After many years of negotiations, on 27 April 2016, the European Regulation concerning the protection of individuals in respect of the processing of personal data and the free movement of this data (hereafter, "the Regulation"), has finally seen the light of day.
This approval came at almost the same time as the vote by the United Kingdom on 23 June in favour of their exit from the European Union, which as we shall see may have an important effect as regards data protection.
Let us first see what are the principal new elements introduced by the Regulation, which will not come into force until 25 May 2018, until which time the current rules regarding data protection will continue to apply.
- Data protection representative ("DPO"): all public bodies must have such a person, and must private companies that carry out large scale regular and systemic monitoring of data or that process particular classes of data, such as for example data relating to health. With regard to his duties, they will consist of advising on and supervising the compliance by the entity as regards data protection, the preparation of reports assessing the impact of specific types of data processing on personal data and cooperation with the supervisory authorities.
- Enhanced consent: the Regulation introduces greater demands upon the data protection representative at the time of obtaining the consent of those concerned, even doing away with the implied consent that is acceptable under the current rules.
- File registration: the obligation to register files containing personal data with the relevant data protection authority is discontinued: nevertheless, there will be a duty to maintain a written register of all the personal data processing performed.
- Reporting data breaches: this point establishes the obligation to report breaches which may occur, stating that the data processing representative is obliged to notify the relevant data protection authority and the individual affected at the latest 72 hours after becoming aware of the breach. Undoubtedly, in our view, this is one of the flagship measures as regards compliance, since it will force entities to have in place permanent and coordinated active legal and technical response mechanisms which also cover information media, on a permanent and coordinated basis.
- Penalties: the penalties are substantially increased up to the sum of 20 million euros or the equivalent of 4% of the annual worldwide turnover of the business for the previous financial year at the time that the breach occurs.
- Application: the application of the general data processing Regulation has been extended: the Regulation will not only apply to companies established in the European Union, but also to data processing by companies resident in the Union through a representative or manager not resident in the European Union, when the data processing activities are related to the offer of goods or services to interested parties in the Union, or who are in charge of how it is conducted, to the extent that this takes place in the European Union.
- Right to privacy: the Regulation introduces the concept of the right to erasure, better known as the right to privacy, namely the right of individuals concerned to restrict the dissemination of their personal data on search engines.
Ultimately the new Regulation should involve a further step towards European harmonisation as regards data protection, and therefore in the free movement of data on a European level.
But this aim may be sharply affected, as we said, as a result of the United Kingdom's vote in favour of their exit from the European Union, the famous Brexit.
Indeed, once the departure of the United Kingdom from the EU is complete, the Union's treaties with the United Kingdom will be suspended, and, therefore, the free movement of data will also be suspended.
What we mean is that it is highly likely that on leaving the European Union the United Kingdom will become a country without an equivalent level of data protection to that of Europe, and it will have to begin the process by which the European Commission will once again recognise it as a country with a comparable level of protection. The process is neither speedy nor simple; in fact, it could take years.
Under this scenario, the transfer of data between the United Kingdom and the other European Union countries will become more complicated, since these transfers will be considered to be international transfers of personal data whose requirements are far stricter than those applicable to the movement of data within the European Union or between countries with a comparable level of protection. And in this regard, reports have already been published about telecommunications companies who are considering transferring their head offices from the United Kingdom to an EU country in order to avoid these complications. They will undoubtedly be the first of many to do so.
Thus, the entry into force of this new Regulation shall certainly be affected by the exit by the United Kingdom from the European Union, thereby necessitating the regulation of the movement of data to and from the United Kingdom and the European Union. This is not a trivial issue, and it will be advisable to deal with it with the aim of arriving at the date when the Regulation comes into force with a gradual and well-organised compliance process, that will increase, without doubt, the legal and operational security of all entities, especially in the context of the actual exit of the United Kingdom from the European Union.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.