Privacy Monday - May 4, 2015: Shaping Up -- Update on the EU’s Draft General Data Protection Regulation
On this Privacy Monday, we can definitely say that the long winter of our discontent (at least for some of our readers) is over. Happy spring!
In case you missed it, last Wednesday we presented the fourth in our Wednesday Webinar series on the progress of the EU draft Data Protection Regulation and what we might expect.
The EU’s draft General Data Protection Regulation is moving towards its final form now that the Council of the European Union has provided its views on most of its provisions. Although the Council, Parliament and Commission need to negotiate the final form of the Regulation through the “trilogue” process, the overall outline of the Regulation is fairly clear. Subject to the trilogue process, here’s a recap of what we expect to see:
The new Regulation will have a broader definition of personal data and will apply directly to data processors as well as data controllers. Organizations based outside the EU will be covered if:
- the data processing relates to an offer of goods or services to people in the EU (including free goods or services) OR
- the data processing is aimed at monitoring people in the EU.
The Regulation will most likely include the following features:
- Risk of very high fines based on a multiple of group global turnover
- Mandatory appointment of Data Protection Officers in some or most circumstances
- Privacy Impact Assessments
- Data Breach Notification (stringency under negotiation)
- New super-regulator: European Data Protection Board
- One-Stop Shop (potentially with significant modification per the Council draft)
- Non-EEA "adequacy" determinations can be sector-specific
- COPPA-like parental consent for kids
- Privacy Seals/Certifications promoted as a way to help companies show compliance with the law
- Right to Erasure/Right to be Forgotten
- Data portability
- No more registration with national data protection authorities
To access the webinar recording, please click here.
Next up: The Long Reach of COPPA -- Don't forget to mark your calendars for the next presentation in our year-long series - Wednesday, May 27, 2015 from 1-2 pm EDT. Remember, CA and NY CLE credit is available.
This webinar, the fifth in our Privacy series, will explain the Children’s Online Privacy Protection Act and how it is enforced by federal and state governments. We will discuss how to determine whether an online service is subject to COPPA and if so, the various compliance options. We will also focus on lessons learned from the Federal Trade Commission's most recent settlements over alleged COPPA violations. The webinar will be presented by Julia Siripurapu and Ari Moskowitz of Mintz Levin’s Privacy & Security practice group.