The European Commission introduced the draft General Data Protection Regulation (GDPR) in January 2012. The GDPR seeks to harmonize legislation across the EU member states, replacing the 1995 EU Directive and the varying national laws that have implemented this Directive.
The European Parliament formally adopted its compromise text for the proposed GDPR back in March 2014. The Council of Ministers is expected to adopt its general approach to the Regulation during its June 15/16 meetings in Luxembourg. If it does so, the first meeting for the so-called “trilogue” negotiations between the Commission, the Parliament and the Council with a view to agreeing on a final text for the GDPR is scheduled for June 24. It is expected that, if all goes well, these negotiations will continue until the end of the year. Even after that, the new rules will only become effective two years later — so at the earliest by the end of 2017.
Because so many stakeholders have been negotiating the draft GDPR for more than three years now, various components of the draft have reached a wider audience, notably national decision makers.
That is also why, although we may have to wait for quite some time before new EU rules become effective, we are increasingly seeing national legislators introduce the new concepts and obligations themselves, without waiting for the GDPR. This trend is also driven by recent events such as the Snowden revelations and the issues around the Facebook social plug-ins.
A recent example is the decision of the Dutch Senate, on May 26, 2015, to approve the amendment of the Dutch data protection Act by:
(i) introducing data breach notification duties; and
(ii) increasing the enforcement powers of the Dutch Data Protection Authority.
These additions are clearly inspired by the data breach notification duties and the increased enforcement powers in the draft GDPR.
The new Dutch data breach notification duties oblige data controllers to notify the Dutch Data Protection Authority forthwith if a data breach results in “a considerable chance for seriously disadvantageous consequences,” or has “seriously disadvantageous consequences for the protection of personal data.” The data subject should also be informed forthwith if the breach “possibly will have disadvantageous consequences for his private life.” Certain exceptions to the notification duty exist.
With respect to the increased enforcement powers, under the modified Data Protection Act the Dutch Data Protection Authority will have the power to impose fines of up to 810,000 Euro (as compared to the current maximum of 4,500 Euro), although in principle a warning must be given first.
The date of entry into force of the modified Dutch Data Protection Act still has to be set down by royal decree. It is also likely that the Dutch Data Protection Authority will adopt guidelines on how these new rules will be enforced (for example, when is there “a considerable chance for seriously disadvantageous consequences”?). So this is something to watch closely.
In Belgium, our Secretary of State, Mr. Tommelein, has announced that after the summer, he too will file a proposal to modify the existing Belgian Data Protection Act. The changes should also allow the Belgian Data Protection Authority to impose fines (a power that it currently does not have) in case of violation of the Belgian Data Protection Act (again, prior warnings would be the rule). Amounts similar to the maximum amount in the Netherlands (810,000 Euro) have been mentioned. The new legislative proposal will also include obligations for companies and authorities to report data breaches similar to those that have been adopted in the Netherlands. Again, this is something to watch for.
These are only some examples of how the mere existence of, and debate around, the draft GDPR are already changing the data protection landscape.