EU data protection legislation is facing huge changes. Data protection laws are built on fundamental rights enshrined in the Charter of Fundamental Rights of the European Union which are the core building blocks of the EU’s legal regime. Privacy issues arising from an exponential growth in consumer and mobile technologies, an increasingly connected planet and mass cross border data flows have pushed the EU to entirely rethink its data protection legislation to ensure that these fundamental rights are fully protected in today’s digital economy.
In 2012, the European Commission published a draft regulation (the General Data Protection Regulation, 'GDPR'). Just over four years later, the final text of GDPR was published in the Official Journal of the European Union on 27 April 2016. Regulation 2016/679 heralds some of the most stringent data protection laws in the world and shall apply from 25 May 2018.
The current EU Data Protection Directive (95/46/EC) was adopted in 1995. It has been implemented differently by EU Member States into their respective national jurisdictions, resulting in the fragmentation of national data protection laws within the EU. As it is a Regulation, GDPR will come into effect immediately on 25 May 2018 without any need for additional domestic legislation in EU Member States. However, with more than 30 areas where Member States are permitted to legislate (differently) in their domestic laws there will continue to be significant variation in both substantive and procedural data protection laws among the EU’s different Member States.
The clock is now ticking with fines of up to 4% of total worldwide annual turnover for failing to comply with the requirements of GDPR. Organisations have a great deal to do between now and 25 may 2018 to be ready for the new regime
II. Current Situation
At present, personal data processed in the European Union is governed by the 1995 European Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive). The Directive establishes a number of key legal principles:
- Fair and lawful processing
- Purpose limitation and specification
- Minimal storage term
- Data quality
- Special categories of data
- Data minimisation
These principles have been implemented in each of the 28 European Union Member States through national data protection law. Although all originating from the same core Directive, there is significant variation among Member State’s substantive and procedural data protection laws.
III. Future Legal Framework
After almost four years of often fractious negotiations, GDPR was published in the Official Journal of the European Union as Regulation 2016/679 on 27 April 2016.
There will be a two year transition period to allow organisations and governments to adjust to the new requirements and procedures. Following the end of this transitional period, the Regulation will be directly applicable throughout the EU from 25 May 2018, without requiring implementation by the EU Member States through national law.
The goal of European legislators was to harmonise the current legal framework, which is fragmented across Member States. A 'Regulation' (unlike a Directive) is directly applicable and has consistent effect in all Member States, and GDPR was intended to increase legal certainty, reduce the administrative burden and cost of compliance for organisations that are active in multiple EU Member States, and enhance consumer confidence in the single digital marketplace. However, in order to reach political agreement on the final text there are more than 30 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws. There continues to be room for different interpretation and enforcement practices among the Member States. There is therefore likely to continue to be significant differences in both substantive and procedural data protection laws and enforcement practice among EU Member States when GDPR comes into force.
We have summarised the key changes that will be introduced by the GDPR in the following sections
Key changes to the current data protection framework include:
A. Wider Territorial Scope
Where organisations are established within the EU
GDPR applies to processing of personal data “in the context of the activities of an establishment” (Article 3(1)) of any organization within the EU. For these purposes “establishment” implies the “effective and real exercise of activity through stable arrangements” (Recital 22) and “the legal form of such arrangements…is not the determining factor” (Recital 22), so there is a wide spectrum of what might be caught from fully functioning subsidiary undertakings on the one hand, to potentially a single individual sales representative depending on the circumstances.
Europe’s highest court, the Court of Justice of the European Union (the CJEU) has been developing jurisprudence on this concept, recently finding (Google Spain SL, Google Inc. v AEPD, Mario Costeja Gonzalez (C-131/12)) that Google Inc with EU based sales and advertising operations (in that particular case, a Spanish subsidiary) was established within the EU. More recently, the same court concluded (Weltimmo v NAIH (C-230/14)) that a Slovakian property website was also established in Hungary and therefore subject to Hungarian data protection laws.
Where organisations are not established within the EU
Even if an organization is able to prove that it is not established within the EU, it will still be caught by GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Art 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Art 3(2)(b)) as far as their behaviour takes place within the EU. Internet use profiling (Recital 24) is expressly referred to as an example of monitoring .
1. Compared to the current Directive, GDPR will capture many more overseas organisations. US tech should particularly take note as the provisions of GDPR have clearly been designed to capture them.
2. Overseas organisations not established within the EU who are nevertheless caught by one or both of the offering goods or services or monitoring tests must designate a representative within the EU (Article 27).
B. Tougher Sanctions
Revenue based fines
GDPR joins anti-bribery and anti-trust laws as having some of the very highest sanctions for non-compliance including revenue based fines of up to 4% of annual worldwide turnover.
