New EU Data Protection legislation: the reaction in full

After three years of negotiations, this week saw the European Union take the significant step of agreeing new privacy legislation – the General Data Protection Regulation (GDPR) – which will bring Europe’s ageing data privacy regulation up to date for the modern technological era.

Sanctions for failing to comply with the new requirements include fines of up to 4% of worldwide annual turnovers.  The new rules will introduce mandatory data breach notification for all, joint and several liability for suppliers (data processors); tougher restrictions on the use of profiling and the collection and use of children’s data; enhanced rights for individuals; and a requirement for most organisations to appoint a data protection officer. Plus, there will be more exacting requirements for organisations to ensure privacy by design and by default and to document their compliance with the new regime.

Unsurprisingly, this week the comments flooded in and here we bring you some of them in full.

The final text of the new Regulation now needs to be translated for formal adoption by the European Parliament and the Council in early 2016, with the new rules coming into effect two years after that in 2018.

Ross McKean, the head of Olswang’s data protection practice:

“GDPR is a paradigm change in the way that data collection and use is regulated.  We have now moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world.

“Data permeates everything that we do in our digital lives and touches all organisations.  The good news is that we have just over two years to prepare for the new regime.  However in that time, organisations will need to completely transform the way they collect and use personal information.

“This is not a compliance or legal challenge; it is much more profound than that.  Organisations will need to adopt entirely new behaviours in the way they collect and use personal information.”

Jens Puhle, Managing Director of 8MAN

“With the strict new rules on data protection agreed by the EU yesterday meaning that large firms could now see the cost of data breaches reach the billions, there should be no longer be a single organisation leaving any element of their data protection to chance. Harsh financial punishments appear to be the best way to drive home the message that data security should be at the top of the agenda for the board and extend throughout the organisation.

“Setting the appointment of a data protection officer as a rule of law will ensure that all organisations are equipped with a specialist who is constantly vigilant against threats to their data – whether it’s attacks by hackers, malicious insiders, or simple error. Firms must be able to account for the security of essential data such as customer information at all times, with complete visibility of how and when it is accessed. Investing in the latest cyber defence technology will be of little use if employees are able to steal or accidently leak data with impunity.”

Mahisha Rupan, senior associate, Kemp Little:

“For nearly twenty years, UK data protection laws have remained fairly static, even in the face of considerable technological advancements, the rise of social media and the “big data” boom. It has been widely acknowledged that the data protection laws needed to be reformed to address this gap between technology and the law. Last night’s announcement that the new EU General Data Protection Regulation has been finalised is the latest step in that process.

“This reform will have significant impact because almost all businesses collect and store personal information about customers, suppliers and service providers and employees, meaning that almost every business operating in the UK will need to take action to comply with the Regulation. Although businesses have a two year “grace period” before the data protection authorities and the courts can enforce these new data protection laws, they should be taking action now because it will take time to reform internal data protection practices and ensure that all lines of business are compliant.

“While the agreed text has not been made publicly available, it has been reported that there will be an increase in fines for breaches of data protection laws from a maximum of £500,000 in the UK to a possible 4 percent of annual global turnover. While this increase in fines will inevitably grab headlines, the day-to-day reality for businesses is more prosaic. With two years to comply, businesses should now be reviewing and auditing what kind of personal data they’re holding, including employee data, business development data and customer information. They need to develop a deep understanding of the types of data they are holding, what they’re doing with that data and why, as well as finding out if they’re sharing that data with third parties. A complete audit of data protection privacy and practices is the first step towards compliance.

“Interestingly, the regulation does not only apply to businesses based in the EU, but also to any business offering goods or services to EU citizens. The objective of this change is to ensure that EU businesses are not put at a disadvantage by being forced to operate under stricter privacy standards versus organisations based elsewhere and will help to create a more level playing field for all businesses operating in the EU.”

Phil Lee, partner in the Privacy, Security and Information group at Fieldfisher:

“This is the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years.  Forget Safe Harbor and Right to be Forgotten – this is much, much more significant.

“The rules that Europe agreed last night will shape the way that businesses around the world interact with European consumers for decades to come.  Europe has become the flag-bearer for best practice in the treatment of individuals’ data.”

Jane Finlayson Brown, partner in Allen & Overy’s data protection practice:

“Perhaps the most significant change in the new data protection framework is the fines companies could face for breach. Fines are tiered, with infringements of certain provisions (e.g. international transfers or the basic principles for processing, such as the conditions for consent) attracting fines of up to 4 per cent of worldwide annual turnover.  A lower threshold of fines of up to 2 per cent of annual worldwide turnover is set for other breaches (e.g. data minimisation). These are of course eye-watering sums.

“This new level of risk for companies catapults data protection into boardrooms. It’s not only companies in Europe that will be impacted. Data controllers or processors targeting, or simply monitoring, consumers in the EU will now be caught by the expanded territorial reach in the new regulation, no matter where they are based in the world.”

Antony Walker, deputy CEO techUK:

“The agreement reached last night on the new General Data Protection Regulation brings to an end four years of difficult negotiations on the EU’s approach to data protection. As the global economy becomes ever more data driven the significance of these new EU rules cannot be understated. techUK will be examining the final text to understand its overall coherence and how it will impact the companies large and small that are driving innovation across the EU.

“There is no doubt that in the short term innovative data driven businesses of all sizes will face more bureaucracy, more legal uncertainty and more risk. However, the big test will be whether Europe’s consumers and citizens really do feel better informed and protected as a result of the new rules and whether Europe’s businesses are able to stay at the forefront of digital innovation.  Much will depend on the implementation of the Regulation and the role that Europe’s Data Protection Authorities play in interpreting and applying the new rules. Time will tell whether this Regulation underpins or undermines Europe’s ambitions for digital growth.”