It is a regulation, not a directive: the text will therefore be directly applicable in each member state, without the differences in interpretation to which the 1995 Directive gave rise. This new text introduces substantial reforms in the approach to personal data protection, the main outlines of which are given below.
The territorial scope of the regulation
At present, a company located outside the EU can process the data of EU citizens with no or very limited legal constraints other than those of its country of origin. The future Regulation will apply to any company that processes the personal data of EU citizens, even if it is not established in an EU Member State.
The end of formal declarations/authorisation procedures in favour of a logic of self-analysis of risks
The Regulation, and this is a fundamental difference from the current philosophy of personal data protection, lays down the principle of “accountability”. The principle of accountability means that the company is not only responsible for complying with the obligations set out in the Regulation, but must also be able to demonstrate that it is complying with them and that it has implemented the appropriate technical and organisational measures to do so. This demonstration covers a very broad spectrum of obligations, including the following:
- Compliance with the rule of “privacy by design”, requiring that any processing implemented by the company be designed from the outset to protect personal data.
- The need to assess the level of risk corresponding to each processing operation and to put in place the corresponding proportionate measures.
- For high-risk processing operations, the text is specifically aimed at those using new technologies or profiling techniques, with the obligation to carry out an impact study before the processing operation is implemented. A list of the processing operations concerned must be drawn up by the local protection authority (in France, the CNIL) in each country. The protection authority will be able to refuse the implementation of a processing operation if it considers that sufficient precautions have not been taken, thus replacing the current authorisation procedure in a much more differentiated way.