Publication of the European General Regulation on Data Protection and parallel Directives
On May 4, having been several years in the making, the Official Journal of the European Union finally published the regulatory instruments forming the new European framework for personal data protection, namely:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data repealing Directive 95/45/EC.
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
The European General Data Protection Regulation is the most significant legislative milestone in terms of privacy and personal data protection implemented in Europe in the last 20 years, replacing (and repealing) Directive 95/46/EC. As a European Regulation, it is directly applicable to all Member States without any need to be transposed, although given the tremendous importance of the amendments which will be necessary, the regulation has established that compliance will only be compulsory from May 25 2018, (despite the fact that the Regulation will enter into force 20 days after its publication).
The Regulation's entry into force will also be a decisive step in unifying the criteria and requirements that different Member States have been applying hitherto in respect of personal data processing.
During the first two years before the law becomes compulsory, Member States will need to take the appropriate measures to adjust their national laws to the new regulations. Furthermore, in those two years, the content of the Directives, jointly published alongside the Regulation and which complete the new regulatory framework for privacy in Europe, will need to be transposed to national laws.
In turn, businesses and professionals will also have the arduous task of updating their organisations in order to adapt to the requirements of the new Regulation, which entails not only cosmetic or formal changes, but also in some cases significant transformations in terms of organizational, operational and procedural changes. Thus, among other aspects, there will be tougher obligations regarding provision of information to data subjects, the figure of the Data Protection Officer is created within the company with extremely high level of rank and responsibility, obligations are imposed in the event of breach of data security, and there will be a requirement to assess the impact of privacy on implementing and developing new products and services.
The Regulation will apply to all European companies, but also those businesses which, although they are established outside the EU, carry out activities involving personal data processing within the Union, irrespective of whether or not they have a physical presence in European territory.
Finally, penalties are considerably increased and may amount to up to 20,000,000€ or 4% of the volume of total annual overall turnover of the previous financial period, applying the larger of the two.
We have just entered into a complex transitory period on the path towards a new common framework in matters of data protection, which affects not only those subject to the regulation but also Spanish legislators and the Spanish Data Protection Agency.