To compound the risk for multinational businesses, fines are imposed by reference to the revenues of an undertaking rather than the revenues of the relevant controller or processor. Recital 150 of GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully the Treaty doesn’t define the term either and the extensive case-law is not entirely straightforward with decisions often turning on the specific facts of each case. However, in many cases group companies have been regarded as part of the same undertaking. This is bad news for multinational businesses as it means that in many cases group revenues will be taken into account when calculating fines, even where some of those group companies have nothing to do with the processing of data to which the fine relates provided they are deemed to be part of the same undertaking. The assessment will turn on the facts of each case.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to 20,000,000 Euros or in the case of an undertaking up to 4% of total worldwide turnover of the preceding year, whichever is higher apply to breach of:
- the basic principles for processing including conditions for consent
- data subjects’ rights
- international transfer restrictions
- any obligations imposed by Member State law for special cases such as processing employee data
- certain orders of a supervisory authority
The lower category of fines (Article 83(4)) of up to 10,000,000 Euros or in the case of an undertaking up to 2% of total worldwide turnover of the preceding year, whichever is the higher apply to breach of:
- obligations of controllers and processors, including security and data breach notification obligations
- obligations of certification bodies
- obligations of a monitoring body
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Broad investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors. In particular:
- any person who has suffered "material or non-material damage" as a result of a breach of GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress and hurt feelings even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80). Although this falls someway short of a US style class action right, it certainly increases the risk of group privacy claims against consumer businesses. Employee group actions are also more likely under GDPR.
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or proessor (Article 79).
1. The scale of fines and risk of follow-on private claims under GDPR means that actual compliance is a must. GDPR is not a legal and compliance challenge – it is much broader than that, requiring organisations to completely transform the way that they collect, process, securely store, share and securely wipe personal data. Engagement of senior management and forming the right team is key to successful GDPR readiness.
2. GDPR will apply throughout the EU on 25 May 2018. Organisations caught by GDPR will need to map current data collection and use, carry out a gap analysis of their current compliance against GDPR and then create and implement a remediation plan, prioritizing high risk areas.
3. GDPR will require suppliers and customers to review supply chains and current contracts. Contracts will need to be renegotiated to ensure GDPR compliance and commercial terms will inevitably have to be revisited in many cases given the increased costs of compliance and higher risks of non-compliance.
4. The very broad concept of 'undertaking' is likely to put group revenues at risk when fines are calculated, whether or not all group companies are caught by GDPR or were responsible for the infringement of its requirements. Multinationals even with quite limited operations caught by GDPR will therefore need to carefully consider their exposure and ensure compliance.
5. Insurance arrangements will need to be reviewed and cyber and data protection exposure added to existing policies or purchased as stand-alone policies where possible. The terms of policies will require careful review as there is wide variation among wordings and many policies may not be suitable for the types of losses which are likely to occur under GDPR.
C. More Data Caught
Personal data is defined as "any information relating to an identified or identifiable natural person". (Article 4) A low bar is set for "identifiable" – if anyone can identify a natural person using “all means reasonably likely to be used” (Recital 26) the information is personal data, so data may be personal data even if the organisation holding the data cannot itself identify a natural person. A name is not necessary either – any identifier will do such as an identification number, location data, an online identifier or other factors which may identify that natural person.
Online identifiers are expressly called out in Recital 30 with IP addresses, cookies and RFID tags all listed as examples.
Although the definition and recitals are broader than the equivalent definitions in the current Directive, for the most part they are simply codifying current guidance and case law on the meaning of 'personal data'.
GDPR also includes a broader definition of "special categories" (Article 9) of personal data which are more commonly known as sensitive personal data. The concept has been expanded to expressly include the processing of genetic data and biometric data. The processing of these data are subject to a much more restrictive regime.
A new concept of 'pseudonymisation' (Article 4) is defined as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Organisations which implement pseudonymisation techniques enjoy various benefits under GDPR.
1. If in any doubt, it is prudent to work on the assumption that data is personal data given the extremely wide definition of personal data in GDPR.
2. GDPR imposes such a high bar for compliance, with sanctions to match, that often the most effective approach to minimise exposure is not to process personal data in the first place and to securely wipe legacy personal data or render it fully anonymous, reducing the amount of data subject to the requirements of GDPR.
3. Where a degree of identification is required for a specific purpose, the next best option is only to collect and use pseudonymous data. Although this falls within the regulated perimeter, it enjoys a number of benefits for organisations in particular that in the event of a data breach it is much less likely that pseudonymous data will cause harm to the affected individuals, thereby also reducing the risk of sanctions and claims for the relevant organisation.
4. Organisations should only use identifiable personal data as a last resort where anonymous or pseudonymous data is not sufficient for the specific purpose.
D. Suppliers (Processors) Caught Too
GDPR directly regulates data processors for the first time. The current Directive generally regulates controllers (ie those responsible for determining the purposes and means of the processing of personal data) rather than 'data processors' - organisations who may be engaged by a controller to process personal data on their behalf (eg as an agent or supplier).
