Businesses that operate in the European Union (EU) may soon face a new set of data protection regulations. High-level discussions about a proposal to consolidate all individual EU-member nations’ data protection regulations into a single EU law are set to restart this month. If those negotiations are successful, the legislation could be approved by the end of the year.
Known as the General Data Protection Regulation (GDPR), this law would be directly applicable to each of the EU’s member states. Prior to this point, since 1995, the EU has operated under a Data Protection Directive, a much less defined system of privacy protection. A “directive” simply instructs member states to pass laws to achieve certain common goals, but does not mandate a particular approach.
Proponents of the GDPR say that it will create a unified and consistent legal regime concerning data protection within the EU. They argue that a streamlined regulatory system will facilitate economic growth throughout the region and have far-reaching effects on the global economy.
The European Commission first released a proposal for a legislative framework in January 2012. The European Parliament voted in favor of reform measures in March 2014. EU procedural rules require that both the European Parliament and the Council of the European Union jointly adopt a proposed regulation, which means that the current draft may be altered before its final enactment.
The final law would almost certainly apply to all businesses that provide goods or services within the EU, no matter where a business is based. Heiko Maas, the German Minister of Justice and Consumer Protection, recently stated that the effects of data breaches on European citizens are not confined to national boundaries, so it is only fair that companies operating within the EU be subject to any European data protection law.
While ultimate passage is highly likely, it is not inevitable. A group of Google executives met in Spain last week to discuss implementation of a ruling by the Court of Justice of the European Union regarding the “right to be forgotten.” Google and other corporate and governmental bodies (including the government of the U.K.) oppose the concept of a “right to be forgotten,” and vociferously oppose its inclusion in the current GDPR draft regulations.
It is unclear whether opposition to this single provision would be enough to derail the entire GDPR process, but Europe’s trade partners and professional services experts aren’t betting on it. Already, market participants are preparing for the big change. Some insurance industry experts, for example, are studying the potential for offering coverage for non-criminal privacy-related fines that the GDPR is expected to establish.
Some of the key changes that the draft regulation sets out are:
- Increased Fines: There will be significant increases in potential fines for data breaches, as the draft regulation prescribes a maximum fine of 2% of the offending organization’s global revenues.
- Data Breach Notification: In the case of any data breach, the data controller will be required to notify the supervisory authority and individual whose data was breached without undue delay and, where feasible, within 24 hours.
- Data Protection Officer: Businesses of a certain size will be required to hire a data protection officer, who will need to be an expert in data protection law and practice.
- Rights for Individuals: The current version of the regulation also establishes the “right to be forgotten,” which allows people who are mentioned in data to obtain the erasure of that data and prohibits further dissemination of such data once the person exercises their right.
For a look at a draft of the GDPR, please see here.
Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.
