The European Commission’s publication of a new General Data Protection Regulation in January 2012 sparked a lengthy process of debate and negotiation. At the end of this process emerged a new law which will transform European data protection legislation, in a digital age where information systems are pivotal to business. In this briefing, Keystone’s Carolyn Bertin summarises the key changes to the law and shares some tips on how to ensure you are compliant.
The EU General Data Protection Regulation (“GDPR”) is an ambitious and complex law which will replace the Data Protection Directive 95/46/EC and, unlike its predecessor, it will be directly applicable in each EU member state. Member states have two years to transpose the GDPR into national law. Controllers and processors of personal data under its remit have until Spring 2018 to establish compliance.
The penalties for non-compliance are severe: the greater of €20 million or 4% of gross annual turnover for the more serious offences, and the greater of €10 million or 2% of gross annual turnover for lesser offences.
The GDPR will apply to organisations with an establishment in the EU and to organisations without an establishment in the EU who:
- offer goods or services to individuals in the EU (even if the goods or services are free); or
- monitor behaviour of individuals in the EU.
Thus almost every website and app that analyses or predicts personal preferences will be subject to the GDPR irrespective of their geographic location.
There are a number of obligations designed to make businesses more accountable for their data practices, including carrying out data protection impact assessments, implementing data protection policies and privacy by design, consulting regulators in advance of high-risk processing, and co-operating with regulators; both controllers and processors will be required to appoint a Data Protection Officer. There are also detailed requirements for controllers to impose contractual obligations on processors and sub-processors. The accountability obligations apply equally to data processors.
One of the main tenets of the new law is putting people in control of their data with increased rights for data subjects and emphasis on transparency, portability and erasure (the so-called ‘right to be forgotten’). These, coupled with a right to compensation for damages, are likely to be crucial tools in the protection of data in the ever-growing digital age.
Emphasis is given to obtaining the “consent” of data subjects in relation to the use of their personal data, and the standards determining valid consent have been raised considerably. Not without controversy is the need for parental consent for the use of personal information of those under 16 years old. Each member state has discretion to reduce the age limit (but not to below 13), which is bound to lead to a lack of harmonisation across the EU. That, together with the requirement to take reasonable steps to confirm parental consent, is likely to make it difficult to find mechanisms which comply.
International Data Transfers
Controllers and processors may only transfer personal data outside the EU to a country or an organisation deemed adequate by the EU Commission or if they have put in place adequate and appropriate safeguards, and on condition that enforceable rights and effective legal remedies are available to the data subjects whose data is transferred.
In addition to Binding Corporate Rules (BCRs), Standard Contractual Clauses adopted by the EU Commission (SCCs), and ad-hoc contractual clauses (approved by a regulatory authority and the EU Commission), the GDPR also provides some additional mechanisms to legitimise transfers:
- an approved code of conduct;
- an approved certification mechanism; or
- other contractual clauses authorised by a regulatory authority in accordance with the “consistency” mechanism.
The codes of conduct and certifications are undeveloped. The future of SCCs is to be determined by the ECJ following the recent challenge by the Irish regulator of their validity as a basis for international transfers. BCRs are growing in popularity but for most will only be relevant to intra-group transfers. (They should not be overlooked though, as they are a good framework for establishing privacy by design and achieving global privacy compliance.) Ad-hoc contractual clauses are likely to become a more realistic solution for many, but they still require considerable effort in terms of bespoke drafting and interaction with regulators.
Enhanced Data Security and Breach Notification Obligations
There are stricter obligations on controllers and processors with regard to security, but more guidance is provided on appropriate security standards. Pseudonymisation is one of the newly recommended security measures, as is a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.
There is a wide definition of “personal data breach”: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In the event of a personal data breach, controllers must notify the “competent [under Article 55] supervisory authority” (most likely the data protection authority of the member state where the controller has its main or only establishment) “without undue delay, and, where feasible, not later than 72 hours after having become aware of it”. The controller must provide a reasoned justification for delay if notification is not made within 72 hours. Notification is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons”.
If the controller determines that the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, it must also communicate the information regarding the breach to the affected data subjects unless:
- it has implemented appropriate measures that render the data unintelligible to any person not authorised to access it, e.g. encryption;
- it takes actions subsequent to the breach to ensure that the high risk is unlikely to materialise; or
- notification to each data subject would involve disproportionate effort (but then alternative communication measures must be used).
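The briefing recommends pseudonymisation as a security measure and notes that data rendered unintelligible to unauthorised persons can take a breach outside the duty to notify data subjects. The following is an added illustration of what pseudonymisation looks like in practice; it is example code written for this page, not code from the author or from any regulator. It assumes a constructed set of purchase records keyed by e-mail address and a secret key held separately from the dataset. Each direct identifier is replaced with a keyed HMAC-SHA256 token, so the pseudonymised records can still be analysed per subject, while a party holding only the records (for instance after a breach) cannot turn a token back into an e-mail address without the key.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "purchase": "book", "amount": 12.50},
    {"email": "bob@example.com", "purchase": "pen", "amount": 2.00},
    {"email": "alice@example.com", "purchase": "lamp", "amount": 30.00},
]


def new_key():
    """Generate the secret used for tokenisation. In practice this is stored
    separately from the pseudonymised dataset (e.g. in a key store) so that
    holding the dataset alone is not enough to re-identify anyone."""
    return secrets.token_bytes(32)


def pseudonymise(record, key):
    """Replace the direct identifier with a keyed token.

    HMAC rather than a bare hash: a plain SHA-256 of an e-mail address can be
    reversed by hashing a list of candidate addresses, whereas an HMAC token
    is only reproducible by someone who holds the key.
    """
    token = hmac.new(key, record["email"].encode("utf-8"), hashlib.sha256).hexdigest()
    out = dict(record)
    del out["email"]
    out["subject_id"] = token
    return out


def pseudonymise_dataset(records, key):
    """Pseudonymise every record with the same key so that one person always
    maps to the same token and per-subject analysis still works."""
    return [pseudonymise(r, key) for r in records]


def spend_per_subject(pseudo_records):
    """Aggregate by token: the analysis does not need the real identifier."""
    totals = {}
    for r in pseudo_records:
        totals[r["subject_id"]] = totals.get(r["subject_id"], 0.0) + r["amount"]
    return totals


def reidentify(token, candidate_emails, key):
    """Link a token back to a known identifier. Only the key holder can do
    this; with the wrong key every candidate fails the comparison."""
    for email in candidate_emails:
        expected = hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, token):
            return email
    return None


if __name__ == "__main__":
    key = new_key()
    pseudo = pseudonymise_dataset(RECORDS, key)
    for r in pseudo:
        print(r)
    print(spend_per_subject(pseudo))
```

The design point is the separation: the dataset carries only tokens, and the key that makes re-identification possible lives elsewhere with its own access controls. Whether a given scheme actually renders data unintelligible in the sense the briefing describes is a judgement about the strength of the measure and the separation of the key, not something the code alone settles.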
When a processor experiences a personal data breach, the only obligation for it under the GDPR is to notify the controller.
Most acknowledge that 100% compliance is not achievable. However, doing nothing is not an option. The increased rights of data subjects, including rights to compensation for damages and the level of administrative fines, should be sufficient incentive to prioritise compliance with the key requirements. Organisations need to act now to assess their risk and start prioritising according to their risk tolerance level.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.