Database

Tthe General Data Protection Regulation (GDPR), which entered into force in May 2018, introduces burdensome administrative fines that can be imposed by the supervisory bodies. The upper limits for these fines are:
- EUR 10,000,000, or 2% of the infringing organization's total worldwide annual turnover of the preceding financial year, whichever is higher for infringement of the GDPR's obligations on data controllers, data processors, certification bodies, and monitoring bodies.
- EUR 20,000,000, or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher for infringement of the GDPR's principles on data processing (including conditions for consent), data subject's rights, data transfer to third countries and international organizations, and non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows.

The Network Information Security (NIS) Directive requires that an operator of an essential service relying on the service of a digital service provider for the provision of an essential service must notify the relevant authority of any incident affecting the digital service provider which has a 'significant impact' on the continuity of the essential service. “Digital service providers” include to online marketplaces, online search engines, and cloud computing services. The NIS applies to essential service providers and digital service providers with more than 50 employees or an annual balance sheet over 10 millon EUR.

The Directive was adopted by the European Parliament on July 6th 2016 and entered into force in August 2016. Member states have 21 months to transpose the directive into their national laws and 6 months more to identify operators of essential services.

The proposed EU's e-Privacy Regulation stipulates that firms must inform users of security risks when they identify them and, if the risk "lies outside the scope of the measures to be taken by the service provider", inform them of the remedies that users can take and provide an indication of the likely costs involved. As a result of this requirement, firms that are not able to remedy security risks timely would put themselves at greater risk in disclosing the vulnerabilities of their system to their users, increasing the risk of data breaches by actors capable of exploiting them. This is the case, for example, if information on security risks is leaked to the wider public.

According to the e-Privacy Directive (Directive 2002/58/EC) and Regulation 611/2013, personal data breaches in electronic communication services must be notified to the competent national authority. Notification to the authority shall be done no later than 24 hours after the detection of the personal data breach where feasible, extensible to 72 hours in some cases. When the personal data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller shall also notify the data subject of the breach without undue delay.

An opinion adopted by the Working Party 29 on 25 March 2014 expanded the personal data breach notification requirement in the e-Privacy Directive to controllers beyond electronic communication providers. The General Data Protection Regulation, effective since May 2018, enshrines this measure into EU law.

The proposed e-Privacy Regulation will replace the e-Privacy Directive. It is currently unclear how the overall regime will change as a result.

Since May 2018, the General Data Protection Regulation requires that organizations conducting "regular and systematic monitoring of data subjects on a large scale" or whose activities include the processing of sensitive personal data on a large scale, must appoint a Data Protection Officer (DPO). Previously, only European institutions and bodies were required to appoint at least one person as a DPO, with some Member States imposing such requirements also on private companies.

In May 2014, the European Court of Justice ruled that individuals are entitled to seek the deletion of links on search engines about themself if "the data appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed". The ruling is therefore recognizing the so-called right to be forgotten.

The General Data Protection Regulation enshrines the right to be forgotten under the "right to erasure", stipulating that this right should be enforced "without undue delay". Finally, should the controller have made the personal data public, it has to erase the personal data, and take reasonable steps to inform controllers which are processing the personal data that the data subject has requested the erasure of the data.

The General Data Protection Regulation (GDPR), entered into force in May 2018, stipulates that "consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement". These requirements are stricter than the previous regime in the sense that pre-ticked boxes or inactivity cannot be considered consent (Recital 32). Furthermore, "consent should cover all processing activities carried out for the same purpose or purposes", and therefore the user has to provide separate consent for separate purposes of processing. In addition, the consent must be withdrawable.

According to the Directive 2002/58/EC, traffic and location data generated by using electronic communications services must be erased or made anonymous when no longer needed for the purpose of the transmission of a communication, except for the data necessary for billing or interconnection payments.

The General Data Protection Regulation prohibits the retention of records containing personal data for a period longer than is necessary for achieving the purposes for which the personal data were collected or subsequently processed.

Under the Data Retention Directive, operators were required to retain certain categories of traffic and location data for a period between six months and two years. In addition, they were required to make the retained data available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

The EU's General Data Protection Regulation (GDPR), entered into force in May 2018, expands considerably the scope of EU privacy rules. In addition to companies established in the EU, the Regulation applies extra-territorially to companies offering goods or services to data subjects in the EU and companies that monitor the behavior of EU citizens (Art. 3).

The Regulation mandates that data is freely allowed to flow outside the European Economic Area (EEA) only in certain circumstances listed in Chapter 5 of the Regulation. The main conditions for such a transfer are the following: the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or, the transfer is necessary for the performance of a contract between the data subject and the controller.

The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. Currently, 12 jurisdictions have been deemed adequate: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Jersey, the Isle of Man, Israel, New Zealand, Switzerland and Uruguay. In addition, the EU/US Privacy Shield acts as a self-certification system open to certain US companies for data protection compliance.