Political agreement on EU data protection reform
18 December 2015 – On 15 December 2015, the European Commission, the European Parliament and the Council of the European Union reached a long-awaited political agreement at their final “trilogue” meetings on the reform of EU data protection law. The Committee on Civil Liberties, Justice and Home Affairs (LIBE) confirmed the reform in a vote on 17 December 2015. The political agreement is expected to be formally adopted by the European Parliament and Council of the European Union at the beginning of 2016. The new EU data protection rules will enter into force in 2018 after a transition period of two years. The EU data protection reform consists of a new General Data Protection Regulation (the Regulation) and a new Data Protection Directive for the police and criminal justice sector.
The Regulation will establish new rights for individuals and additional obligations for data handlers. At the same time, data protection authorities will have the competence to impose significant fines for non-compliance. Hence, companies are advised to start adapting to the new rules early in order to be prepared for the new regime. The reform will allow more centralised enforcement by establishing a single set of directly applicable rules, and will allow undertakings to deal primarily with a single national privacy regulator on the EU level.
As Switzerland is neither a member of the EU nor of the EEA, the reform does not have a direct impact on Swiss data protection law. The reform will nevertheless be relevant from a Swiss perspective in at least two ways:
Firstly, the new rules will be relevant for Swiss companies doing business in the EU. On the one hand, the Regulation will be applicable, e.g., to any data processing by group companies located in the EU. On the other hand, and most importantly, the Regulation will also apply to the processing of personal data of data subjects residing in the EU by a controller established in Switzerland (or any other country), where the processing activities relate to the offering of goods or services to data subjects in the EU or the monitoring of data subjects’ behaviour in the EU.
Secondly, it is expected that the EU data protection reform will have a strong factual influence on the content of the currently pending reform of the Swiss Federal Act on Data Protection (DPA) [cf. news of 01.04.2015].