Yesterday the European Parliament and Council announced they have (finally) agreed upon a new General Data Protection Regulation (the GDPR). This is really big news for all U.S. companies that do business in Europe or with Europeans!
The GDPR has not yet been voted into law, but the agreed-upon language is probably quite close to the final law. The International Association of Privacy Professionals (of which I'm a certified member) has published a great, concise list of the key provisions, which I commend to you:
• The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered.
• Notification of a data breach that creates significant risk for the data subjects involved must be made within 72 hours of the discovery of the breach.
• New powers are provided to data protection authorities, including the ability to fine organizations up to four percent of their annual revenue.
• Many organizations will now be required to appoint a data protection officer.
• Personal data may only be collected for “specified, explicit and legitimate purposes.” The text also introduces principles of “data minimization,” “accuracy,” “storage limitation” and “integrity and confidentiality.”
• The GDPR requires “accountability,” which means the “controller shall be responsible for and be able to demonstrate compliance” with the law.
• Processing of data will only be allowed with explicit consent, to perform a contract, to comply with a legal obligation, to protect the vital interests of the data subject, or to perform a task in the public interest.
• That consent has to be demonstrable upon demand and can be retracted by the data subject at any time.
• There will still be variation from member state to member state.
• Children under the age of 16 will need to get parental approval to give consent unless the member nation passes a law to lower the age no lower than 13.
• Special categories of personal data are established that include genetic, biometric, health, racial and political data, among others.
• Data controllers have to provide any information they hold about a data subject free of charge and within one month of request.
• A “right to erasure” is established, where controllers are required to delete personal data...even if the data has been made public already.
The next legislative step is for the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) to vote on the text tomorrow (December 17), and if it passes, the full Parliament is expected to vote in January.
There is much more to come on this very significant development. I will be sharing commentary on Twitter (@MattCordell and @PrivacyLawNC) and on LinkedIn as I come across it.