October 15, 2019

October 14, 2019


New EU Data Protection and Cybersecurity Laws Finalised

The General Data Protection Regulation places new obligations on businesses to protect personal data with high financial penalties for noncompliance.

The European Commission has confirmed that the new General Data Protection Regulation (the Regulation) has been finalised after almost four years since the first draft was published. The Regulation, together with a new Data Protection Directive that deals with the police and criminal justice sector and a new Network and Information Security Directive (the NIS Directive), will strengthen Europe’s foundations on which to build its Digital Single Market. European Parliament is due to formally adopt these laws in early 2016.

Andrus Ansip, the Vice President for the Digital Single Market, has said that the Regulation will “remove barriers and unlock opportunities . . . with solid common standards for data protection, people can be sure they are in control of their personal information.” He also said that “the Internet knows no border—a problem in one country can have a knock-on effect in the rest of Europe. That is why we need EU-wide cybersecurity solutions.”

The Regulation will become effective two years after it is approved (this approval is expected in early 2016), and the EU member states will need to pass laws that implement the NIS Directive 21 months after it is approved (also expected in early 2016).

The Key Provisions

Increased Data Protection Rights for Individuals

Individuals will be required to give informed, freely given and express consent to the processing of their personal data. If the validity of consent is challenged, businesses must be able to demonstrate that it was given. The right to opt out of marketing must also be made available at the time of each marketing communication.

Individuals will have greater rights to access their data and transfer the data from one service provider to another. Businesses will have to prepare for these expanded rights and also have procedures in place for individuals who exercise their rights to erase personal data (often referred to as the “right to be forgotten”).

Businesses will need to build privacy safeguards into their technology and actively factor privacy considerations into the design and upgrade of systems that hold personal data (“privacy by design”). Default settings will need to be privacy-protective, with users able to relax those controls themselves if they prefer.

Clearer Rules for Businesses

The benefit of a regulation rather than a directive is that one data protection law will apply across the EU instead of 28 different national laws implementing a directive (as is currently the case). In practice, however, member states are still likely to interpret the Regulation’s provisions differently. A consistency mechanism within the Regulation allows the European Data Protection Board to give an opinion on cross-border data protection issues.

Businesses will be able to deal with one data protection authority of their choice (a “one-stop shop”) and will no longer have to file data processing notifications with data protection authorities.

Smaller businesses will not have to appoint a Data Protection Officer or conduct impact assessments of data protection risks.

New Obligations for Businesses

All businesses that offer goods or services in the EU (whether or not for a fee) or that monitor or track individuals within the EU will be subject to the Regulation. Offering goods or services requires more than “mere access to a website or email address”; it covers situations in which an individual in the EU is able to purchase or register for such goods or services. Monitoring individuals includes the use of tracking techniques and cookie files as well as the profiling of individuals in the EU. Organisations that have no physical presence in the EU will therefore still be subject to the Regulation, and such businesses will need to appoint an EU-based representative for data protection regulatory purposes.

Businesses will need to appoint a Data Protection Officer (except smaller businesses) who will be responsible for implementing the Regulation, including an organisation’s policies and procedures, and also be accountable to the relevant data protection authority in the event of a data breach. The Data Protection Officer will need to be appropriately trained and supported by the business in terms of authority and access to information about the business. A group of companies may appoint a single Data Protection Officer.

In the event of a data breach, businesses will need to notify the relevant data protection authority without undue delay and, in any event, within 72 hours of becoming aware of the breach. Where individuals are significantly affected, they must also be notified without undue delay. The NIS Directive contains separate security breach notification provisions requiring an operator of “essential services,” such as energy, transport, banking, financial markets, and healthcare, to notify the authority without undue delay of a breach that has a significant effect on the provision of such services.

Sanctions for breaching the Regulation will be tiered: up to 2% of annual turnover for some breaches, and up to 4% of annual turnover for other more significant breaches.

Businesses that act in the capacity of “data processors” (i.e., on instructions from a “data controller,” which currently has direct legal obligations under data protection laws) will have some direct obligations under the Regulation. This includes appointing a data protection officer where processing is a core function, notifying the data controller for whom it acts as a data processor of any data breaches without undue delay, and implementing technical and organisational measures to protect personal data processed on behalf of the data controller.

International Data Transfers

The Regulation will mean that businesses can no longer self-assess an international data transfer as adequate if the destination country is not already on the European Commission’s list of countries deemed adequate. Therefore, unless an individual gives express consent to the transfer or an exemption from the need to obtain consent applies, businesses will need to consider model clauses in the forms approved by the European Commission or binding corporate rules. The European Court of Justice has deemed the Safe Harbor programme invalid, and the European Commission has said it will issue guidance for organisations that are Safe Harbor–certified by the end of January 2016.

Copyright © 2019 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

About this Author

Pulina Whitaker, Morgan Lewis, labor and employment lawyer
Partner

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...

+44.20.3201.5550
Matthew Howse, Employment law attorney, Morgan Lewis
Partner

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

44 (0)20 3201 5670
Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis
Partner

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

215-963-5170
Mark Krotoski, Litigation attorney, Morgan Lewis
Partner

Mark L. Krotoski represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice (DOJ), Mark provides clients with a unique blend of litigation and investigative experience. He has tried 20 cases to verdict and successfully argued appeals before the US Court of Appeals for the Ninth and Sixth Circuits.

202.739.3001
W. Reece Hirsch, Morgan Lewis, Regulatory Attorney
Partner

W. Reece Hirsch counsels clients on healthcare regulatory and transactional matters and co-heads the firm’s privacy and cybersecurity practice. Representing healthcare organizations such as hospitals, health plans, insurers, physician organizations, healthcare information technology companies, and pharmaceutical and biotech companies, Reece advises clients on issues such as privacy, fraud and abuse, and self-referral issues. This includes healthcare-specific data privacy and security matters, such as compliance with the Health Insurance Portability and Accountability Act...

415-442-1422