Under GDPR, processors will be required to comply with a number of specific obligations, including to maintain adequate documentation (Article 30), implement appropriate security standards (Article 32), carry out routine data protection impact assessments (Article 32), appoint a data protection officer (Article 37), comply with rules on international data transfers (Chapter V) and cooperate with national supervisory authorities (Article 31). These are in addition to the requirement for controllers to ensure that when appointing a processor, a written data processing agreement is put in place meeting the requirements of GDPR (Article 28). Again, these requirements have been enhanced and gold-plated compared to the equivalent requirements in the Directive.
Processors will be directly liable to sanctions (Article 83) if they fail to meet these criteria and may also face private claims by individuals for compensation (Article 79).
1. GDPR completely changes the risk profile for suppliers processing personal data on behalf of their customers. Suppliers now face the threat of revenue based fines and private claims by individuals for failing to comply with GDPR. Telling an investigating supervisory authority that you are just a processor won’t work; they can fine you too. Suppliers need to take responsibility for compliance and assess their own compliance with GDPR. In many cases this will require the review and overhaul of current contracting arrangements to ensure better compliance. The increased compliance burden and risk will require a careful review of business cases.
2. Suppliers will need to decide for each type of processing undertaken whether they are acting solely as a processor or if their processing crosses the line and renders them a data controller or joint controller, attracting the full burden of GDPR.
3. Customers (as controllers) face similar challenges. Supply chains will need to be reviewed and assessed to determine current compliance with GDPR. Privacy impact assessments will need to be carried out. Supervisory authorities may need to be consulted. In many cases contracts are likely to need to be overhauled to meet the new requirements of GDPR. These negotiations will not be straightforward given the increased risk and compliance burden for suppliers. They will also be time consuming and it would be sensible to start the renegotiation exercise sooner rather than later, particularly as suppliers are likely to take a more inflexible view over time as standard positions are developed.
4. There are opportunities for suppliers to offer GDPR “compliance as a service” solutions, such as secure cloud solutions, though customers will need to review these carefully to ensure they dovetail to their own compliance strategy.
E. Data Protection Principles
The core themes of the data protection principles in GDPR remain largely as they were in the Directive, though there has been a significant raising of the bar for lawful processing (see Higher Bar for Lawful Processing) and a new principle of accountability has been added.
Personal data must be (Article 5):
- Processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle")
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle")
- Adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle")
- Accurate and where necessary kept up to date (the "accuracy principle")
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle")
- Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle")
The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle").
1. Controllers will need to assess and ensure compliance of data collection and use across their organisations with each of the above principles as any failure to do so attracts the maximum category of fines of up to 20 million Euros / 4% of worldwide annual turnovers. Data mapping, gap analysis and remediation action plans will need to be undertaken and implemented.
2. The enhanced focus on accountability will require a great deal more papering of process flows, privacy controls and decisions made to allow controllers to be able to demonstrate compliance. See Accountability and Governance
F. Higher Bar for Lawful Processing
The lawfulness, fairness and transparency principle amongst other things requires processing to fall within one or more of the permitted legal justifications for processing. Where special categories of personal data are concerned, additional much more restrictive legal justifications must also be met.
Although this structure is present in the Directive, the changes introduced by GDPR will make it much harder for organisations to fall within the legal justifications for processing. Failure to comply with this principle is subject to the very highest fines of up to 20 million Euros or in the case of an undertaking up to 4% of annual worldwide turnover, whichever is the greater.
- The bar for valid consents has been raised much higher under GDPR. Consents must be fully unbundled from other terms and conditions and will not be valid unless freely given, specific, informed and unambiguous (Articles 4(11) and 6(1)(a)). Consent also attracts additional baggage for controllers in the form of extra rights for data subjects (the right to be forgotten and the right to data portability) relative to some of the other legal justifications. Consent must be as easy to withdraw consent as it is to give – data subjects have the right to withdraw consent at any time – and unless the controller has another legal justification for processing any processing based on consent alone would need to cease once consent is withdrawn.
- To compound the challenge for controllers, in addition to a hardening of the requirements for valid consent, GDPR has also narrowed the legal justification allowing data controllers to process in their legitimate interests. This justification also appears in the Directive though the interpretation of the concept in the current regime has varied significantly among the different Member States with some such as the UK and Ireland taking a very broad view of the justification and others such as Germany taking a much more restrictive interpretation. GDPR has followed a more Germanic approach, narrowing the circumstances in which processing will be considered to be necessary for the purposes of the legitimate interests of the controller or a third party. In particular, the ground can no longer be relied upon by public authorities. Where it is relied upon, controllers will need to specify what the legitimate interests are in information notices and will need to consider and document why they consider that their legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subjects, in particular where children’s data is concerned.
The good news is that the justification allowing processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject to enter into a contract is preserved in GDPR, though continues to be narrowly drafted. Processing which is not necessary to the performance of a contract will not be covered. The less good news for controllers relying on this justification is that it comes with additional burdens under GDPR, including the right to data portability and the right to be forgotten (unless the controller is able to rely on another justification).
