EU data protection reform agreed: the countdown to compliance begins | Practical Law

It appears that the long debate over EU data protection reform has reached its end after the European Parliament and the Council of the EU concluded a provisional political agreement on 15 December 2015. The reforms will have a number of practical implications for businesses.

Practical Law UK Articles 1-622-1721 (Approx. 6 pages)


by Marcus Evans and Jay Modrall, Norton Rose Fulbright LLP
Published on 28 Jan 2016 | European Union, United Kingdom

It appears that the long debate over EU data protection reform has reached its end after the European Parliament and the Council of the EU concluded a provisional political agreement on 15 December 2015 (see News brief "EU data protection regulation: the long road to reform").
The two bodies are expected to formally approve the texts of the General Data Protection Regulation (the draft regulation) and the Police and Judicial Co-operation Data Protection Directive in early 2016. The current Data Protection Directive (95/46/EC) (the current Directive) will be repealed two years after the new legislation is published in the Official Journal, so the new provisions are likely to come into effect in the first quarter of 2018. The reforms will have a number of practical implications for businesses (see box "Impact on businesses").

Legislative amendments

Although the draft regulation will be directly applicable, EU member states will need to amend existing laws or create new laws in a range of areas, including:
  • The repeal of the member state-level implementing legislation of the current Directive.
  • Criminal sanctions for breaches.
  • The exceptions to data subject rights.
  • The specific rules relating to employment.
  • The specific safeguards and exceptions for scientific and historical research purposes or statistical purposes.

Geographical scope

The draft regulation will have extra-territorial jurisdiction in relation to the offering of goods or services to, or the monitoring of, data subjects in the EU. Where this is applicable to non-EU controllers, they will need to appoint an EU representative unless the processing: is occasional; does not include large-scale processing of sensitive personal data or criminal offences; and is unlikely to result in a risk for the rights and freedoms of individuals. Otherwise, the jurisdictional tests are similar to those under the current Directive.

One-stop shop

As expected, the so-called "one-stop shop" originally proposed by the European Commission (the Commission), under which a multinational company operating in different member states would have a single lead supervisory authority (SA) in the member state where its main establishment is located, has been watered down. In the case of multi-jurisdictional infractions, the relevant SAs will need to be consulted and will be able to challenge the lead SA's decision. Where only one jurisdiction is involved, the lead SA may decide that that jurisdiction's SA should control the matter. In addition, data subjects will be able to bring judicial proceedings to enforce their rights and claim damages in the member state where they are habitually resident or where the controller or processor has an establishment, regardless of where the main establishment is.

Sanctions

The maximum administrative fines will be set at the higher of 4% of an undertaking's worldwide turnover or €20 million, with infractions being grouped into tiers attracting different maximum fine levels. Although not at the top end of the scale proposed by the European Parliament, this is at the higher end of expectations. Member states may also enact criminal sanctions.

European Data Protection Board

The European Data Protection Board (EDPB) will be established as a significant decision-making body in interpreting the draft regulation. The EDPB is an extension of the current Article 29 Working Party, except that the EDPB itself, rather than the member states' SAs, will be charged with issuing guidelines and best practice.

Consent

The draft regulation codifies best practice guidance on consent in the following ways:
  • Consent must be unambiguous and given either through a statement or a clear affirmative action.
  • Consent must be distinguished from other matters.
  • Utmost account must be taken of whether any conditionality is really necessary for the provision of a service or performance of a contract.
  • It must be as easy to withdraw as to give consent, and the data subject must be informed of this.
  • In relation to online services, parental consent will be required for children under 16 unless the member state law provides for a lower age of consent, which must not be lower than 13.

Fair processing information

The information that will need to be provided to data subjects regarding the processing of their personal data is extensive, including:
  • The legitimate interests pursued by the controller or the statutory or contractual requirements that are being relied on to justify processing.
  • The export solution relied on.
  • The storage period.
  • Information about data subject rights. Standardised icons, denoting certain uses of personal data, may still be recommended by the Commission.

Data subject rights

All data subject rights will need to be complied with free of charge unless they are manifestly unfounded or excessive. They must be actioned within a month unless they are complex, in which case up to two further months may be claimed. In addition to access and the right to be forgotten, the draft regulation will create a new data portability right in respect of information provided by the data subject.

Profiling and big data

The structure of controls on profiling and secondary use will be similar to the position under the current Directive, except that the profiling purposes caught will be widened and the controller will have to give meaningful information about the logic involved as well as the significance and consequences for the data subject.

Accountability

While the notification of processing to SAs will be abolished, controllers and processors will have to maintain detailed internal records of processing, policies and measures that demonstrate an effective compliance system under the draft regulation. They must disclose these to SAs at any time; exemptions are only available to organisations with fewer than 250 employees. Data protection officers are mandated for public bodies and controllers and processors whose core activities consist of processing that requires large-scale and systematic monitoring of data subjects or the large-scale processing of sensitive data or criminal offences. In addition, the draft regulation will allow member states to stipulate further circumstances where data protection officers are required under their national laws. High-risk processing activities will require a data protection impact assessment, and the controller will need to consult with the SA before proceeding.

Data processors

Data processors will be directly liable for fines and claims by data subjects. Data processors may be jointly and severally liable with controllers where a processor fails to perform its obligations. The draft regulation prescribes the content of data processor agreements, and there is also a possibility of a Commission-mandated standard form processor agreement.

Breach notification

Enterprises will need to notify SAs and affected individuals of security breaches that are likely to result in a high risk for the rights and freedoms of individuals, with notice to SAs due within 72 hours, where feasible, and to affected individuals without undue delay.

Export

Binding corporate rules will remain available for both controllers and processors. Commission adequacy decisions on the level of data protection in third countries will be reviewed at least once every four years, but both country adequacy decisions and decisions approving EU model clauses under the current Directive will remain valid until amended or repealed by a new Commission decision. Article 43a of the draft regulation, which will potentially require transfers to third countries to meet judicial or administrative authority requirements in that country to fall within a mutual legal assistance treaty, will make such transfers even harder.
Marcus Evans and Jay Modrall are partners at Norton Rose Fulbright LLP.

Impact on businesses

The General Data Protection Regulation will affect businesses in a number of ways:
  • Maximum fines of 4% of worldwide turnover for non-compliance will force businesses that have not yet addressed data protection compliance to do so, and will stimulate other businesses to review and adjust their programmes to meet the new requirements.
  • The substitution of the current system of notifications to, and prior approvals from, supervisory authorities with the concept of accountability will require comprehensive compliance programmes.
  • Maximillian Schrems v Data Protection Commissioner has put data export compliance at the top of many businesses' to-do lists (C-362/14; see News brief "Safe harbor in a storm: ECJ rules on data transfers to the US"). Export non-compliance will be in the new maximum fine tier, reinforcing the emphasis on proper implementation of export compliance solutions.
  • Privacy notices and consent wordings and mechanisms will need to be reviewed and, in most cases, amended to meet the new requirements.
  • Systems will need to be configured for data protection by design and to comply with new data subject rights.
  • The introduction of data processor liability will alter the liability profile in most subcontracting arrangements, so processors and controllers will need to reconsider what is an acceptable risk-sharing position.
  • The introduction of lead supervisory authorities and the new European Data Protection Board may mean that the focus of supervisory authority relationship-building and guidance monitoring will have to change for many businesses.
  • Meeting the new requirements will require at least a senior internal co-ordinating resource, if not an official data protection officer, who will be mandatory in many businesses. Data protection officers will be in high demand, with recruitment implications for businesses.