We may see the final text of the proposed EU General Data Protection Regulation by the end of 2015. In mid-June, the Council of the European Union set forth an agreed general approach to the proposed EU General Data Protection Regulation. And just last week, the Council, the European Parliament, and the European Commission held their first trilogue negotiations on the measure.
The draft the Council brought to the negotiating table included several important provisions that U.S. organizations doing business abroad should note:
- Single law: Instead of being a directive, the regulation will be a pan-European law that replaces the inconsistent patchwork of laws among the 28 nations of the EU.
- Purpose requirement: Businesses that collect and process data, called “data controllers,” can do so only for a legitimate purpose and with the unambiguous consent of the data subject.
- Right to erasure: Individuals have the “right to be forgotten,” meaning that they have the right to ask service providers not to store their personal data.
- One-stop shop: Global companies that do business in more than one EU nation will have to deal with only a single supervisory authority, not one in every state or locality where they do business. This change will lead to greater consistency among legal rulings and, consequently, will allow organizations to save money.
- Security: Data controllers must implement security measures to protect their data and notify affected individuals and the appropriate data protection authority about any breaches.
- Sanctions: Organizations that breach the regulation can be subject to fines of up to 2 percent of their global annual turnover; however, the European Parliament has suggested raising the penalty to 5 percent.
We will continue to monitor the status of the law as it proceeds through negotiations. There will be additional meetings from July to December among the three organizations to discuss the terms of the regulation.
The earliest the regulation will come into effect is two years after an accord is reached and its final text is published. In the interim, organizations should anticipate how the regulation will affect their data processing protocols and make the necessary adjustments.