Agreement reached on EU data protection reform
The European Commission, Parliament and Council have announced that they have reached political agreement on the content of the General Data Protection Regulation (“the Regulation”), which will establish the basis for a centralised, one-stop shop for data protection law in Europe. This will effectively replace the UK’s current legal regime for data protection in the Data Protection Act 1998.
According to the Commission, the new Regulation will enable people to control their personal data and allow businesses to cut red tape (although commentators have heavily criticised these claims). The Commission has been keen to promote certain of the measures to be introduced, including:
- a requirement not only to comply with data protection principles (as existed previously) but to be able to prove compliance;
- the scrapping of the requirement for companies to register with the Information Commissioner’s Office (“ICO”);
- abolition of the £10 data subject access request fee, except where requests are manifestly unfounded or excessive, in which case a reasonable fee can be charged;
- a requirement for businesses whose processing activities are high risk (e.g. carrying out large-scale processing operations, scrutinising specific individuals’ data, and/or monitoring publicly accessible areas on a large scale) to carry out impact assessments; and
- a requirement for businesses to appoint a data protection officer if their core activities include the carrying out of regular, systematic, large-scale data monitoring or large-scale processing of sensitive data.
The maximum penalty for businesses that breach the new legislation has been increased radically. The Regulation sets out a scale of penalties, with the most serious offences attracting a penalty of up to 4% of annual worldwide turnover or €20,000,000, whichever is greater.
It is expected that the final text of the Regulation will be formally adopted at the beginning of 2016 and come into force two years after that. In the meantime, the Commission will work closely with the ICO and other EU countries’ data protection authorities to ensure a uniform application of the new rules across the digital single market.
Although headlined as a one-stop shop, that is not the case in the employment context. The Regulation allows Member States to provide for more specific rules on the processing of personal data. Employers operating in more than one Member State will still need to go beyond the Regulation and check the law in the countries in which they operate.