Following more than two years of consultations and intense speculation in recent weeks, the European Commission today proposed comprehensive measures to reform the European data protection framework.  We currently are analysing the proposed reforms in detail, but it appears that the proposal for a General Data Protection Regulation largely mirrors earlier leaked drafts. 

For example, key measures include:

  • One law.  The proposed law will take the form of a Regulation that will apply across all EU Member States. 
  • Application to EU and non-EU companies.  In addition to EU based companies, the new Regulation will apply to non-EU companies that either process data of individuals residing in the EU to whom they offer goods or services, or whose activities serve to monitor the behavior of such individuals.  This replaces the current “making use of equipment” test with a new “targeting” test.
  • “One-stop-shop” for EU data controllers — but not for non-EU controllers.  EU data controllers will be supervised by the data protection authority of the Member State where the controller’s “main establishment” is based.  Non-EU based controllers must designate a representative in one of the Member States where they target data subjects, but it appears that this representative may be addressed by “any supervisory authority”. 
  • Broader concept of “personal data” and new definitions.  The definition of “data subject” is expanded to cover anyone who can be identified (directly or indirectly) by the controller directly or “any other natural or legal person”.  Identification may occur by reference to an “identification number, location data, online identifier” or other factors.  The Regulation also introduces a host of new definitions, including ones for “personal data breach”, “biometric data”, “genetic data”, “main establishment”, and “child” (defined as any person under the age of 18).
  • Data transfers.  The existing EU restriction on data transfers to countries that do not offer adequate protection remains in place.  However, the use of standard contractual clauses will no longer be subject to prior authorization or approval by data protection authorities.  Also, the adoption of binding corporate rules (BCRs) would be made easier, and the regime would be extended to data processors; an entire section is devoted to BCRs.  The draft Regulation retains the original derogations for transfers to third countries, such as consent, but adds a new derogation for occasional or limited transfers that are necessary for the legitimate interests of a data controller.
  • Legitimate bases to process data and specific rules on consent.  Similar to the existing rules, lawful processing may be based on several grounds, including consent, and where processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation to which the controller is subject, and for the purposes of the legitimate interests of a controller.  The draft law now contains a stand-alone section on consent, however, which is defined as any “freely given specific, informed and explicit indication of will”.  Consent cannot be used as a legal basis for processing personal data where “there is a clear imbalance between the data subject and the controller”, and controllers will have the burden of proving that individuals have consented to processing.  Further, consent will not provide a valid legal ground “where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment”. 
  • Children.  The processing of personal data of a child below the age of 13 years shall only be lawful if consent is given or authorised by the child’s parent or custodian. Controllers will have to make reasonable efforts to obtain verifiable consent, “taking into consideration available technology”.
  • New rights for individuals.  The draft contains a new “right to be forgotten” that imposes a specific obligation on a controller to erase certain data, and to take steps to erase links to that data where the controller has made the data public.  A new data portability right will enable data subjects to obtain a copy of their data from a data controller in a format that “is commonly used” and “allows for further use by the data subject”.  Individuals also will have the right to transfer certain data in a format that can be used in a different service.  The Commission reserves the right to specify the electronic format and technical standards to enable such transmission.
  • Breach notification.  The draft Regulation, as was expected, introduces a comprehensive breach notification regime.  It specifies that data controllers must notify any data breach to the supervisory authority “without undue delay and, where feasible, within 24 hours”.  Controllers also must notify individuals whose personal data could be “adversely affected” — e.g., if it “could result in identity theft or fraud, physical harm, significant humiliation or damage to reputation” — without undue delay, unless the controller can demonstrate, to the satisfaction of the supervisory authority, that they have implemented appropriate technological protection measures. 
  • Mandatory Data Protection Officer.  Organizations employing 250 persons or more must designate a data protection officer.
  • Sanctions.  The draft Regulation contains an elaborate section on administrative sanctions.  Mirroring sanctions for violations of EU competition law, each competent authority would now have the power to impose administrative sanctions and to tailor these sanctions according to a company’s annual worldwide turnover.  For certain types of intentional or negligent violations, supervisory authorities will be able to impose fines of between 250,000 and 1,000,000 Euros, or up to 2% of an enterprise’s annual worldwide turnover.
Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.