Other justifications include where processing is necessary for compliance with a legal obligation; where processing is necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent; where processing is necessary for performance of a task carried out in the public interest in the exercise of official authority vested in the controller. These broadly mirror justifications in the current Directive.
Processing for new purposes
It is often the case that organisations will want to process data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data was first collected. This is potentially in conflict with the core principle of purpose limitation and to ensure that the rights of data subjects are protected, GDPR sets out a series of considerations that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:
- any link between the original purpose and the new purpose
- the context in which the data have been collected
- the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
- the possible consequences of the new processing for the data subjects
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.
If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are a fresh consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).
Processing of special categories of personal data
As is the case in the Directive, GDPR sets a higher bar to justify the processing of special categories of personal data. These are defined to include "data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation." (Article 9(1)) Processing of these data are prohibited unless one or more specified grounds are met which are broadly similar to the grounds set out in the Directive.
Processing of special categories of personal data is only permitted (Article 9(2)):
- with the explicit consent of the data subject
- where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement
- where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent
- in limited circumstances by certain not-for-profit bodies
- where processing relates to the personal data which are manifestly made public by the data subject
- where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity
- where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards
- where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services
- where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices
- where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)
The justifications and conditions for processing special categories of data is one area where Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.
Processing of personal data relating to criminal convictions and offences
GDPR largely mirrors the requirements of the Directive in relation to criminal conviction and offences data. This data may only be processed under official authority or when authorized by Union or Member State law (Article 10) which means this is another area where legal requirements and practice is likely to diverge among the different Member States.
1. Controllers will need to ensure that they have one or more legal justifications to process personal data for each purpose. Practically this will require comprehensive data mapping to ensure that all personal data within the extended enterprise (ie including data processed by third parties as well as data within the organisation) has a legal justification to be processed.
2. Consideration will need to be given as to which are the most appropriate justifications for different purposes and personal data, given that some justifications attract additional regulatory burdens.
3. The common practice of justifying processing with generic consents will need to cease when GDPR comes into force. Consent comes with many additional requirements under GDPR and as such is likely to be a justification of last resort where no other justifications are available.
4. Where controllers propose to process legacy data for new purposes, they will need to be able to demonstrate compliance with the purpose limitation principle. To do that, controllers should document decisions made concerning new processing, taking into account the criteria set out in GDPR and bearing in mind that technical measures such as encryption or psuedonymisation of data will generally make it easier to prove that new purposes are compatible with the purposes for which personal data were originally collected.
International transfers and particularly those to the US have regularly made front page headline news over the last 12 months with the successful torpedoing of the EU/US Safe Harbor regime by Europe's highest court. Organisations will be relieved to hear that for the most part GDPR will not make any material changes to the current rules for transfers of personal data cross-border, largely reflecting the regime under the Directive. That said, in contrast to the current regime where sanctions for breaching transfer restrictions are limited, failure to comply with GDPR's transfer requirements attract the highest category of fines of up to 20 million Euros or in the case of undertakings up to 4% of annual worldwide turnover.
Transfers of personal data to third countries outside the EU are only permitted where the conditions laid down in GDPR are met. (Article 44)
Transfers to third countries, territories or specified sectors or an international organisation which the Commission has decided ensures an adequate level of protection do not require any specific authorisation. (Article 45(1)) The adequacy decisions made under the current Directive shall remain in force under GDPR until amended or repealed (Article 45(9)); so for the time being transfers to any of the following countries are permitted: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faero Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguary and New Zealand.
The well-publicised gap for transfers from the EU to US following the ruling that Safe Harbor is invalid will, it is hoped, be filled with the new EU/US Privacy Shield.
Transfers are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards include amongst other things binding corporate rules which now enjoy their own Article 47 under GDPR and standard contractual clauses. Again, decisions on adequacy made under the Directive will generally be valid under GDPR until amended, replaced or repealed.
Two new mechanics are introduced by GDPR to justify international transfers (Article 46(2)(e) and (f)): controllers or processors may also rely on an approved code of conduct pursuant to Article 40 or an approved certification mechanism pursuant to Article 42 together in each case with binding and enforceable commitments in the third country to apply these safeguards including as regards data subjects' rights. GDPR also removes the need to notify and in some Member States seek prior approval of model clauses from supervisory authorities.
GDPR includes a list of derogations similar to those included in the Directive permitting transfers where:
(a) explicit informed consent has been obtained
(b) the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person
(d) the transfer is necessary for important reasons of public interest
(e) the transfer is necessary for the establishment, exercise or defence of legal claims
(f) the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained
(g) the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanic is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48)are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; otherwise transfer in response to such requests where there is no other legal basis for transfer will breach GDPR's restrictions.
1. Given the continued focus of the media and regulators on international transfer and the increased sanctions to be introduced by GDPR, all controllers and processors will need to carefully diligence current data flows to establish what types of data is being shared with which organisations in which jurisdictions.
