8. Eduardo Ustaran, Partner
A practical overview of the new privacy framework
How will the EU Data Protection Regulation affect you?
9. Hogan Lovells | 9
The aim behind the EU's privacy reform
• A single set of rules
• Extraterritorial reach
• Putting people in control
• Focus on practical compliance
• Stronger enforcement powers
“A strong, clear and uniform legal framework.”
10. Hogan Lovells | 10
A long legislative process
• January 2012 - Proposed EU Data Protection Regulation
• March 2014 - Parliament's preferred draft
• June 2015 - Council's preferred draft
• 24 June 2015 - Trilogue kick-off
• 15 December 2015 - GDPR agreed
• Q1 2016 - Formal adoption
• Q2 2016 - Official publication
• 2 years + 20 days from the day of publication: GDPR in force and enforceable
11. Hogan Lovells | 11
Geographical applicability
• One single law for the EU
– Interpreted nationally
• Applicability based on establishment in the EU
– Economic activity in EU Member State
• Applicability based on individuals being in the EU
– Offering of goods or services to them
– Monitoring of their behaviour
12. Hogan Lovells | 12
Putting people in control of their data
• Strengthening of consent
– consent cannot be bundled with T&Cs
– consent can be withdrawn at any time and in an easy way
– if ‘take it or leave it’, consent is not freely given
• Provision of information
• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object to the processing
• Right on automated processing
13. Hogan Lovells | 13
Accountability obligations
• Data protection policies
• Data protection by design and by default
• Record keeping obligations (controllers & processors)
• Co-operation with DPAs (controllers & processors)
• Data protection impact assessments
• Prior consultation with DPAs in high-risk cases
• Mandatory DPOs for public sector and Big Data (controllers & processors)
• Security and notification of breaches (controllers & processors)
14. Hogan Lovells | 14
International data transfers
• Life after Safe Harbor
• Privacy Shield?
• Binding Corporate Rules
• Standard contractual clauses
– Adopted by European Commission
– Adopted by DPAs
• Approved code of conduct
• Approved certification mechanism
• Ad-hoc contracts authorised by DPAs
15. Hogan Lovells | 15
Supervision and enforcement
• Still national regulators
• Greater international cooperation
• One-stop-shop?
• Massive fines
– up to 20 million euro or
– up to 4% of the total worldwide annual turnover
whichever is higher
16. Hogan Lovells | 16
Action plan
#1 Don't panic
#2 Assess the true impact
#3 Prioritise accountability
#4 Think strategically about dataflows
#5 See it as an opportunity
17. The GDPR and Digital Advertising
Nick Stringer, Chair EDAA