As most will be at least vaguely aware, Europe is expecting… the arrival into force of the EU General Data Protection Regulation – the GDPR – is now only 9 months away. This significant overhaul and enhancement of European data protection legislation is the brain-child of the EU Commission, Parliament, and Council. It has also most likely been sired by Germany, with many of the new rules regarding data subject rights to access, deletion, and portability heavily influenced by German legal thinking in this area. As Dr. Sebastian Golla has pointed out, the German Constitutional Court has stated in its decisions that the basic right to informational self-determination (Informationelle Selbstbestimmung) is the basis of German Data Protection Law.
However, despite the GDPR becoming enforceable from 25 May 2018 after a two-year transition period, a number of businesses and organisations which will be impacted still seem to be either unaware of the magnitude of this regulatory change, or otherwise unable to sufficiently prepare for it. The Financial Times recently quoted Vanessa Leemans, cyber chief operating officer at insurance broker Aon, that “[m]any companies are woefully unprepared for the significant changes to how we see personal data that the regulation will bring”. In particular, given the significant powers to levy fines which are being given to national regulators, the financial implications for non-compliance and data breaches may be quite the headache for the unprepared. As the FT points out:
Tim Richards, principal consultant at Consult Hyperion, said that not only were financial penalties for a data breach substantial, but that executives could also face criminal penalties if deemed responsible.
“Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European Tier 1 banks in the last decade, with some banks as multiple offenders,” he said.
Assuming European financial institutions’ data were breached 384 times over the three-year period, and were fined at the lower end of the GDPR scale at €260m per breach, penalties would total €4.7bn, he said.
German Green MEP Jan Philipp Albrecht posted, back in 2015, a short video which helpfully explains the basics of the GDPR, aimed at citizens and users:
HPE Software also posted a video this year about the road to GDPR compliance, aimed more at giving a quick overview to businesses as to what implications the looming changes might have for them:
There is a heavy focus in the GDPR on protecting users from privacy and data breaches and giving them more control over what is done with their personal data, particularly through changes to the consent model. Some of the key changes include:
The GDPR applies to all companies processing the personal data of users or ‘data subjects’ residing in the EU, regardless of where the company itself is located, and regardless of whether the processing takes place in the EU or not. This was less than clear under the old/current system, and led to creative interpretation, the use of loopholes, and much litigation, especially for data-driven tech companies.
Enforcement and Penalties
One of the key concerns for data processors or controllers is, or at least should be, the new fines of up to 4% of annual global turnover or €20 Million (whichever is greater) for breaches of the GDPR. Such a fine can be imposed for serious infringements such as not obtaining sufficient consent, or failing to implement privacy by design. As these fines apply to both controllers and processors, companies providing services such as cloud services won’t be able to escape the wrath of the regulators.
The requirements regarding the obtaining of consent are more onerous under the GDPR, with companies no longer being able to hide behind legalese-heavy, user-unfriendly terms and privacy policies. A request for consent must now be in an intelligible and easily accessible form, including the purpose for which the data will be processed. It will also have to be as easy for the user to withdraw consent as to give it.
Notification of Breaches
Under Articles 33 and 34 of the GDPR, it will become mandatory to inform both the supervisory authority and the data subject of any personal data breach, in all member states where the breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done without undue delay and (regarding informing supervisory authorities), where feasible, not later than 72 hours after having become aware of it.
Privacy by Design
Privacy by design is a core concept of European data protection, and is put on a statutory footing by the GDPR. Article 25 requires privacy by design and by default, at the stage of designing systems, and technical measures for collecting, processing, and controlling data. In particular “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.
Data Protection Officers
Chapter 4, Section 4 deals with data protection officers (DPOs), an appointment which will be mandatory for certain data controllers and processors, such as public authorities and those whose core activities involve large-scale systematic monitoring of data subjects, or special categories of data. The DPO must be a staff member or external service provider, and shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. They must be provided with appropriate resources to carry out their tasks, report directly to the highest level of management, and not carry out any other tasks that could result in a conflict of interest.
Data Subject Rights
Of particular interest to both users and data processors or controllers will be Chapter 3, which covers Articles 12 to 23, dealing with the rights of the data subject, including rights of access, rectification, erasure, objection, and a right to data portability.
Right to Access
Data subjects will have a right to know whether or not personal data concerning them is being processed, where, and for what purpose(s), in particular under Article 15. This change tilts the balance of power and control much more in the direction of the user and away from the data processor/controller. Furthermore, the data controller must also provide a copy of the personal data, free of charge, in an electronic format to the data subject, if requested.
