New EU Data Protection and Cybersecurity Laws Finalised

December 23, 2015

The General Data Protection Regulation places new obligations on businesses to protect personal data with high financial penalties for noncompliance.

The European Commission has confirmed that the new General Data Protection Regulation (the Regulation) has been finalised, almost four years after the first draft was published. The Regulation, together with a new Data Protection Directive that deals with the police and criminal justice sector and a new Network and Information Security Directive (the NIS Directive), will strengthen the foundations on which Europe will build its Digital Single Market. The European Parliament is due to formally adopt these laws in early 2016.

Andrus Ansip, the Vice President for the Digital Single Market, has said that the Regulation will “remove barriers and unlock opportunities . . . with solid common standards for data protection, people can be sure they are in control of their personal information.” He also said that “the Internet knows no border—a problem in one country can have a knock-on effect in the rest of Europe. That is why we need EU-wide cybersecurity solutions.”

The Regulation will become effective two years after it is approved (this approval is expected in early 2016), and the EU member states will need to pass laws that implement the NIS Directive 21 months after it is approved (also expected in early 2016).

The Key Provisions

Increased Data Protection Rights for Individuals

Individuals will be required to give informed, freely given and express consent to the processing of their personal data. Businesses must demonstrate that such consent was provided if consent is challenged as being invalidly given. The right to opt out of marketing data must also be available at the time of the marketing communication.

Individuals will have greater rights to access their data and transfer the data from one service provider to another. Businesses will have to prepare for these expanded rights and also have procedures in place for individuals who exercise their rights to erase personal data (often referred to as the “right to be forgotten”).

Businesses will need to build privacy safeguards in their technology and actively factor privacy considerations into the design and upgrade of systems that hold personal data (“privacy by design”). Privacy-safeguarding default settings will need to be implemented to allow users to reduce privacy controls, if preferred.

Clearer Rules for Businesses

The benefit of a regulation rather than a directive is that one data protection law would apply across the EU instead of 28 different data protection laws implementing a directive (as is currently the case). The potential effect of the Regulation, however, is that countries are still likely to interpret provisions differently across the EU. A consistency mechanism within the Regulation allows the European Data Protection Board to give an opinion on cross-border data protection issues.

Businesses will be able to deal with one data protection authority of their choice (a “one-stop shop”) and will no longer have to file data processing notifications with data protection authorities.

Smaller businesses will not have to appoint a Data Protection Officer or conduct impact assessments of data protection risks.

New Obligations for Businesses

All businesses that offer goods or services in the EU (whether or not for a fee) or that monitor or track individuals within the EU will be subject to the Regulation. This will be more than “mere access to a website or email address” and will cover the ability of an individual in the EU to purchase or register for such goods or services. Methods for monitoring individuals will include the use of tracking techniques and cookie files as well as the ability to profile individuals in the EU. Organisations that do not have a physical presence in the EU will, therefore, be subject to the Regulation. These businesses not based in the EU will need to appoint an EU-based representative for data protection regulatory purposes.

Businesses (except smaller businesses) will need to appoint a Data Protection Officer, who will be responsible for implementing the Regulation, including an organisation’s policies and procedures, and will also be accountable to the relevant data protection authority in the event of a data breach. The Data Protection Officer will need to be appropriately trained and supported by the business in terms of authority and access to information about the business. A group of companies may appoint a single Data Protection Officer.

In the event of a data breach, businesses will need to notify the relevant data protection authority without undue delay, and in any event, within 72 hours of becoming aware of the breach. In circumstances where individuals are significantly affected, they must also be notified without undue delay. Under the NIS Directive, there are separate security breach notification provisions requiring an operator of “essential services,” such as energy, transport, banking, financial markets, and healthcare to notify the authority without undue delay of a breach that has a significant effect on the provision of such services.

Sanctions for breaching the Regulation will be tiered: up to 2% of annual turnover for some breaches, and up to 4% of annual turnover for other more significant breaches.

Businesses that act in the capacity of “data processors” (i.e., on instructions from a “data controller,” which currently has direct legal obligations under data protection laws) will have some direct obligations under the Regulation. This includes appointing a data protection officer where processing is a core function, notifying the data controller for whom it acts as a data processor of any data breaches without undue delay, and implementing technical and organisational measures to protect personal data processed on behalf of the data controller.

International Data Transfers

The Regulation will mean that businesses can no longer self-assess an international data transfer as being adequate if that country is not already on the list of countries deemed by the European Commission as being adequate. Therefore, unless an individual gives express consent to the transfer or an exemption from the need to obtain consent is applicable, businesses will need to consider model clauses in the forms approved by the European Commission or binding corporate rules. Currently, the European Court of Justice has deemed the Safe Harbor programme invalid.[1] The European Commission has said it will issue guidance for organisations that are Safe Harbor–certified by the end of January 2016.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Matthew Howse

New York
Gary Adler

Stephanie A. Blair
Ezra D. Church
Barbara Murphy Melby
Gregory T. Parks

Doneld G. Shelkey

San Francisco
W. Reece Hirsch

Silicon Valley
Mark L. Krotoski

Washington, DC
Dr. Axel Spies

[1] See our LawFlash on this topic, ECJ Rules EU-US Safe Harbor Programme Is Invalid.