Following more than two years of consultations and intense speculation in recent weeks, the European Commission today proposed comprehensive measures to reform the European data protection framework.  We currently are analysing the proposed reforms in detail, but it appears that the proposal for a General Data Protection Regulation largely mirrors earlier leaked drafts. 

For example, key measures include:

  • One law.  The proposed law will take the form of a Regulation that will apply across all EU Member States. 
  • Application to EU and non-EU companies.  In addition to EU based companies, the new Regulation will apply to non-EU companies that either process data of individuals residing in the EU to whom they offer goods or services, or whose activities serve to monitor the behavior of such individuals.  This replaces the current “making use of equipment” test with a new “targeting” test.
  • “One-stop-shop” for EU data controllers — but not for non-EU controllers.  EU data controllers will be supervised by the data protection authority of the Member State where the controller’s “main establishment” is based.  Non-EU based controllers must designate a representative in one of the Member States where they target data subjects, but it appears that this representative may be addressed by “any supervisory authority”. 
  • Broader concept of “personal data” and new definitions.  The definition of “data subject” is expanded to cover anyone who can be identified (directly or indirectly) by the controller directly or “any other natural or legal person”.  Identification may occur by reference to an “identification number, location data, online identifier” or other factors.  The Regulation also introduces a host of new definitions, including ones for “personal data breach”, “biometric data”, “genetic data”, “main establishment”, and “child” (defined as any person under the age of 18).
  • Data transfers.  The existing EU restriction on data transfers to countries that do not offer adequate protection remains in place.  However, the use of standard contractual clauses will no longer be subject to prior authorization or approval by data protection authorities.  Also, the adoption of binding corporate rules (BCRs) would be made easier, and the regime would be extended to data processors; an entire section is devoted to BCRs.  The draft Regulation retains the original derogations for transfers to third countries, such as consent, but adds a new derogation for occasional or limited transfers that are necessary for the legitimate interests of a data controller.
  • Legitimate bases to process data and specific rules on consent.  Similar to the existing rules, lawful processing may be based on several grounds, including consent, and where processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation to which the controller is subject, and for the purposes of the legitimate interests of a controller.  The draft law now contains a stand-alone section on consent, however, which is defined as any “freely given specific, informed and explicit indication of will”.  Consent cannot be used as a legal basis for processing personal data where “there is a clear imbalance between the data subject and the controller”, and controllers will have the burden of proving that individuals have consented to processing.  Further, consent will not provide a valid legal ground “where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment”. 
  • Children.  The processing of personal data of a child below the age of 13 years shall only be lawful if consent is given or authorised by the child’s parent or custodian. Controllers will have to make reasonable efforts to obtain verifiable consent, “taking into consideration available technology”.
  • New rights for individuals.  The draft contains a new “right to be forgotten” that imposes a specific obligation on a controller to erase certain data, and to take steps to erase links to that data where the controller has made the data public.  A new data portability right will enable data subjects to obtain a copy of their data from a data controller in a format that “is commonly used” and “allows for further use by the data subject”.  Individuals also will have the right to transfer certain data in a format that can be used in a different service.  The Commission reserves the right to specify the electronic format and technical standards to enable such transmission.
  • Breach notification.  The draft Regulation, as was expected, introduces a comprehensive breach notification regime.  It specifies that data controllers must notify any data breach to the supervisory authority “without undue delay and, where feasible, within 24 hours”.  Controllers also must notify individuals whose personal data could be “adversely affected” — e.g., if it “could result in identity theft or fraud, physical harm, significant humiliation or damage to reputation” — without undue delay, unless the controller can demonstrate, to the satisfaction of the supervisory authority, that they have implemented appropriate technological protection measures. 
  • Mandatory Data Protection Officer.  Organizations employing 250 persons or more must designate a data protection officer.
  • Sanctions.  The draft Regulation contains an elaborate section on administrative sanctions.  Mirroring sanctions for violations of EU competition law, each competent authority would now have the power to impose administrative sanctions and to tailor these sanctions according to a company’s annual worldwide turnover.  For certain types of intentional or negligent violations, supervisory authorities will be able to impose fines of between 250,000 and 1,000,000 Euros, or up to 2% of an enterprise’s annual worldwide turnover.
Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.