Information Matters: Christmas comes early with the final text of the General Data Protection Regulation

Posted by: Alan Baker | Date posted : 23/12/2015

Around the Christmas table in the Baker household, a popular topic is: "what is the best Christmas album?"  Adopting the usual exclusions (no compilations) and caveats (I haven't heard them all), I am of the fairly firm view that Phil Spector's A Christmas Gift For You is the holder of that lofty accolade.

That title came to mind when the news broke last week, in a press statement from the European Commission, that consensus has finally been reached on the final text of the General Data Protection Regulation ("GDPR").  Why?  Because this gift is the product of three independent law-making bodies (the European Commission, Parliament and Council) combining their efforts under the guiding genius of one visionary individual: in this case, Jan Philipp Albrecht, the German MEP and Rapporteur on the GDPR.

That is reminiscent of the combined efforts of Bob B. Soxx & the Blue Jeans, The Crystals and The Ronettes, all working together under the soaring vocals of Darlene Love and, yes, Phil Spector himself in order to produce the aforementioned Christmas album (NB any other comparisons between Phil Spector and Jan Albrecht MEP are hereby disclaimed in full).

So, what are the key features of this early Christmas treat?  The Commission's own press release puts the increased rights of data subjects front and centre.  Some highlights of the agreed text include:

  • An increased threshold for obtaining consent – this will now have to be "unambiguous" for all processing of personal data, with the clarification that this requires a “clear affirmative action”, and that consent has to be “explicit” for sensitive data.
  • A "right to be forgotten" – while this was one of the more contentious parts of the legislation, this right (for individuals to have their data deleted if they so wish, and provided there are no legitimate grounds for retaining it) has survived in the final text of the GDPR.  No doubt this will continue to be controversial in some quarters, and indeed the Commission's press release sounds almost defensive when it says "This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press."
  • Also falling in the "pro-data subject" category are new rules concerning data protection by design and by default: privacy safeguards must be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
  • A right to data portability will also make it easier for individuals to transmit personal data between service providers.
  • Rights for data subjects not to be subject to profiling, added to existing rights to prevent automated decision-making – except in certain limited circumstances this would now require explicit consent.
  • Significantly, the GDPR is armed with (massively) increased sanctions and enforcement provisions, meaning that (at the extreme end of the spectrum) data protection authorities will be able to fine companies who do not comply with the GDPR up to 4% of their global annual turnover.  This is towards the higher end of the spectrum of potential fines which were discussed during the various law-making bodies' negotiations. So it's not all tangerines and walnuts at the bottom of Jan Albrecht's stocking, we are afraid to report.

The Commission is however keen to stress the benefits of the GDPR for (small) businesses, namely:

  • Harmonised law across Europe, a "One-stop-shop" regulator, i.e. a single supervisory data protection authority and the abolition of formal notification / registration requirements, reducing red tape and (in theory) costs.
  • Technological neutrality – in the sense that the GDPR applies equally to personal data regardless of the technological means used to process it.
  • And some thresholds for certain compliance obligations, so that only medium to large sized businesses are caught: for example, the requirements to appoint a Data Protection Officer, to keep records of processing activities or to report all data breaches to individuals.

Clearly, though, there are other aspects of the GDPR which will not be so joyfully received by data controllers (and indeed data processors, which will have certain new obligations under the GDPR) this Christmas time.  For example, the duty to notify data breaches to the relevant data protection authority (and, for larger companies, the affected data subjects) and the requirement to appoint full-time Data Protection Officers (in those businesses which process sensitive data on a large scale or routinely monitor large amounts of personal data) will no doubt feel like a proverbial lump of coal for some, especially given the bolstering of the GDPR's sanctions and enforcement regime mentioned above.

In terms of next steps, the agreement reached last week is provisional and the final text of the GDPR now needs to be adopted formally by the European Parliament and the Council of Ministers. The GDPR will then be published in the Official Journal of the EU, probably in the early part of 2016. The GDPR will take effect two years later, in 2018.

As for our next steps, we will be taking some time over our turkey to read the GDPR through and think a bit more deeply, crisply and evenly about its implications before (no doubt) we publish some more thought pieces on it in the New Year. Here's an immediate thought for you, though – inspired by track number four on A Christmas Gift For You, the Crystals' version of Santa Claus Is Coming To Town.

If Saint Nick really is "…making a list, And checking it twice; Gonna find out Who's naughty and nice", we can only assume he will now be reading the GDPR agreed text with interest – and it may have put him off his mince pies. This kind of mass-scale processing of (potentially sensitive) personal data clearly falls into the category of profiling. Children all over Europe will soon enjoy increased rights to prevent this level of automated decision-making, particularly where the decision could significantly affect his or her Christmas present haul (see Article 20(1) of the GDPR).

We would recommend that, from Christmas 2019 (the first after the GDPR will take effect), Santa should seek explicit consent from the parents of children under 12 before making blanket decisions based on the traditional naughty / nice rationale.

A very Happy Christmas to you all.

Click here to read more posts from Information Matters.

If you require further information on anything covered in this briefing please contact Alan Baker (; 020 3375 7441)  or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Data Protection page on our website.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, December 2015