The European Commission has released its final draft proposal for comprehensive reform of data protection standards in the European Union. This draft of a proposed new General Data Protection Regulation (the “Regulation”) is largely consistent with the earlier draft that was the subject of a post on this blog dated December 5, 2011. But there are a number of changes from the prior version both in the body of the Regulation and in the accompanying explanatory proposal. Notable revisions include:
- Confirmation that a Controller need not make data identifiable in order to comply with the Regulation. This is a concern many commentators had observed to arise from the breadth of the new proposed definition of “personal data.”
- A new mandatory consent standard for the processing of personal data concerning children under the age of thirteen (13).
- A reduction in the maximum penalty for certain negligent and intentional violations to €1 million or 2% of annual worldwide revenue (from €1 million or 5% of global turnover).
Many of the changes reflected in the final draft appear to have been made in an attempt to address negative comments that the EU’s influential Internal Market and Services Directorate General (commonly referred to as the DG Markt) reportedly submitted to the Commission in January. But a number of concerns expressed by DG Markt were not addressed. The issuance of the final proposed Regulation has resulted in extensive additional commentary from policymakers, data protection authorities and the business community, some positive and some negative.
Significant debate and consideration is expected to continue before a final enactment comes up for a vote before the European Parliament. We will continue to monitor these developments for our clients closely.