2. Current transfer mechanics will need to be reviewed to assess compliance with GDPR and, where necessary, remedial steps implemented before GDPR comes into force.
3. For intra-group transfers, consider binding corporate rules which not only provide a good basis for transfers but also help demonstrate broader compliance with GDPR helping to comply with the principle of accountability.
H. Data Breach Notification
One of the most profound changes to be introduced by GDPR is a European wide requirement to notify data breaches to supervisory authorities and affected individuals.
In the US, data breach notification laws are now in force in 47 States and the hefty penalties for failing to notify have fundamentally changed the way US organisations investigate and respond to data incidents. Not notifying has become a high risk option.
In contrast, Europe currently has no universally applicable law requiring notification of breaches. In the majority of Member States there is either no general obligation to notify or minimal sanctions for failing to do so; for many organisations not notifying and thereby avoiding the often damaging media fall-out is still common practice in Europe. That is set to change fundamentally when GDPR comes into force.
GDPR requires "the controller without undue delay, and where feasible, not later than 72 hours after having become aware of it, [to] notify the … breach to the supervisory authority" (Article 33(1)). When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals the controller is also required to notify the affected individuals "without undue delay" (Article 34). Processors are required to notify the controller without undue delay having become aware of the breach (Article 33(2)).
The notification to the regulator must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organisation’s DPO or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).
Although the obligation to notify is conditional on awareness, burying your head in the sand is not an option as controllers are required to implement appropriate technical and organisational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing (Article 32). Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits by the supervisory authority.
Failing to comply with the articles relating to security and data breach notification attract fines of up to 10 million Euros or 2% of annual worldwide turnover, potentially for both the controller and the processor. As data breach often leads to investigations by supervisory authorities and often uncovers other areas of non-compliance, it is quite possible that fines of up to 20 million Euros or 4% of annual worldwide turnover will also be triggered.
1. Notification will become the norm: Sweeping breaches under the carpet will become a very high risk option under GDPR. Organisations that are found to have deliberately not notified can expect the highest fines and lasting damage to corporate and individual reputations. Notifying and building data breach infrastructure to enable prompt, compliant notification will be a necessity under GDPR.
2. A coordinated approach, including technology, breach response policy and training and wider staff training. Data breaches are increasingly a business as usual event. Lost or stolen devices; emails sent to incorrect addresses in error and the continuing rise of cybercrime means that for many organisations, data breaches are a daily occurrence. To deal with the volume of breaches, organisation's need a combination of technology, breach response procedures and staff training.
a. Technology requirements: these will vary for each organisation but will typically include a combination of firewalls, log recording, data loss prevention, malware detection and similar applications. There are an increasingly sophisticated array of applications that learn what “normal” looks like for a particular corporate network to be able to spot unusual events more effectively. The state of the art continues to change rapidly as organisations try to keep pace with sophisticated hackers. Regular privacy impact assessments and upgrades of technology will be required.
b. Breach response procedures: to gain the greatest protection from technology, investment is required in dealing with red flags when they are raised by internal detection systems or notified from external sources. Effective breach response requires a combination of skill sets including IT, PR and legal. Develop a plan and test it; regularly.
c. Staff training: the weak link in security is frequently people rather than technology. Regular staff training is essential to raise awareness of the importance of good security practices, current threats and who to call if a breach is suspected. It is also important to avoid a blame culture that may deter staff from reporting breaches.
3. Consider privilege and confidentiality as part of your plan. Make sure that forensic reports are protected by privilege wherever possible to avoid compounding the losses arising from a breach. Avoid the temptation to fire off emails when a breach is suspected; pick up the phone. Don’t speculate on what might have happened; stick to the facts. Bear in mind that you may be dealing with insider threat – such as a rogue employee – so keep any investigation on a strictly need to know basis and always consider using external investigators if there is any possibility of an inside attack.
4. Appoint your external advisors today if you haven’t done so already. When a major incident occurs, precious time can be wasted identifying and then retaining external support teams when you are up against a 72 hour notification deadline. Lawyers, forensics and PR advisors should ideally be contracted well before they are needed for a live incident. Find out more about DLA Piper's breach response credentials and team.
5. Insurance: many insurers are now offering cyber insurance. However, there is a lack of standardisation in coverage offered. Limits are often too small for the likely exposure. Conditions are often inappropriate such as a requirement for the insured to have fully complied with all applicable laws and its own internal policies which will rarely be the case. That said, it is usually possible to negotiate better coverage with carriers in what continues to be a soft insurance market. Now is a good time to check the terms of policies and work with your legal team and brokers to ensure that you have the best possible coverage. You should clarify with brokers and underwriters what amounts to a notifiable incident to insurers under your policies as again there is no common standard and failing to notify when required may invalidate cover. You should also ensure that your insurance policies will cover the costs of your preferred external advisors as many policies will only cover advice from panel advisors.
