It is well known that the European Union has stringent cyber-regulation for firms looking to do business within its jurisdiction. The EU Data Protection Directive, under which the EU has operated since 1995, is in the process of being updated with a new General Data Protection Regulation (“GDPR”). This is an attempt to unify data protection in the EU under a single law in order to strengthen online data protection rights and to modernize the principles contained in the original directive. A draft was presented in January 2012, and lawmakers are looking to implement the new regulation between late 2014 and 2016 (however, they have been vague on an operational timeline).
Some of the most significant changes are as follows. First, the current myriad of national laws that apply to those doing business in different jurisdictions in the EU will be replaced with a single uniform law, the GDPR. Further, companies will only have to deal with the supervisory authority in the country in which they principally operate. Currently, they may have to deal with as many as 28 authorities.
Second, the GDPR will provide enhanced protection for personal data. This will include a right to have personal data erased if there is no longer a reason for it to be retained by an organization, limits on individual profiling and stricter requirements for notifying individuals whose personal data has been compromised in the case of a breach. The GDPR would also require a firm to seek prior authorization with a national data protection authority in the EU before disclosing any EU citizen’s personal data to a non-EU country.
Finally, penalties and fines would be significantly increased for those who fail to comply with the new policies. The national data protection authorities would be given the power to fine companies up to €100 million or 5 percent of their annual global turnover, whichever is greater.
The GDPR will not only apply to those located in the EU, but in certain circumstances, could apply to anyone doing business in the EU or anyone with personal information about an EU resident, if their activities relate to the monitoring of the data subjects. For those who believe they fall within this description, the time to start preparing for this change is now.