Regulation (EU) 2016/679: how the European personal data protection landscape will change
After four years of troubled negotiations, on 4 May 2016 the new Regulation (EU) 2016/679 on personal data protection was published in the Official Journal of the European Union. The Regulation replaces Directive 95/46/EC and reforms data protection rules in the European Union, introducing several key changes directly applicable to all Member States from 25 May 2018; this is, in itself, a significant novelty.
Below is a brief summary of the most significant changes introduced by the Regulation.
The scope of application of the European data protection legislation is broadened: the new Regulation, in fact, shall also be applied to data controllers established outside the Union when data processing, aimed at offering them goods and/or services or at monitoring their behaviour concerning data subjects established in the Union. This innovation will particularly affect non-European Internet service providers.
The requirements to obtain valid consent become stricter: in particular, to be valid, consent must be given by a clear affirmative act. Thus, silence, pre-ticked boxes or inactivity cannot constitute valid consent. Furthermore, data subjects may always revoke their consent to data processing without any limitation.
Right to be forgotten (i.e. the right of data subjects to obtain the definitive deletion of their data processed and stored by data controllers) and the right to data portability from a data controller to another one are now expressly provided for.
Principles of data protection “by design” and “by default” are introduced. The latter consist of the duty for the data controller to, respectively, properly protect personal data at the time of their collection and during the whole duration of the processing, and to only use data collected for purposes for which data subjects have given their consent and not beyond the minimum necessary time for the achievement of those purposes.
Data controllers shall carry out a “data protection impact assessment” when the data processing at issue is likely to result in a high risk to subjects’ rights and freedoms and they shall maintain records of processing activities under their responsibility.
As soon as they become aware that a personal data breach has occurred, data controllers shall notify the national supervisory authority and/or data subjects of the data breach at issue.
The new role of the data protection officer is introduced for public entities and for private entities that process special categories of data (for instance, sensitive data) or whose data processing consists in the regular and systematic monitoring of data subjects on a large scale. Data protection officers are data protection law and practices experts – employees of the data controller or outside consultants – who shall inform and advise the data controller of its obligations pursuant to the Regulation, monitor its compliance with the latter, provide the abovementioned data protection impact assessments and liaise with data subjects and with the DPA.
Data controllers and processors can obtain a certification from credited certification bodies or by the competent supervisory authority demonstrating the compliance of their data processing with the Regulation.
Penalties become significantly stricter: infringements of the Regulation’s provisions, in fact, are subject to administrative fines up to € 20.000.000, or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year.