The General Data Protection Regulation (GDPR), the successor to the 1995 Data Protection Directive, was first proposed by the European Commission three-and-a-half years ago, and after various rewrites in EU parliament chambers, now appears to be on the home straight to becoming law.
Yesterday, 28 ministers in the Justice Council agreed to adopt a “general approach” on the Commission's proposal on the regulation.
“Trilogue negotiations with the Parliament and the Council will start in June; the shared ambition is to reach a final agreement by the end of 2015,” read a press release announcing the news.
Key features of the regulation include the ‘One Stop Shop’ rule, under which a company operating across the EU deals with a single lead data protection authority and a single set of rules rather than 28 national regimes, the right to data portability and the ‘right to be forgotten’, although the Council notes that the latter is “not an absolute right”.
Meanwhile, the Council's view is that data breach fines should be capped at two percent of global annual turnover (or a maximum of €1 million), rather than the European Parliament's earlier position that they should go up to five percent (or €100 million). If the cap were set at two percent, it would be good news for the ICO, which recently hinted it has no intention of handing out huge fines.
Elsewhere, the GDPR stipulates that data breaches will need to be reported to the regulator within 72 hours, large firms will need to appoint data protection officers, and all the proposals will apply to non-EU companies that offer services to EU customers.
Andrus Ansip, vice president for the Digital Single Market, said: "I feel very encouraged by this positive step towards improved and harmonised data protection rules. Data Protection is at the heart of the Digital Single Market; it builds a strong basis to help Europe make better use of innovative digital services like big data and cloud computing."
Vera Jourová, commissioner for justice, consumers and gender equality said: "Today we take a big step forward in making Europe fit for the digital age. Citizens and businesses deserve modern data protection rules that keep pace with the latest technological changes. High data protection standards will strengthen consumers' trust in digital services, and businesses will benefit from a single set of rules across 28 countries. I am convinced that we can reach a final agreement with the European Parliament and the Council by the end of this year."
William Long, partner at Sidley Austin, said in an email to SCMagazineUK.com: “Europe's Council of Ministers has agreed to a proposed EU Data Protection Regulation that, if adopted, will have a very significant impact on businesses in the EU and those internationally, including in the US, that do business in the EU.
“This regulation has a raft of new requirements, such as appointing data protection officers, and new rights, including a right of erasure, as well as fines for non-compliance of up to 5 percent of annual worldwide turnover (gross revenue).
“Negotiations will now commence between the Council, the Commission and the European Parliament and the Regulation is widely expected to be adopted by the end of 2015 or early 2016.”
Others, though, remain unconvinced of the changes. The UK's justice minister Lord Faulks QC was one of many ministers to express reservations, saying the UK government had concerns over the “practical applications” of the regulation – like the one-stop shop DPA idea – while other experts have told SC that the changes are “commercially untenable”.
“This agreement is quite simply a brazen effort to destroy Europe's world leading approach to data protection and privacy,” added Joe McNamee, executive director of European Digital Rights.
“The Council position is a mixture of reckless disregard for citizens' fundamental rights and pandering to special interests that led to draft legislation where the number of exceptions is higher than the total number of articles in the previous Directive,” McNamee said.
The group added that, far from modernising data protection law, the changes had actually “weakened” it. Both EDRi and Privacy International said there are 48 exceptions under which member states can make their own rules.
The changes are cause for concern for CISOs and IT security teams. A study last year from security vendor Trend Micro indicated that only half of UK IT security teams were aware of the proposed changes, compared to 87 percent in Germany and 65 percent in France.
And at the start of 2015, FireEye found that more than a third of IT security teams were unprepared for the GDPR and the Network and Information Security (NIS) directive. Thirty-nine percent of organisations in the UK, Germany and France admitted to having no defensive measures in place, while only two-thirds said that their firm fully understood the impact of the proposed regulations.
Rowenna Fielding, information governance manager at the Alzheimer's Society, told SC: “I think it's likely that there will need to be a lot of planning and resources needed to meet the new requirements, and the longer that business puts off this activity, the more risk they are incurring when this becomes law.
“However, the likelihood of regulators being able to detect and react to infringements unless [incidents are] self-reported is low, and especially since the funding of regulators is still in question.
“IT teams can only deliver what business directs and resources them to be able to deliver, so it lies with senior decision-makers to meet this challenge.”
Chris Gould, partner and cyber-crime lead at EY, added in an email to SC: “Although these regulations will require a joined-up approach across an organisation, the need to report the nature and scale of the data breach within 24 hours [as is currently being recommended by the European Parliament - Ed], as well as providing guidance to the regulator about whether there were ‘appropriate technical protection measures' in place to prevent the breach, will have a significant impact on IT security teams.
“Organisations therefore will need to be able to look at their forensic capabilities so they can understand and quantify the scale of a data breach before responding to the regulator. This will avoid over or under reporting of the issue and hence the level of penalty.
“A judgement call will also need to be taken on what constitutes appropriate technical protections. Some countries have already enacted specific legislation regarding this. Russia, for example, has a federal law on privacy backed up by detailed minimum technical requirements. The EU approach has been more risk based and allows organisations to select what they feel is the most appropriate form of protection for their data.
“We know that breaches happen even in organisations with strong security controls, so pro-active threat intelligence will be necessary as part of a defence in depth strategy and this is an area where I feel many organisations are just starting to dip their toes into the water.”