6. Develop standard notification procedures: Perhaps the greatest challenge facing organisations and regulators is the sheer volume of data breach and the lack of standards or guidance as to how breaches should be notified and at what point they become notifiable. In the absence of guidance organisation's will need to make an informed decision as to how to develop internal operations for the detection, categorisation, investigation, containment and reporting of data breaches. Similarly, supervisory authorities will need to develop standard approaches and standard categorisations of incidents to ensure that limited resources are focussed on the most serious incidents first.
I. More RIghts for Individuals
GDPR builds on the rights enjoyed by individuals under the current Directive, enhancing existing rights and introducing a new right to data portability. These rights are backed up with provisions making it easier to claim damages for compensation and for consumer groups to enforce rights on behalf of consumers.
One of the core building blocks of GDPR’s enhanced rights for individuals is the requirement for greater transparency. Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).
The following information must be provided (Article 13) at the time the data is obtained:
- the identity and contact details of the controller
- the Data Protection Officer's contact details (if there is one)
- both the purpose for which data will be processed and the legal basis for processing including if relevant the legitimate interests for processing
- the recipients or categories of recipients of the personal data
- details of international transfers
- the period for which personal data will be stored or, if that is not possible, the criteria used to determine this
- the existence of rights of the data subject including the right to access, rectify, require erasure (the “right to be forgotten”), restrict processing, object to processing and data portability; where applicable the right to withdraw consent, and the right to complain to supervisory authorities
- the consequences of failing to provide data necessary to enter into a contract
- the existence of any automated decision making and profiling and the consequences for the data subject.
- In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.
Slightly different transparency requirements apply (Article 14) where information have not been obtained from the data subject.
Subject access rights (Article 15)
These broadly follow the existing regime set out in the Directive though some additional information must be disclosed and there is no longer a right for controllers to charge a fee, with some narrow exceptions. Information requested by data subjects must be provided within one month as a default with a limited right for the controller to extend this period for up to three months.
Right to rectify (Article 16)
Data subjects continue to enjoy a right to require inaccurate or incomplete personal data to be corrected or completed without undue delay.
Right to erasure ('right to be forgotten')(Article 17)
This forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.
The right to be forgotten now has its own Article in GDPR. However, the right is not absolute; it only arises in quite a narrow set of circumstances notably where the controller has no legal ground for processing the information. As demonstrated in the Google Spain decision itself, requiring a search engine to remove search results does not mean the underlying content controlled by third party websites will necessarily be removed. In many cases the controllers of those third party websites may have entirely legitimate grounds to continue to process that information, albeit that the information is less likely to be found if links are removed from search engine results.
The practical impact of this decision has been a huge number of requests made to search engines for search results to be removed raising concerns that the right is being used to remove information that it is in the public interest to be accessible.
Right to restriction of processing (Article 18)
Data subjects enjoys a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data is no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller and whether these override those of the data subject are contested.
Right to data portability (Article 20)
This is an entirely new right in GDPR and has no equivalent in the current Directive. Where the processing of personal data is justified either on the basis that the data subject has given their consent to processing or where processing is necessary for the performance of a contract, or where the processing is carried out be automated means, then the data subject has the right to receive or have transmitted to another controller all personal data concerning them in a structured, commonly used and machine-readable format.
The right is a good example of the regulatory downsides of relying on consent or performance of a contract to justify processing – they come with various baggage under GDPR relative to other justifications for processing.
Where the right is likely to arise controllers will need to develop procedures to facilitate the collection and transfer of personal data when requested to do so by data subjects.
Right to object (Article 21)
The Directive's right to object to the processing of personal data for direct marketing purposes at any time is retained.
In addition, data subjects have the right to object to processing which is legitimized on the grounds either of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject or that the processing is for the establishment, exercise or defence of legal claims.
The right not to be subject to automated decision taking, including profiling (Article 22)
This right expands the existing Directive right not to be subject to automated decision making. GDPR expressly refers to profiling as an example of automated decision making. Automated decision making and profiling "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" are only permitted where
(a) necessary for entering into or performing a contract
(b) authorized by EU or Member State law, or
(c) the data subject has given their explicit (ie opt-in) consent.
The scope of this right is potentially extremely broad and may throw into question legitimate profiling for example to detect fraud and cybercrime. It also presents challenges for the online advertising industry and website operators who will need to revisit consenting mechanics to justify online profiling for behavioral advertising. This is an area where further guidance is needed on how Article 22 will be applied to specific types of profiling.
1. Controllers will need to review and update current fair collection notices to ensure compliance with the expanded information requirements. Much more granular notices will be required using plain and concise language.
2. Consideration should be given to which legal justifications for processing are most appropriate for different purposes, given that some such as consent and processing for performance of a contract come with additional regulatory burden in the form of enhanced rights for individuals.
3. For some controllers with extensive personal data held on consumers, it is likely that significant investment in customer preference centers will be required on the one hand to address enhanced transparency and choice requirements and on the other hand to automate compliance with data subject rights.
