After 4 years of negotiations, the final “Data Protection Package”, which sets out new European rules on privacy in the digital age, was formally adopted by the European Parliament and Council on April 2016. Here are some background and key points of the reform, together with a checklist to help you to comply with these new rules.
Background to the reform
In 2012, the European Commission launched a reform of the European Union (“EU”) data protection rules. After 4 years of negotiations, the European Parliament, the Council and the European Commission reached, in April 2016, a final consensus on the data protection reform, which consists in two legal instruments:
The Directive came into force on 5 May 2016 and EU Member States have until 6 May 2018 to implement it in their national laws, while the GDPR came into force on 24 May 2016 and will be directly applicable in all Member States as of 25 May 2018.
The E-privacy Directive, which specifies how some of the principles in the Data Protection Directive 95/46/CE apply to electronic communications sector, will also be reviewed in the coming years.
Aims of the GDPR
The GDPR aims to strengthen the fundamental rights of citizens and create a harmonized legal framework for the protection of personal data tailored to the digital economy, while reducing the administrative burden for data controllers.
The reform retains the major principles of data protection (i.e. fairness, lawfulness, transparency, security, confidentiality, accuracy) while introducing new rules reinforcing individual freedoms and addressing the challenges of high risk processing operations, such as big data.
What to expect?
A general reform
One set of harmonized rules within the EU, which creates clarity and consistency of the rules to be applied and provides for a common corpus in all Member States, even if they can adapt their legislation to specific issues (in particular the penalty regime).
A broader territorial scope: the new regulation will apply to data controllers/processors established in the EU but also to those not established in the EU, whenever the processing activities concern the offering of goods or services to EU residents or the monitoring of their behaviour within the EU.
A strengthened framework
Right to be forgotten: the GDPR specifies the conditions governing the exercise of the right to be forgotten.
Right to data portability from one online service provider to another.
Remedies: judicial relief for data subjects has been enhanced. In the case of breach, they will be entitled to an effective judicial remedy and compensation not only from the controller (as is currently the case), but also from the processor.
Specific protection of children, obliging parents to provide their prior consent.
Higher standards concerning data subject’s consent to data processing and extensive information about the processing to be provided by data controllers, including, inter alia, the retention period of the data, details of the data transfers outside the EU, and the legal basis for processing.
End of prior notifications / authorisations of data processing with national DPA’s.
Adjustment of data controllers and/or processors‘ obligations depending on the risks of their activities as regards the protection of personal data:
Specific procedure for personal data breaches must be followed by both processors and controllers.
Supervisory authorities will be allowed to impose on a case-by-case basis dissuasive administrative fines on controllers and processors in cases of breach of the regulation. Some contraventions could trigger a fine of up to EUR 20.000.000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The GDPR also allows Member States to regulate criminal penalties.
Less than two years to be compliant!
The GDPR will be applicable as of May 2018 but data controllers and processors are encouraged to ensure the compliance of their data processing as soon as possible. The following steps are in particular recommended:
To facilitate the transition to the GDPR regime, a draft law was recently presented to the Luxembourg Parliament. The main aim of the proposal is to simplify the formalities of prior authorisation regarding processing activities for supervision purposes and transfers of personal data to third countries.
 Directive 2002/58/E of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector
 As previously formulated by the European Court of Justice in the Google Spain decision (C-131/12).
 Draft law No 7049 amending the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data