that direct marketing is a legitimate interest and personal data is any information about an identified or identifiable person; whether online identifiers such as cookies fall under that definition will depend on where they're placed, while consent for marketing must now be "unambiguous."
The agreement is an important step toward horizontal rules that apply across the digital value chain, said the European Telecommunications Network Operators' Association. But electronic communications are still subject to double regulation and the GDPR missed the opportunity to streamline and simplify the rules, it said. The regulation will make redundant several provisions in the EU e-privacy directive, such as on traffic and location data and breach notification, and fails to integrate other e-privacy directive provisions such as on confidentiality of communications and cookies, an ETNO spokesman told us. "As boundaries of communications services are today blurred, the distinction between those provided by telcos and those provided by internet players does not make sense any longer."
The European Internet Services Providers Association is "disappointed" because the compromise falls short on some key points and differs greatly from the EC proposal, said President Oliver Sueme. He said the text suggests that when creating consumer profiles, online sellers may have to obtain consent for very basic processing, which could result in more personal data being collected just for compliance.
"The bare essentials appear to have been salvaged from the lobby storm," said European Digital Rights. Faced with what may have been the "world's biggest ever lobbying onslaught," the compromise has "left little of the initial ambition" of the privacy proposals, said EDRi Executive Director Joe McNamee. The "devil is in the detail and the detail hasn't been published yet," he said.