4. Existing data subject access procedures should be reviewed to ensure compliance with the additional requirements of GDPR.
5. Policies and procedures will need to be written and tested to ensure that controllers are able to comply with data subjects’ rights within the time limits set by GDPR. In some cases, such as where data portability engages, significant investments may be required.
J. Data Protection Officers
GDPR introduces a significant new governance burden for those organisations which are caught by the new requirement to appoint a DPO. Although this is already a requirement for most controllers in Germany under current data protection laws, it is an entirely new requirement (and cost) for many organisations.
The following organisations must appoint a data protection officer (DPO) (Article 37):
- public authorities
- controllers or processors whose core activities consist of processing operations which by virtue of their nature, scope or purposes require regular and systemic monitoring of data subjects on a large scale
- controllers or processors whose core activities consist of processing sensitive personal data on a large scale.
DPOs must have "expert knowledge" (Article 37(5)) of data protection law and practices though perhaps in recognition of the current shortage of experienced data protection professionals, it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved "properly and in a timely manner in all issues which relate to the protection of personal data." (Article 38(1)) The role is therefore a sizeable responsibility for larger controllers and processors.
The DPO must directly report to the highest management level, must not be told what to do in the exercise of their tasks and must not be dismissed or penalized for performing their tasks. (Article 38(3))
The specific tasks of the DPO are set out in GDPR including (Article 39):
- to inform and advise on compliance with GDPR and other Union and Member State data protection laws
- to monitor compliance with law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
- to advise and monitor data protection impact assessments
- to cooperate and act as point of contact with the supervisory authority
1. Organisations will need to assess whether or not they fall within one or more of the categories where a DPO is mandated. Public authorities will be caught (with some narrow exceptions) as will many social media, search and other tech firms who monitor online consumer behavior to serve targeting advertising. Many b2c businesses which regularly monitor online activity of their customers and website visitors will also be caught.
2. There is currently a shortage of expert data protection officers as outside of Germany this is a new requirement for most organisations. Organisations will therefore need to decide whether to appoint an internal DPO with a view to training them up over the next couple of years or use one of the external DPO service providers several of which have been established to fill this gap in the market. Organisations might consider a combination of internal and external DPO resources as given the size of the task it may not be realistic for just one person to do it.
K. Accountability and Governance
Accountability is a recurring theme of GDPR. Data governance is no longer just a case of doing the right thing; organisations need to be able to prove that they have done the right thing to regulators, to data subjects and potentially to shareholders and the media often years after a decision was taken.
GDPR requires each controller to demonstrate compliance with the data protection principles (Article 5(2)). This general principle manifests itself in specific enhanced governance obligations which include:
- Keeping a detailed record of processing operations (Article 30)
The requirement in current data protection laws to notify the national data protection authority about data processing operations is abolished and replaced by a more general obligation on the controller to keep extensive internal records of their data protection activities. The level of detail required is far more granular compared to many existing Member State notification requirements. There is some relief granted to organisations employing fewer than 250 people though the exemption is very narrowly drafted.
- Performing data protection impact assessment for high risk processing (Article 35)
A data protection impact assessment will become a mandatory pre-requisite before processing personal data for processing which is likely to result in a high risk to the rights and freedoms of individuals. Specific examples are set out of high risk processing requiring impact assessments including: automated processing including profiling that produce legal effects or similarly significantly affect individuals; processing of sensitive personal data; and systematic monitoring of publicly accessible areas on a large scale. DPOs, where in place, have to be consulted. Where the impact assessment indicates high risks in the absence of measures to be taken by the controller to mitigate the risk, the supervisory authority must also be consulted (Article 36) and may second guess the measures proposed by the controller and has the power to require the controller to impose different or additional measures (Article 58).
- Designating a data protection officer (Article 37) See Data Protection Officers
- Notifying and keeping a comprehensive record of data breaches (Articles 33 and 34) See Data Breach Notification
- Implementing data protection by design and by default (Article 25)
GDPR introduces the concepts of "data protection by design and by default". "Data protection by design" requires taking data protection risks into account throughout the process of designing a new process, product or service, rather than treating it as an afterthought. This means assessing carefully and implementing appropriate technical and organisational measures and procedures from the outset to ensure that processing complies with GDPR and protects the rights of the data subjects.
"Data protection by default" requires ensuring mechanisms are in place within the organisation to ensure that, by default, only personal data which are necessary for each specific purpose are processed. This obligation includes ensuring that only the minimum amount of personal data is collected and proessed for a specific purpose; the extent of processing is limited to that necessary for each purpose; the data is stored no longer than necessary and access is restricted to that necessary for each purpose.
1. Data mapping: every controller and processor will need to carry out an extensive data audit across the organization and supply chains, record this information in accordance with the requirements of Article 30 and have governance in place to ensure that the information is kept up-to-date. The data mapping exercise will also be crucial to be able to determine compliance with GDPR’s other obligations so this exercise should be commenced as soon as possible.
