
EU Data Protection Reform is about to happen… eventually.
Although subject to the well-known saying ‘nothing is agreed until everything is agreed’, data protection reform is slowly taking shape, and businesses should prepare themselves for what is coming, as activities which involve the processing of personal data will have to comply with the new data protection laws.
In June, the Council’s Justice and Home Affairs Committee reached an agreement on the rules concerning data transfers and on the territorial scope of the future new Regulation.
At the last meeting, held in Luxembourg earlier this month, Justice and Home Affairs Ministers reached a broader partial agreement on the wording of chapter IV of the draft General Data Protection Regulation, which includes new rules on personal data breach notifications that businesses operating in the European Union will have to comply with.
In light of the new approach, contractual freedom regarding the content of contracts between controllers and processors will be restricted, and the liability of processors towards controllers for subcontracting activities will be set out in more detail.
Additionally, pseudonymisation of personal data will be included as a technical and organisational measure to ensure an appropriate level of security.
In this context, businesses will have 72 hours to notify regulators once they become aware that they have suffered a personal data breach that “may result in physical, material or moral damage” to individuals. This covers disparate situations such as loss of confidentiality of the data, damage to the data subject’s reputation, and identity theft.
Moreover, although businesses will have to inform data subjects without undue delay of a data security breach which could severely affect their rights and freedoms, they will be exempt from this obligation when appropriate technological protection measures, namely encryption, have been implemented so that the data remains protected from access even if it is lost or stolen.
Furthermore, businesses whose processing of personal data is likely to represent a high risk for the rights and freedoms of individuals, such as the processing of health data or of personal data which can be used for profiling, will have to carry out a data protection impact assessment.
If businesses based outside the European Union process the personal data of European Union citizens, they will have to appoint a representative based in the European Union, unless the processing is occasional and unlikely to result in a risk for those citizens’ rights and freedoms.
Of course, negotiations with the European Parliament and the European Commission to finalise the instrument will only begin once a consensus on the whole draft has been reached within the Council.
If slowly is the best way to go further, we will get there… eventually.