EU data protection reforms expected to be finalised on 14 April

The new General Data Protection Regulation (GDPR) (261-page / 1.31MB PDF) and a new Data Protection Directive for police and criminal justice authorities were endorsed by national governments within the EU in a vote held by the Council of Ministers.

The Council's approval of the texts means that the new laws could be finalised by the European Parliament on 14 April.

“With the European Parliament looking set to approve this package next week, and a lead time of only two years before the Regulation takes effect directly in all member states, organisations will need to start preparing now for what will be the biggest change to data protection laws in over 20 years," data protection law expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said.

The Regulation contains wide-ranging changes to EU data protection laws. Organisations will be under a greater obligation to undertake privacy impact assessments and to consider privacy when designing new products and services. Many organisations will need to appoint a dedicated data protection officer. Updated rules on data transfers will also apply.

In addition, organisations will be subject to tougher data security rules and a new data breach notification framework. Data protection authorities will be able to impose fines of up to 4% of the global annual turnover of businesses that are responsible for serious breaches of the Regulation.

Hon said the stiffer sanctions that could be levied under the new Regulation should "make data protection firmly a boardroom issue".

The GDPR will also impact on contracts between data controllers and data processors since data processors will face new obligations and potential liabilities under the new framework than they do under the existing regime, she said.

In a statement the Council of Ministers said: "The Regulation provides for a single set of rules, valid across the EU and applicable both to European and non European companies offering online services in the EU. This avoids a situation where conflicting national data protection rules might disrupt the cross-border exchange of data. It also provides for increased cooperation between member states to ensure coherent application of the data protection rules across the EU."

"With a view to reducing administrative costs, the regulation applies a risk-based approach: data controllers can implement measures according to the risk involved in the data processing operations they perform. Different businesses have different activities and the risks of such activities in terms of privacy can vary. The regulation does not set out a no one-size-fits all solution: the stronger the risks of the activities for the personal data, the more stringent the obligations," it said.

The Council also explained that a new system of enforcement would apply to data protection cases of a cross-border nature.

"To reduce costs and provide legal certainty, in important cross-border cases where several national supervisory authorities are involved, a single supervisory decision is taken," the Council said. "This one-stop-shop mechanism allows a company which is active in several member states to deal only with the data protection authority in the member state of its main establishment. This mechanism also provides for a single decision applicable to the entire EU territory in case of disputes."