EU Data Protection reform on its way


Last week, on 15 June 2015, the Council of the European Union reached a general approach on the EU General Data Protection Regulation (GDPR). The general approach of the Council was long-awaited as the European Commission gave its initial proposal for GDPR already in January 2012.

The trilogue negotiations between the Council, European Parliament and the Commission commenced this week, and the aim is to finalize the negotiations by the end of 2015. The GDPR would consequently come into effect after a two-year period following the finalization of the negotiations and adoption of the GDPR. Therefore, it seems likely that the GDPR will enter into force already in late 2017 or early 2018.

The GDPR will undoubtedly be the biggest thing that has happened in the field of data protection law since the current Data Protection Directive was adopted in 1995. Rapid technological development and the digitalization of society have driven the need for an updated EU-wide data protection legislation as personal data has become increasingly important to industries across the spectrum. Simultaneously, the need for strengthened data protection rights of individuals has been recognized.

The GDPR has, however, proven to be extremely controversial among different stakeholders and, hence, the forthcoming negotiations are expected to be challenging. The final provisions of the GDPR are still subject to change in the negotiations but some conclusions can be drawn at this stage:

  • The GDPR will increase the level of harmonization of data protection laws in the EU as the GDPR will be directly applicable in all EU member states. The member states have implemented the current Data Protection Directive in various ways which has caused ineffectiveness in the internal market of the EU. As an example, Finland, contrary to most EU member states, has a specific statute regulating the processing of personal data in the employment context. The GDPR is not likely to fully harmonize the member states’ data protection legislation since it is presumable that the GDPR will allow member states to pass their own legislation on certain specific data processing areas.
  • The territorial scope of the EU data protection legislation will be broadened as also companies domiciled outside of the EU will have to comply with the GDPR when they are offering goods or services in the EU.
  • New obligations are set for data controllers and processors, such as a duty to notify the supervisory authority about personal data breaches within 72 hours after having become aware of the breach, as well as an obligation to conduct a data protection impact assessment when the processing activity in question is subject to a high risk to the rights and freedoms of individuals.
  • The sanctions for non-compliance with the GDPR will be substantial. According to the most extreme suggestion made by the Parliament, the supervisory authority could impose a fine up to EUR 100 000 000 or 5% of the total worldwide annual turnover of an undertaking that breaches the GDPR. This will be a significant change in many member states – including Finland – where the local data protection authority does not currently have the power to impose fines.

Especially companies and organizations processing a multitude of personal data should thoroughly evaluate the foreseeable impacts of the GDPR in their activities already now. Moreover, it is essential for all entities that process personal data to note the importance of data protection compliance and take necessary steps in order to ensure compliance with the GDPR upon its adoption.

Tanja Jaatinen
Associate, Avance Attorneys Ltd

Tanja is an associate lawyer at Avance Attorneys specializing in data protection and privacy law. Tanja was appointed the secretary of the Finnish Data Protection Board on 10 June 2015. The Data Protection Board is an independent authority and the most important decision-making agency in personal data matters in Finland.