EU data protection legislation is facing huge changes. Privacy issues arising from the growing popularity of Internet services have pushed the EU to entirely rethink its data protection legislation.
In 2012, the European Commission published a draft regulation (the General Data Protection Regulation, 'GDPR'), which will impose new obligations relevant to almost all businesses. Almost four years later, a political agreement on the GDPR was reached in December 2015. The final text will be formally adopted by the European Parliament and Council at the beginning of 2016 and become applicable two years thereafter.
The current EU Data Protection Directive (95/46/EC) was adopted in 1995. It has been implemented differently by EU Member States into their respective national jurisdictions, resulting in the fragmentation of national legislations within the EU. The GDPR will replace the Data Protection Directive and will be directly applicable in every EU Member State, thereby eliminating the current fragmentation of national data protection laws.
At present, personal data processed in the European Union is governed by the 1995 European Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Directive"). The Directive establishes a number of key legal principles:
- Fair and lawful processing
- Purpose limitation and specification
- Minimal storage term
- Special categories of data
These principles have been implemented in each of the 28 European Union Member States through national data protection law.
FUTURE LEGAL FRAMEWORK
The first step towards a new legal framework was taken when the European Commission presented its draft proposal for a new Data Protection Regulation on 25 January 2012. The proposal was presented as a comprehensive reform of the current data protection rules and aims to 'strengthen online privacy rights and boost Europe's digital economy'.
Subsequently, both the European Parliament (in March 2014) and the Council (in June 2015) adopted amended versions of the Commission proposal.
After six months of negotiations among the members of the European Parliament, the Member State delegations assembled in the European Council and the European Commission, a common position by the three institutions on the final text was reached in December 2015.
After formal approval at the beginning of 2016, followed by the official publication of the Regulation, there will be a two-year transition period to allow organisations and governments to adjust to the new requirements and procedures. Following the end of this transitional period, the Regulation will be directly applicable throughout the EU, without requiring implementation by the EU Member States through national law.
The goal of European legislators was to harmonise the current legal framework, which is fragmented across Member States. A 'Regulation' (unlike a Directive) is directly applicable and has consistent effect in all Member States, and should increase legal certainty, reduce the administrative burden and cost of compliance for organisations that are active in multiple EU Member States, and enhance consumer confidence in the single digital marketplace.
We have summarised the key changes that will be introduced by the GDPR in the following sections.
Key changes to the current data protection framework include:
- Adoption of a single set of rules on data protection, directly applicable in all EU Member States.
Although each Member State has implemented data protection laws locally which transpose the EU Data Protection Directive, there are material differences in the approach taken by national legislators. This has led to fragmentation in terms of compliance requirements across Member States.
The Regulation is intended to adopt a harmonised approach to compliance across all Member States by implementing legislation that will be directly applicable in all 28 Member States. There will be no opportunity for local transposition.
- A revised enforcement regime underpinned by power for regulators to levy heavy financial sanctions of up to 4% of the annual worldwide turnover of the organisation.
The Regulation provides for considerably higher sanctions than under the current privacy framework.
Regulators will be able to issue administrative fines of up to 4% of the annual turnover of the organisation and its affiliates worldwide, which will create a sea-change in risk for global businesses.
Each national supervisory authority will have the power to impose these sanctions. This is a major change from the current regulatory framework, where enforcement powers are inconsistent across the EU.
These changes will significantly increase the risk associated with privacy non-compliance.
OFFSHORE PROCESSING
- Application of the EU regulatory framework to companies established outside the EU, if they target EU citizens.
The new rules will have a broader territorial scope, since they will also apply to non-EU-established companies targeting the EU market, either by offering their goods or services to EU citizens or by monitoring their behaviour.
Currently, European data protection legislation only applies to non-EU-established controllers if they make use of equipment on EU territory for the purposes of processing personal data, and to processing taking place in the EU.
- Increased responsibility and accountability on organisations to manage how they control and process personal data.
The requirement in current data protection laws to notify the national data protection authority about data processing operations is abolished and replaced by a more general obligation on the controller to keep extensive internal records of their data protection activities.
Controllers must ensure all personal data is processed in compliance with the Regulation and be able to demonstrate compliance to a supervisory authority if requested.
The minimum measures to be taken include:
- Performing data protection impact assessments for high-risk projects. A data protection impact assessment will become a mandatory prerequisite before processing personal data for operations that are likely to present specific (higher) privacy risks to individuals due to the nature or scope of the processing operation. We expect this to become a routine governance tool in managing privacy risk across the organisation.
- Designating a data protection officer. Organisations – both controllers and processors – whose core activities require regular and systematic monitoring of data subjects on a large scale, or consist of large-scale processing of special categories of data or data relating to criminal convictions, will have to appoint a data protection officer (DPO). The DPO, who may be either a staff member or a service contractor, will report to the highest management level. His or her tasks will include informing and advising the controller / processor (and employees) of their obligations, monitoring compliance with the GDPR, advising on data protection impact assessments and cooperating with the supervisory authority (including acting as point of contact).
- Notifying the regulator of data breaches. Controllers will be required to notify the local supervisory authority and (in some cases) the data subjects involved of significant data breaches. Mandatory breach notification is not currently a requirement in most EU Member States, so this represents a significant departure from current practice.
