Background to the reform

In 2012, the European Commission launched a reform of the European Union (“EU”) data protection rules. After 4 years of negotiations, the European Parliament, the Council and the European Commission reached, in April 2016, a final consensus on the data protection reform, which consists in two legal instruments:

• Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, as regards the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, or “GDPR”), which reforms and repeals the Directive 95/46/EC on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The Directive came into force on 5 May 2016 and EU Member States have until 6 May 2018 to implement it in their national laws, while the GDPR came into force on 24 May 2016 and will be directly applicable in all Member States as of 25 May 2018.

The E-privacy Directive[1], which specifies how some of the principles in the Data Protection Directive 95/46/CE apply to electronic communications sector, will also be reviewed in the coming years.

Aims of the GDPR

The GDPR aims to strengthen the fundamental rights of citizens and create a harmonized legal framework for the protection of personal data tailored to the digital economy, while reducing the administrative burden for data controllers.

The reform retains the major principles of data protection (i.e. fairness, lawfulness, transparency, security, confidentiality, accuracy) while introducing new rules reinforcing individual freedoms and addressing the challenges of high risk processing operations, such as big data.

What to expect?

A general reform

One set of harmonized rules within the EU, which creates clarity and consistency of the rules to be applied and provides for a common corpus in all Member States, even if they can adapt their legislation to specific issues (in particular the penalty regime).

A broader territorial scope: the new regulation will apply to data controllers/processors established in the EU but also to those not established in the EU, whenever the processing activities concern the offering of goods or services to EU residents or the monitoring of their behaviour within the EU.

A strengthened framework

• Enhanced rights for data subjects

Right to be forgotten: the GDPR specifies the conditions governing the exercise of the right to be forgotten[2].

Right to data portability from one online service provider to another.

Remedies: judicial relief for data subjects has been enhanced. In the case of breach, they will be entitled to an effective judicial remedy and compensation not only from the controller (as is currently the case), but also from the processor.

Specific protection of children, obliging parents to provide their prior consent.

• Enhanced obligations for controllers and processors

Higher standards concerning data subject’s consent to data processing and extensive information about the processing to be provided by data controllers, including, inter alia, the retention period of the data, details of the data transfers outside the EU, and the legal basis for processing.

End of prior notifications / authorisations of data processing with national DPA’s.

Adjustment of data controllers and/or processors‘ obligations depending on the risks of their activities as regards the protection of personal data:

• Obligation to conduct a Data Protection Impact Assessments (“DPIA”) prior to processing activities which are likely to result in a high risk to the rights and freedoms of natural persons.
• Obligation to keep records of the processing activities which comprise, inter alia, a description of the data processed, the reasons for processing, and a description of the technical and organisational security measures adopted.
• Obligation to take technical and organisational measures (including staff policies, pseudonymisation) to meet the requirements of the GDPR.
• Obligation to appoint a data protection officer (“DPO”) for controllers and processors which are public authorities, handling regular and systematic monitoring of data subjects on a large scale and processing sensitive or criminal data.

Specific procedure for personal data breaches must be followed by both processors and controllers.

Heavier penalties

Supervisory authorities will be allowed to impose on a case-by-case basis dissuasive administrative fines on controllers and processors in cases of breach of the regulation. Some contraventions could trigger a fine of up to EUR 20.000.000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The GDPR also allows Member States to regulate criminal penalties.

Less than two years to be compliant!

The GDPR will be applicable as of May 2018 but data controllers and processors are encouraged to ensure the compliance of their data processing as soon as possible. The following steps are in particular recommended:

• Check whether you are required to appoint a DPO
• Check whether you are required to conduct a DPIA
• Review your existing compliance mechanism to enable you to keep records of processing activities and identify data breaches as soon as possible
• Audit your processing activities based on consent to make sure that the consent meets the requirements of the new regulation
• Update your current procedures in order to allow data subjects to exercise their new rights (e.g. right to be forgotten, right to data portability)
• Review and complete where necessary your privacy notices so that you include the additional information required by the GDPR (e.g. legal basis for processing, retention period of the data).

To facilitate the transition to the GDPR regime, a draft law^[3] was recently presented to the Luxembourg Parliament. The main aim of the proposal is to simplify the formalities of prior authorisation regarding processing activities for supervision purposes and transfers of personal data to third countries.

[1] Directive 2002/58/E of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector

[2] As previously formulated by the European Court of Justice in the Google Spain decision (C-131/12).

[3] Draft law No 7049 amending the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data

Download this newsletter in French