EU Reaches Agreement on Final Text for General Data Protection Regulation
Client Alert | 3 min read | 12.16.15
After almost four years of negotiation, European Union negotiators on December 15 reached consensus on the final text of the new EU Data Protection Regulation. The new Regulation will replace the EU's now over 20-year-old Data Protection Directive (95/46/EC) and seek to harmonize privacy legislation among the 28 EU Member States.
Negotiators were finally able to reach a compromise on several issues that have been the subject of lengthy debate. Most notably, the new Regulation will set the maximum corporate fine for privacy violations at four percent of a company's global revenue. According to Jan Philipp Albrecht, the European Parliament's lead negotiator, this "could imply billions of euros for the major global online corporations" if they violate the Regulation. In addition, on the issue of consent, Albrecht said that negotiators agreed that data subjects "will have to give explicit consent for their data to be used." Lastly, companies will be obligated to appoint Data Protection Officers "if they are handling significant amounts of sensitive data or monitoring the behavior of many consumers," which implies that the amount of data being processed, not the number of employees (as previously proposed by the Commission), will be decisive.
Other aspects of the new Regulation, which had already been broadly agreed upon, are included, such as the provisions around data portability, the data breach notification requirement and the introduction of a "one-stop-shop" system. The latter will ensure that companies only have to deal with one Data Protection Authority, while at the same time EU data subjects can file complaints with their own national Data Protection Authority, which will cooperate with other concerned authorities to resolve the complaint.
The much-debated "Right to be Forgotten" is also included in the Regulation. It will enable data subjects to request the deletion of their data once they no longer want it to be processed, provided that there are no legitimate grounds for retaining it.
One surprise issue that arose late in the negotiations is parental consent for the processing of children's data. While the European Parliament had originally proposed an age threshold for valid consent without parental agreement of 13 years (the current standard), the Council opposed this. As a result, it will now be up to each Member State to set its own age for online consent, in a range from 13 to 16.
In a press release, the European Commission stressed the new advantages of the Regulation, promising EU data subjects more control over their own data and more information on how their data is being processed. The Commission also explained that for companies, the Regulation should bring "clear modern rules," which aim to encourage innovation and create business opportunity. One example is the new "risk-based approach," which is expected to enable the infusion of data protection safeguards into products and services from the earliest stage (Privacy by Design) and the support of privacy-friendly techniques such as pseudonymization. Measures such as these are expected to reduce companies' compliance costs by an estimated EUR 2.3 billion per year.
The Commission added that the Regulation would also ensure that "companies based outside of Europe will have to apply the same rules when offering services in the EU."
The agreement on the text of the draft EU Data Protection Regulation is still provisional and will now be subject to a ratification vote in the Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE), which will take place on December 17. The Council of the European Union, consisting of all EU Member States, must also formally approve the text. If the full Parliament vote is completed in early 2016, companies will have two years, until early 2018, to comply.
In the months to come, Crowell & Moring will provide further and more detailed guidance on these important developments, which will affect any company doing business in Europe or merely offering goods and services to individuals in Europe. We will hold a seminar on this subject in the next few months, for which you will receive an invitation soon.