2. Gap analysis: Once the data mapping exercise is complete, each organization will need to assess its current level of compliance with the requirements of GDPR. Gaps will need to be identified and remedial actions prioritized and implemented.
3. Governance and policy for data protection impact assessments: the data mapping exercise should identify high risk processing. Data protection impact assessments will need to be completed and documented for each of these (frequently these will include third party suppliers) and any remedial actions identified implemented. Supervisory authorities may need to be consulted. A procedure will need to be put in place to standardize future data protection impact assessments and to keep existing impact assessments regularly updated where there is a change in the risk of processing.
4. Data protection by design and by default: in part these obligations will be addressed through implementing remedial steps identified by the gap analysis and in data protection impact assessments. However, to ensure that data protection by design and by default is delivered, extensive staff and supplier engagement and training will also be required to raise awareness of the importance of data protection and to change behaviors.
European data protection laws today are in many cases substantively very different among Member States. This is partly due to the ambiguities in the Directive being interpreted and implemented differently, and partly due to the Directive permitting Member States to implement different or additional rules in some areas. As GDPR will become law without the need for any secondary implementing laws, there will be a greater degree of harmonisation relative to the current regime. However, GDPR preserves the right for Member States to introduce different laws in many important areas and as a result we are likely to continue to see a patchwork of different data protection laws among Member States, for certain types of processing.
Each Member State is permitted to restrict the rights of individuals and transparency obligations (Article 23) by legislation when the restriction "respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society" to safeguard one of the following:
(a) national security
(c) public security
(d) the prevention, investigation, detection or prosecution of breaches of ethics for regulated professions, or crime, or the execution of criminal penalties
(e) other important objectives of general public interest of the EU or a Member State, in particular economic or financial interests
(f) the protection of judicial independence and judicial proceedings
(g) a monitoring, inspection or regulatory function connected with national security, defence, public security, crime prevention, other public interest or breach of ethics
(h) the protection of the data subject or the rights and freedoms of others
(i) the enforcement of civil law claims
To be a valid restriction for the purposes of GDPR, any legislative restriction must contain specific provisions setting out:
(a) the purposes of processing
(b) the categories of personal data
(c) the scope of the restrictions
(d) the safeguards to prevent abuse or unlawful access or transfer
(e) the controllers who may rely on the restriction
(f) the permitted retention periods
(g) the risks to the rights and freedoms of data subjects
(h) the right of data subjects to be informed about the restriction, unless prejudicial to the purpose of the restriction
In addition to these permitted restrictions, Chapter IX of GDPR sets out various specific processing activities which include additional derogations, exemptions and powers for Member States to impose additional requirements. These include:
- Processing and freedom of expression and information (Article 85)
- Processing and public access to official documents (Article 86)
- Processing of national identification numbers (Article 87)
- Processing in the context of employment (Article 88)
- Safeguards and derogations to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89)
- Obligations of secrecy (Article 90)
- Existing data protection rules of churches and religious associations (Article 91)
These special cases also appear in the Directive, though in some cases have been amended or varied in GDPR.
1. Controllers and processors will first need to determine which Member States' laws apply to their processing activities and whether processing will be undertaken within any specific processing activities which may be subject to additional restrictions.
2. These Member State laws will then need to be checked to determine what additional requirements engage. Changes in law will need to be monitored and any implications for processing activities addressed.
3. Derogations will pose a challenge to multi-national organisations seeking to implement standard European-wide solutions to address compliance with GDPR; these will need to be sufficiently flexible to allow for exceptions where different rules engage in one or more Member State.
M. Cross-Border Enforcement
The ideal of a one-stop-shop ensuring that controllers present in multiple Member States would only have to answer to their lead home regulator failed to make it into the final draft. GDPR includes a complex, bureaucratic procedure allowing multiple 'concerned' authorities to input into the decision making process.
The starting point for enforcement of GDPR is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority". (Article 56(1))
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities and there are powers for a supervisory authorities in another Member State to enforce where infringements occur on its territory or substantially affects data subjects only in its territory. (Article 56(2))
In situations where multiple supervisory authorities are involved in an investigation or enforcement process there is a cooperation procedure (Article 60) involving a lengthy decision making process and a right to refer to the consistency mechanism (Articles 63 - 65) if a decision cannot be reached, ultimately with the European Data Protection Board having the power to take a binding decision.
There is an urgency procedure (Article 66) for exceptional circumstances which permits a supervisory authority to adopt provisional measures on an interim basis where necessary to protect the rights and freedoms of data subjects.
1. Controllers and processors will need to determine which Member States' supervisory authorities have jurisdiction over their processing activities; which is the lead authority and which other supervisory authorities may have jurisdiction.
2. An important aspect of managing compliance risk is to try to stay on the right side of your regulator by engaging positively with any guidance published and taking up opportunities such as training and attending seminars.
Prof. Patrick Van Eecke
T +32 2 500 1630