EU agrees landmark privacy reforms

The EU has now reached political agreement on the General Data Protection Regulation. Formal adoption is expected in early 2016 and the Regulation should come into force in 2018.

This is the biggest shake up to privacy regulation in 20 years. Whilst the core principles of the law remain broadly the same, there are a number of significant changes. The new law will:

  • extend to companies that are based outside the EU but deal with EU citizens;
  • impose new obligations to notify regulators and individuals of serious data breaches; and
  • grant individuals new rights such as the right to be forgotten and the right to data portability.

These more prescriptive requirements will be backed up by a step change in sanctions. The most serious breaches will be punishable with fines of up to €20 million or 4% of annual worldwide turnover.

We have prepared a one page summary of the changes, here.