What to expect?
The text of the Regulation will undoubtedly be amended over the next 2 years of legislative process. Regardless, the Regulation will force both companies and individuals processing personal data to rethink the way they presently operate.
- It will be easier for citizens to access their personal data through data portability – personal data will be easily transferable between service providers.
- Data subjects will have more control to determine how their data is processed, through the inclusion of purpose consent for data processing as well as a right to be forgotten – if a data subject no longer wants data to be processed and there is no reason for a company to retain it, that data shall be deleted.
- Companies that become aware that a citizen's data has been stolen will be subject to more stringent notification obligations.
- An extended territorial scope means non-EU data controllers whose processing activities relate to: (i) goods or services offered to individuals in the EU, or (ii) monitoring individuals in the EU are now subject to the Regulation.
- Mimicking competition law, businesses breaching the Regulation could face fines up to €100 million or 5% of their annual turnover.
- Entities processing data will be able to apply for a European Data Protection Seal issued by national data protection authorities certifying that their data processing procedures comply with European legislation. Holders of this seal are partially shielded from prosecution.
- Blanket consent for the processing of personal data will be replaced with “Purpose Consent”. Currently, entities processing data may obtain consent from a data subject at the beginning of the business relationship, and that consent need not be specific or limited by time. “Purpose Consent” means that even where data subjects have consented to data processing, the consent is deemed withdrawn once the purpose for which it was granted is fulfilled. This may require active monitoring and increased costs.
Compliance with the Regulation will be policed by a single supervisory authority, streamlining a process that is currently fragmented and eliminating multiple contact points across the EU.
Adoption of this Regulation is not a foregone conclusion. Nevertheless, the legislative process is progressing fairly quickly and conservative estimates say that a finalised Regulation may be in force at some point in 2016.