Currently 28 data protection laws in 28 countries exist within the European Union. Although they are all based on the same Data Protection Directive from 1995 (95/46/CE), they could not be more different in terms of the protection they provide, owing to the different implementation in each European country. The aim of the new Data Protection Regulation is to create a uniform but high standard of protection all over Europe. The regulation will focus on reinforcing individuals' rights and will address the current lack of trust among citizens. It will strengthen citizens' rights such as the right to be forgotten, the right to data portability and the right to be informed of personal data breaches. Furthermore, it will strengthen the EU internal market, streamline international transfers and set global data protection standards with technologically neutral rules that enable innovation and remain up to date.
What does the new regulation mean for Non-European companies?
Data is the currency of today's digital economy. Collected, analyzed and moved across the globe, personal data has acquired enormous economic significance. Strengthening the European standards of data protection will create new business opportunities beyond state borders and will include more and more Non-European companies. Therefore these companies face major changes and must take account of the following three substantial innovations in their business practice:
Most important for Non-European companies will be the extended territorial scope of the new regulation. It will apply to all organizations that process personal data of EU residents. Unlike in the past, the use of equipment located within the territory of an EU Member State is now irrelevant. The focus instead will be on the targeting of EU residents. Whenever a company offers goods or services to residents, handles their personal data or monitors their behavior, it must comply with the new rules ("the same rules for all companies – regardless of where they are established"). As a result, all Non-European websites, search engines, social networks, e-commerce platforms, cloud services and apps available in the EU will be covered by the new regulation.
Moreover, instead of dealing with 28 different sets of legislation when processing such data in Europe, these companies will now have to meet only one single set of rules ("one continent – one law"). Hence the regulation will supersede national laws and the current Data Protection Directive.
The last major innovation will be the "One-stop-shop". In the past, international companies had to deal with several national authorities, and in Germany even with several state authorities. Under the new regulation, companies (European or not) will have to deal with one single national supervisory authority, based in the EU country where their main business is established. This change will especially simplify the creation of each Non-European company's Binding Corporate Rules (BCR), streamline their approval process and thus simplify the company's cross-border data flows.
What are the general obligations for Non-European companies?
As mentioned, the applicability of the regulation will lead to major changes in the practice of Non-European companies, as it may force them to comply with a wide range of privacy rules. These are their new main obligations:
- Companies have to implement appropriate technical and organizational security measures.
- If the companies handle data of more than 5000 residents within 12 months or if they handle especially sensitive data they need to appoint a European data protection officer.
- They have to produce detailed documentation on the data that is processed.
- They are required to adopt reasonable steps to implement compliance procedures and policies, which should be reviewed every two years. These procedures should include adopting privacy-by-design and privacy-by-default and promote new techniques to follow the rules of anonymization and pseudonymization.
- In case of a data breach, the companies need to notify the responsible one-stop-shop supervisory authority in the EU without undue delay ("comprehensive data breach notification").
For this purpose, the companies have to acquire detailed knowledge of the new regulation; existing security and data protection measures, policies and procedures have to be reviewed; new employees must be hired; and staff training has to be set up.
Thus, all of the named obligations require significant investment and resources and will ultimately have an impact on small businesses and their attempts to access a new market if they do not already have sufficient protection mechanisms in place.
What are the consequences in case of failure to comply?
Companies that do not comply with the new rules will be fined by the data protection authorities with up to 20 million EUR or up to 4% of their global annual turnover. In addition, compensation for non-material damage will be possible. European regulators will be equipped with strong enforcement powers; therefore companies are required to carefully review their duties.