EU Data Protection Regulation

16 June 2015       Authors: Noirin M. McFadden, Andrew R. Danson

On 15 June 2015 the European Council released its final proposed text for the new General Data Protection Regulation. The Regulation is being adopted to provide legal certainty and transparency for businesses and to provide individuals with the same level of rights and obligations in all EU Member States.

The Regulation will apply to data controllers located outside of the EU whose processing activities relate to the offering of goods or services to data subjects within the EU, as well as to data controllers located within the EU. Moreover, the Regulation will for the first time introduce a requirement on companies (in either a processor or controller role) to conduct data protection impact assessments where processing activities are likely to be intrusive in relation to the rights of individuals.

The Regulation has been subject to much debate. The final proposed draft raises two new specific areas of regulation which will likely be onerous for data controllers:

  • Introduction of mandatory reporting requirements. The Regulation requires data controllers to notify any personal data breaches to the supervisory authority in their jurisdiction upon becoming aware of such a breach and if possible, within 72 hours. Unless the affected data has had appropriate technological protection measures applied to it, the data controller will also be required to notify the data subject as soon as practicable and in accordance with any guidance provided by the supervisory authority. This represents a significant departure from previous practice in many EU Member States.
  • Introducing increased fines for infringement of the Regulation. The relevant supervisory authority will determine on a case-by-case basis the level of fine to be imposed in accordance with the Regulation's criteria and upper limits. The maximum fine will now be EUR 1 million or 2% of the worldwide annual turnover of the company, whichever is the higher.

A copy of the published text can be found here.

The next step is for trilogue discussions to take place between the European Council, European Commission and European Parliament to reach a final version of the text; the first trilogue meeting is to be held in Brussels on 24 June 2015. It is expected that these discussions will last until the end of 2015 or into 2016. Once the final text is agreed and adopted it will take approximately two years to come into force.

If you would like to discuss how this might affect your business, please contact one of the authors.


This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm’s clients.

If you are having difficulty printing this article, please use Internet Explorer.

EU Data Protection Regulation