On 15 December 2015, after almost four years of negotiations, the envoys of the European Parliament, the EU Council and the Commission finally reached an informal agreement by way of a so‐called trilogue relating to the future EU General Data Protection Regulation (GDPR). The GDPR will replace the current Data Protection Directive 95/46/EC. The extraordinarily controversial deliberations started in January 2012, following the Commission's proposal for a corresponding Regulation. The Commission's aim was to create a uniform set of data protection rules for all companies and authorities in the EU. In future, even non‐European companies will be bound by the GDPR when they conduct business inside the EU. For all companies, the GDPR poses considerable challenges.
As before, companies and authorities will in future be permitted to process personal data only with the data subject's consent or where this can be based on statutory law. Regarding the latter, one of the main debates in the legislative process for the GDPR centred on the question of whether, in future, data processing without the data subject's consent will be possible only under stricter conditions. This point of view, however, was rejected. Specifically, personal data processing will, inter alia, still be permitted in future, provided it serves the legitimate interests of the processing body and is proportionate. Also, processing for the benefit of third parties will continue to be permitted. This is good news for companies.
Not so good, however, is the fact that the Member States' legislators are no longer permitted to define their own principle of proportionality – as was previously the case. For instance, the detailed special rules and sectoral regulations of German data protection law will cease to apply. This means a considerable degree of legal uncertainty. In future, the highly abstract standards of the GDPR will apply instead.
One of the issues that was debated right through to the end was the principle of purpose limitation. Under present law, companies and authorities are only permitted to use personal data for the very purpose for which they were initially collected. In practice, this raises the highly significant question under which conditions exceptions to the said principle may be made. For instance, data initially collected to perform a contractual relationship may, in principle, no longer be used for any other purposes, e.g. economic analyses or advertising. Under present law, however, using data for a purpose other than the original one may be legitimate if such derogating use is proportionate. This exemption and other exceptional rules of national law will no longer apply.
Instead, the GDPR henceforward provides for a new “compatibility test”. Every use of data must be “compatible” with the initial purpose for which it was collected. The GDPR requires a complex evaluation, but the criteria it provides for such an evaluation are insufficiently precise. It can be safely assumed that some uses of data contrary to their initial purpose, which today are lawful, will in future be unlawful. In any case, legal uncertainty in this area will rise significantly, all the more so because the numerous special rules of national data protection law, e.g. under the German Federal Data Protection Act, will cease to apply in future.
On the other hand, the principle of purpose limitation may also open up new possibilities. Under current law, every instance of data processing, even subsequent processing, must be based on a separate legal basis. In future, however, according to the EU legislator, subsequent processing will no longer require such a legal basis. Instead, a successful purpose compatibility test will suffice.
Old wine in new skins: the Regulation on international data transfers. Data transmission at international level is today part of daily business for most companies. In legal terms, the mere possibility for persons outside the European Economic Area to access personal data already constitutes a data transfer to third countries. This applies, for instance, to standard Cloud services and Software as a Service (SaaS), which are used by most companies in Europe, whether medium‐sized companies or international corporations. With its ground‐breaking judgment in the Schrems case on 06 October 2015, the ECJ raised doubts about the legitimacy of such data transfers, despite the fact that the judgment itself only relates to transfers to the U.S. The GDPR does not solve the massive problems that the ECJ's judgment created for companies in their daily business. As regards data transfers to the U.S., it remains to be seen what the outcome of the current negotiations between the EU and the U.S. regarding a new legal framework – at least in respect of transatlantic data exchanges (Safe Harbor) – will be.
The agreement the negotiators of the EU legislative bodies reached today now requires formal confirmation by the plenary of the European Parliament and the EU Council. In practice, this is a mere formality and is expected to take place in the first quarter of 2016. The GDPR will enter into force 20 days after its publication in the EU Official Journal. However, its application will only be mandatory 2 years later, i.e. from April 2018. Until then, the national laws on data protection such as the German Federal Data Protection Act (BDSG) and the current Data Protection Directive 95/46/EC will continue to apply. Whilst the current Directive allowed the Member States some leeway in the specific implementation of European law and its transposition to national law, the GDPR must be directly applied in all Member States. This means that from the end of the two‐year transition period, national data protection laws will largely be a thing of the past.