- Implementing privacy by design and privacy by default. The Regulation introduces the concepts of "privacy by design" and "privacy by default". Privacy by design means taking privacy risk into account throughout the process of designing a new product or service, rather than treating it as an afterthought. This means carefully assessing and implementing appropriate technical and organisational measures and procedures from the outset to ensure that processing complies with the Regulation and protects the rights of the data subjects. Privacy by default means ensuring mechanisms are in place within the organisation so that, by default, only as much personal data as is necessary for each task is collected, used and retained, both in terms of the amount of data collated and the time for which it is kept.
- Ability to nominate a single national data protection authority as the lead regulator for all compliance issues in the EU, where the organisation has multiple points of presence across the EU ("one stop shop");
The Regulation introduces the principle of a "one-stop-shop", which allows the supervisory authority in the country of the controller's (or processor’s) main point of establishment in the EU to be responsible for decisions relating to the controller (or processor) across its EU operations. Although there are some significant exceptions to the one-stop-shop principle, this principle is expected to reduce the administrative burden of compliance for organisations that have an international footprint which may currently need to interact with supervisory authorities in each Member State where they are present.
- Adoption of a more active consent based model to support lawful processing of personal data;
It is an established legal principle that personal data can only be processed by a controller for purposes that are fair and lawful.
The current regulatory regime (under the Directive) allows a controller to lawfully process data with the "consent" of the data subject - which might be either express or implied consent - or where the processing is necessary for the "legitimate interests" of the controller in circumstances that do not cause undue prejudice to the individual.
These gateways to fair and lawful processing have come under scrutiny by EU legislators as part of the regulatory reform process. There is a strong view that the current regime provides controllers with too much flexibility to determine how data are used and that rights need to be re-balanced in favour of the individual, particularly in the context of social media networking and consumer profiling where individuals often have limited ability to control how their data are shared if consent is based on implied consent, or a wide interpretation of "legitimate interests".
The definition of "consent" has been significantly refined in the Regulation. Consent should be freely given, specific, informed and unambiguous. Implied consent (e.g., by just staying on a website or not responding to a request) will not be sufficient, as the Regulation states that consent should be given "by a statement or clear affirmative action".
Requiring consent from an end user in order to give that person access to a service, where these personal data are not necessary to perform the contract, will no longer be allowed.
Under the Regulation, controllers will be expected to give much more consideration in their working practices to what the data subject would like and expect their data to be used for, and to allow individuals the right to change their preferences from time to time, whether to withdraw consent previously given or to object to continued processing on grounds based on "legitimate interests".
This flexibility is enshrined in new rights to data erasure in the Regulation (see below) and will require organisations to adopt a more dynamic consent model or preference-centre type approach to consumer interactions.
- Increased transparency obligations; and
- Privacy notices will need to include much more detailed information.
The Regulation introduces a new obligation on the controller to develop "transparent and easily accessible" policies explaining to data subjects how their personal data will be processed, what their individual rights are and how those rights may be exercised. This must be provided in an intelligible form, using clear and plain language that will be understood by the target audience - ensuring, for example, that any information collected from children is addressed specifically in a manner that children will understand.
- The ability for individuals to easily transfer their data files from one service provider to another (right to data portability);
The Regulation introduces a new right to data portability, which grants a data subject the right to receive the personal data concerning him or her that he or she has provided to a controller, in a structured, commonly used and machine-readable format. The data subject is also entitled to have the data transmitted directly from one controller to another, where this is technically feasible.
RIGHT TO BE FORGOTTEN
- A statutory "right to be forgotten" which will allow individuals the right to require a controller to delete data files relating to them if there are no legitimate grounds for retaining it;
The current Directive includes a right for data subjects to seek a court order to cease data processing in circumstances which may be causing them damage, as recently recognised by the European Court of Justice’s landmark Google Spain ruling.
The Regulation builds upon this principle with a new statutory right to raise objections directly with the controller and force erasure of data files and prevent further disclosures in specified circumstances:
a. where the data are no longer necessary for the purposes for which they were originally collected or processed;
b. where the data were originally collected from the data subject based on consent, but where the individual has indicated that he or she wishes to withdraw that consent;
c. where the data were originally collected from the data subject based on the legitimate interests of the controller, but where the individual has indicated that he or she objects to personal data being processed for those purposes;
d. where the data have been unlawfully processed;
e. where the data have to be erased for compliance with a legal obligation to which the controller is subject; or
f. where the data have been collected in relation to the offering of information society services to children.
Exceptions apply to the erasure requirement where the controller may be able to demonstrate an overriding justification to maintain processing of the data - for example the need to retain records to comply with a legal obligation.
In each case where an objection is raised, the relevant controller is required to take all reasonable steps to inform any third parties to whom the data have been disclosed of the erasure request. This means that the controller must take reasonable measures to manage the way in which any third party publishers make use of personal data passed on to them.
- Direct regulation of data processors;
The Regulation directly regulates data processors for the first time. The current Directive generally regulates controllers (i.e. those responsible for determining the manner and purposes for which any personal data are processed) rather than "data processors" - organisations that may be engaged by a controller to process personal data on its behalf (e.g. as an agent or service provider).
Under the Regulation, processors will be required to comply with a number of specific obligations, including to maintain adequate documentation, implement appropriate security standards, carry out routine data protection impact assessments, appoint a data protection officer, comply with rules on international data transfers and cooperate with national supervisory authorities. These are in addition to the requirement that processors are engaged by the controller under a data processing agreement which includes terms mandated by the Regulation.
Processors will be liable to sanctions at the same level as controllers if they fail to meet these criteria.