Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Last Friday, the EU Council has adopted its position at first reading on the data protection reform. This prepares the way for the final adoption of the legislative package which includes the General Data Protection Regulation (GDPR) by the European Parliament on 14 April 2016. This formal adoption by the EU Council comes after the compromise agreed with the European Parliament on 15 December 2015.
The European Parliament now is expected to vote in second reading at its plenary session next week, on Thursday 14 April. If the Parliament approves the Council’s position at first reading without amendments as expected, this would then complete the legislative process for the GDPR. Afterwards, the legal texts are going to be published in the Official Journal of the EU. The new EU-wide data protection Regulation will come into effect 2 years and 20 days after adoption. Please find below a short summary of the most relevant consequences of the GDPR.
What’s the practical impact of the new EU Data Protection Regulation for international companies?
To date, data protection has rarely been discussed at the board level. That is now about to change, with the European Parliament set to adopt the new EU General Data Protection Regulation in June 2016. The Regulation is intended to provide a uniform set of rules for data processing throughout the EU and to replace the existing patchwork of national laws governing how personal data is handled. Brussels is getting serious about data protection – and that includes the penalties it can impose, which should be “effective and dissuasive,” according to the Regulation.
Companies that do not comply with the strict new requirements face fines of up to 4% of their global revenue for the previous year. Even errors that are deemed less serious could lead to fines of up to 2% of revenue. In the case of corporate groups, regulatory authorities are expected to calculate fines on the basis of consolidated revenue. Such penalties could easily run into the hundreds of millions.
Managers, data protection officers, heads of IT and other staff responsible for data protection within a company must be careful. Those in senior positions who do not comply with the new rules face fines of up to EUR 20 million. In addition, they could be personally liable if the company is forced to pay fines or damages due to their own errors. The dramatic increase in risks means individuals should be aware that, in future, acts of negligence could very quickly cost them their jobs.
The new EU data protection rules will be much stricter than existing laws. Brussels is significantly tightening the requirements for companies in several areas:
Worldwide application: The Regulation’s reach is intended to extend beyond the EU. Companies outside the Union must also comply with European data protection rules if they process data relating to individuals in the EU in order to offer them goods or services or to monitor their behaviour.
Art. 3(2) GDPR: “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.”
Personal liability of data protection officers and managers: Up until now, data protection officers have generally been required to “work towards” compliance with the requirements. However, under the new law, they must ensure that all rules are actually adhered to. Management board members and managers, who are already subject to extensive monitoring duties under the existing law, are no better off under the new arrangements.
Training, duties to prove compliance and accountability: Companies must introduce effective data protection guidelines and train their employees in the new law. Documentation is another area of data protection in which businesses face a significant workload. It is not sufficient to simply comply with the new requirements – proof of compliance is also required. This seemingly unremarkable change could be very costly in practice because defendants in proceedings relating to corporate fines or damages claims must first furnish the necessary evidence that they did everything by the book. This requires an effective data protection management system – including risk analysis, training, structures, processes, controls and rapid change management.
Information and notification: In the future, companies must notify individuals earlier and in a much more comprehensive manner if they process their data. Here, too, errors can lead to hefty fines.
Right to be forgotten: As soon as personal data is no longer needed, it must be erased. If data is published, the recipient to whom the data has been passed must be notified if the data subject requests that links to or copies of this data be erased.
Right to a copy and “data portability”: Data subjects can request that companies which store their data provide them with a copy of all stored data. This will be costly and time-consuming for businesses.
“Services for data” at risk: It will no longer be permitted for companies to provide additional contractual services on the condition that data subjects consent to the processing of their data. The “services for data” business model is likely to be unhappy about this change.
Data protection impact assessment: If data processing is expected to result in high risks to the freedoms and rights to privacy of data subjects, the company must perform and document an extensive preliminary assessment and, if necessary, subsequently submit this assessment to the data protection authority for approval.
Data protection by design and by default: Firms must design their IT systems in such a way that they meet the regulatory requirements, e.g. by only collecting and processing as little data as is needed from the outset in order to achieve a specific purpose. Where possible, data should be pseudonymised. If a company fails to ensure the required level of data security – e.g. to prevent hacker attacks – the consequences could be very costly. Non-compliance here could lead to fines of up to 2% of revenue.
Data protection at work: Many of the new rules were designed with the IT sector in mind and are therefore not very compatible with data protection at work. Alternative rules for the processing of employee data can be incorporated in work agreements, but this requires the cooperation of the works council. That is why some companies are already negotiating with their employee representatives.
Companies should have a roadmap setting out how they will fulfil the new requirements by 2018. Some measures are already self-evident:
Risk analysis: What risks does the company’s business model face? How high is its revenue? What are the risks of being fined and what other potential adverse effects could there be?
Gap analysis: Where is the company now? What measures are necessary to meet the requirements of the new EU data protection law going forward?
Resource planning: What resources are needed in order to transition to the new law? What resources are available and where is there a shortage?
Budget planning: It is well known that data protection costs money. The liability of both the company and its decision-makers will play no small part in budget negotiations.
Project planning: Transitioning to the new EU law could be a project of mammoth proportions, especially for large companies and even for corporate groups. That is why project planning should be professional and flexible from the outset. The list of corporate functions alone that are involved here is much longer than in many other major projects.
For more information on the GDPR, please see:
Press release of the EU Council regarding the GDPR.
The English version of the GDPR as adopted by the EU Council.
Agenda for the plenary session of the EU Parliament on 14 April 2016.
Authored by Tim Wybitul, Eduardo Ustaran, and Bret Cohen