Yesterday, the European Parliament and European Commission announced that an agreement has been reached regarding the consolidated text of the new General Data Protection Regulation (GDPR). The agreement is the culmination of three years of negotiating the terms of the GDPR, which will replace the aging European Data Protection Directive of 1995.

Agreement on the GDPR comes amidst US anxiety regarding the future of the US-EU Safe Harbor, the transatlantic data transfer agreement that was invalidated by the European Court of Justice earlier this year, and unrelated negotiations currently taking place to establish a Safe Harbor 2.0 before February 1, 2016.

This is a major milestone in privacy and data protection in Europe and across the globe. The GDPR will apply directly in each of the 28 EU Member States and will not only apply to the data processing activities of EU-based businesses, but also to various data processing activities of businesses not established in the EU to the extent they target EU data subjects.

The agreed-upon text has not yet been made public, and the legislation still must be voted on and passed into law, but many expect that to be more of a rubber-stamping process completed in the spring of 2016. Once the law is passed, it will likely be implemented over the course of 2017 and 2018.

The version available to the public now is presumed to be very close to the final agreed-upon text and makes significant changes to the rules on consent, corporate accountability and enforcement.

Some major provisions of the 200-plus-page document include:

• The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered.

• Notification of a data breach that creates significant risk for the data subjects involved must be made within 72 hours of the discovery of the breach.

• New powers are provided to data protection authorities, including the ability to fine organizations up to four percent of their annual revenue.

• Many organizations will now be required to appoint a data protection officer, including all companies where data processing is a “core” activity and all companies where sensitive data is processed on a “large scale.”

• The GDPR introduces a formal idea of “accountability,” which means the “controller shall be responsible for and be able to demonstrate compliance” with the law.

• Processing of data will only be allowed with explicit consent, to perform a contract, to comply with a legal obligation, to protect the vital interests of the data subject, to perform a task in the public interest or where “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.”

• That consent has to be demonstrable upon demand, can be retracted by the data subject at any time and will not be considered valid if a data subject has to give consent to processing for the provision of a service where the processing isn’t necessary to the actual performance of the contract.

• While the stated intent of the GDPR is to unify data protection law in the EU, there will still be variation from member state to member state: “To this extent, this Regulation does not exclude Member State law that defines the circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful.”

• Children under the age of 16 will need parental approval to give consent, unless the member state passes a law lowering that age, which may be set no lower than 13.

• Special categories of personal data are established that include genetic, biometric, health, racial and political data, among others.

• Controllers have to provide any information they hold about a data subject free of charge and within one month of request.

• A “right to erasure” is established, under which controllers are required to delete personal data in a variety of cases, including if the data was collected when the data subject was still a child in need of parental consent or if the data collected falls into one of the sensitive categories, even if the data has already been made public.

CASRO is following developments relating to the GDPR closely and will be providing our members with education and compliance support beginning early in 2016.