Rights to Rectification, Erasure, and Restriction
The right to erasure is the codified cousin of the right to be forgotten, and entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and, in some cases, potentially to have third parties halt processing of the data. The right to rectification is found in Article 16, and the right to erasure/right to be forgotten in Article 17. For erasure, the data must no longer be relevant to the original purpose for processing, or the data subject must have withdrawn consent. Controllers must also balance the subject’s rights against the public interest in the availability of the data. A further right to restriction of processing is available under Article 18.
The GDPR also introduces, in Article 20, a right to data portability: essentially a right for a data subject to receive their personal data in a commonly used and machine-readable format, and the accompanying right to transmit that data to another controller. It is envisaged that this right in particular will increase competition and consumer choice in data-driven online services, allowing users to switch providers or platforms without having to ‘start over’.
The Right to Object
Article 21 provides data subjects with a right to object to processing of personal data in certain cases, including profiling, particularly aimed at direct marketing, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for certain scientific, historical, or statistical purposes, the data subject shall have the right to object, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Regarding the ‘right to be forgotten’, which I discussed previously in the wake of the Google Spain case, the EU have created a helpful guide to busting some of the myths which arose in the aftermath. The provisions of the GDPR build on the concepts developed in the Google Spain case, and will presumably lead to some contentious litigation of its own, as the wording of the provisions on data erasure is still loose enough to allow some arguments over its exact scope and application. The UK Information Commissioner’s Office (ICO) has also provided a handy overview of the right to erasure/right to be forgotten under the GDPR.
On another note, EUGDPR.org, in their FAQ section, have an interesting take on the implications of the GDPR for UK businesses, in light of the ongoing Brexit process:
In light of an uncertain ‘Brexit’ – I represent a data controller in the UK and want to know if I should still continue with GDPR planning and preparation?
If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated it will implement equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market. (Ref: http://www.lexology.com/library/detail.aspx?g=07a6d19f-19ae-4648-9f69-44ea289726a0)
Of particular relevance to Ireland will also be the implications for data protection regulators, as the long-suffering Irish Office of the Data Protection Commissioner will likely bear the brunt of a lot of the controversies arising out of enforcement of the GDPR, given the proliferation of tech companies based in Ireland. Out-Law covered in some detail back in 2015 the objections and concerns raised by Irish and UK ministers about the exact functioning of the ‘one-stop-shop’ approach to regulation, arguing that the framework is cumbersome, may lead to bureaucracy, and would be bad for both businesses and consumers.
A number of sites have helpfully gone into detail on the more controversial aspects of the GDPR, focusing on the areas of disagreement between the texts proposed by the Commission, Parliament, and Council during the drafting process: EUGDPR.org focused on the issues of data portability, one-stop-shop regulation, and the designation of data protection officers (DPOs); Mayer Brown, a global legal services provider, gave an overview of some of the differences between the three draft versions in November 2015; and the European Data Protection Supervisor (EDPS – an independent supervisory authority at the EU level) also published its own opinion on the proposals for the GDPR, a four-column document comparing each paragraph of each draft line by line. These perspectives and others give a more detailed, though still concise enough, analysis of the key issues which might be found most controversial about the GDPR.
In any event, it will be interesting to see how both data processors and controllers, as well as national regulators, particularly in Ireland, rise to the challenge of preparing for this new arrival 9 months down the line. Whilst the GDPR may be a welcome bundle of joy for most users, the magnitude of the responsibility and work that is required may result in some sleepless nights for those who don’t prepare their organisations sufficiently for 25th May 2018.
Elizabeth Denham, “Transparency, trust and progressive data protection”, Speech (ICO, 29 September 2016)
Sebastian Golla, “Is Data Protection Law Growing Teeth? The Current Lack of Sanctions in Data Protection Law and Administrative Fines under the GDPR”, JIPITEC, Vol. 8 (2017)
Sarah Gordon, “Businesses failing to prepare for EU rules on data protection”, Financial Times (June 2017)
Oliver Yaros, “UK: The General Data Protection Regulation: The Status Of The Negotiations To Implement A New Data Protection Law Throughout Europe”, Mondaq (November 2015)
“Bureaucracy will prevail in ‘one stop shop’ data protection regime, UK and Ireland warn”, Out-Law (March 2015)