After nearly four years of negotiations, the European Parliament, Council of Ministers, and European Commission have reached an agreement about overhauls to the EU data protection regime. The comprehensive data protections will consist of a General Data Protection Regulation (GDPR), which governs personal data in the private sector, and a Data Protection Directive, which addresses police and criminal justice use of personal data. The GDPR will apply to all companies that offer services in the EU or monitor behavior of data subjects in the EU and will bring major changes to how companies address data protection and the use of European citizens’ personal data.

Highlights

• Companies will face new data breach reporting requirements.

• If a company collects information from many consumers or processes certain sensitive information on a large scale, then the company must appoint a data protection officer.

• Violating the GDPR can result in penalties of up to 4% of annual worldwide revenue.

• Data processors and data controllers will both face new liabilities.

• Businesses will interact with a single supervisory authority for data protection.

• Individuals can learn how businesses process their data with greater ease and clarity.

• Consumers will have a right to transfer personal data between service providers.

• A “right to be forgotten,” that is, deletion of data that individuals no longer want processed, will be included.

Next Steps

Further information on a variety of the proposals, including the establishment and interaction of the supervisory authorities and the right to be forgotten, is needed to understand the extent of the GDPR’s effect.

The European Parliament’s Civil Liberties Committee approved the EU data protection regime agreements on December 17. The European Parliament will next vote on the GDPR and the Data Protection Directive. EU member states will then take any approved data protection agreements and implement the provisions into their own national laws.

Since the European Commission and Parliament first announced their intentions to reform the data protection regime in 2011–2012 and tension hit US-EU data transfers, there has been increased pressure to reevaluate the protection of EU citizens’ personal data. The EU has spent nearly four years negotiating how to turn the 28 EU member states’ varying concepts of privacy and effective data protection regimes into one uniform system. Slated to take effect in 2018, the proposed new EU data protection regime is a turning point in data protection policy that is sure to have a big effect on consumers and businesses alike.

Read the full text of the agreement.