What you need to know
EXPANDED TERRITORIAL REACH
The GDPR catches data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behaviour of, EU data subjects (within the EU). Many will need to appoint a representative in the EU.
The Recitals provide some helpful guidance. “Offering goods or services” is more than mere access to a website or email address, but might be evidenced by use of a language or currency generally used in one or more Member States with the possibility of ordering goods/services there, and/or mentioning customers or users who are in the EU. “Monitoring of behaviour” will occur, for example, where individuals are tracked on the internet by techniques which apply a profile to enable decisions to be made or to predict personal preferences, etc. This means in practice that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR. This is not the case currently.
DATA PROTECTION OFFICERS
In certain circumstances data controllers and processors must designate a Data Protection Officer (the DPO) as part of their accountability programme. The threshold is met where:
- processing is carried out by a public authority,
- the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, or
- the core activities consist of processing on a large scale of special categories of data.
The DPO will need sufficient expert knowledge. This will depend on the processing activities for which the officer will be responsible.
The DPO may be employed or under a service contract. A group of undertakings may appoint a single DPO (conditional on accessibility by all), as may certain groups of public authorities. The WP29 guidance issued in April 2017 clarifies various things, including that in principle the DPO should be located in the EU and should report directly to the highest management level.
ACCOUNTABILITY AND PRIVACY BY DESIGN
The GDPR places onerous accountability obligations on data controllers to demonstrate compliance. This includes requiring them to:
- maintain certain documentation,
- conduct a data protection impact assessment for more risky processing (DPAs may compile lists of what is caught), and
- implement data protection by design and by default, eg data minimisation.
ROLE OF DATA PROCESSORS
One of the key changes in the GDPR is that data processors have direct obligations for the first time. These include an obligation to:
- maintain a written record of processing activities carried out on behalf of each controller;
- designate a data protection officer where required;
- appoint a representative (when not established in the EU) in certain circumstances; and
- notify the controller on becoming aware of a personal data breach without undue delay.
The provisions on cross border transfers also apply to processors, and BCRs for processors are formally recognised. The new status of data processors will likely impact how data protection matters are addressed in supply and other commercial agreements.
CONSENT
Consent must be freely given, specific, informed and unambiguous. Requests for consent should be separate from other terms, and be in clear and plain language.
A data subject’s consent to processing of their personal data must be as easy to withdraw as to give. Consent must be “explicit” for sensitive data. The data controller is required to be able to demonstrate that consent was given. Existing consents may still work, but only provided they meet the new conditions.
There has been much debate around whether consent provides a valid legal ground for processing where there is a significant imbalance between the data subject and data controller. The GDPR states that in assessing whether consent has been freely given, account shall be taken, for example, of whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract. This may affect some e-commerce services, among others. In addition, Member States may provide more specific rules for use of consent in the employment context. The Recitals add that consent is not freely given if the data subject had no genuine and free choice or is unable to withdraw or refuse consent without detriment.
Where personal data is processed for direct marketing the data subject will have a right to object. This right will have to be explicitly brought to their attention.
Another topic of huge debate relates to parental consent being required for children to receive information society services. The compromise (that Member States can lower the age from 16 to 13) will result in a lack of harmonisation, with companies that operate across several Member States generally choosing to meet the highest standard. The Recitals provide, however, that parental consent is not required in the context of preventative or counselling services offered directly to a child.
FAIR PROCESSING NOTICES
Data controllers must continue to provide transparent information to data subjects. This must be done at the time the personal data is obtained. However, existing forms of fair processing notice will have to be re-examined as the requirements in the GDPR are much more detailed than those in the current Directive. For example, the information to be provided is more comprehensive and must inform the data subject of certain of their rights (such as the ability to withdraw consent) and the period for which the data will be stored.
Controllers will need to review their forms of fair processing notice with these new obligations in mind, and check that they are providing the information in a clear way and in an easily accessible format.
DATA BREACH NOTIFICATION
Data controllers must notify most data breaches to the DPA. This must be done without undue delay and, where feasible, within 72 hours of awareness. A reasoned justification must be provided if this timeframe is not met. In some cases, the data controller must also notify the affected data subjects without undue delay.
Expect guidance from the WP29 on data breach notification in the second half of 2017.
The text looks burdensome on both data controllers and DPAs. However, in some sectors, organisations already have an obligation to notify data breaches. Additionally, the UK ICO, for example, already expects to be informed about all “serious” breaches.
The text also contains a welcome threshold. Notification does not need to be made to the DPA if the breach is unlikely to result in a risk to the rights and freedoms of individuals. The threshold for notification to data subjects is that there is likely to be a “high risk” to their rights and freedoms. While this may lessen the impact, all companies will have to adopt internal procedures for handling data breaches in any case.
FINES
The GDPR establishes a tiered approach to penalties for breach which enables the DPAs to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and €20 million (eg breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent). Other specified infringements would attract a fine of up to the higher of 2% of annual worldwide turnover and €10 million. A list of points to consider when imposing fines (such as the nature, gravity and duration of the infringement) is included.
The percentage applies to an “undertaking” and a last minute clarification in the Recitals adds that this is as defined in Articles 101 and 102 of the TFEU. The increased fines are certainly attracting the attention of board level executives.
ONE-STOP-SHOP
The ‘One-Stop-Shop’ mechanism is one of the key elements of the GDPR. It was hoped that it would provide supervision by one lead authority to companies with a presence in more than one Member State. However, the mechanism is in fact more complicated than many had anticipated as it distinguishes between cross-border and domestic processing.
Where the ‘One-Stop-Shop’ mechanism does apply, there are complex cooperation and coordination procedures for DPAs. In order to enable individuals to have their cases dealt with locally, the GDPR contains a detailed regime with a Lead Authority and Concerned Authorities working together. It allows for local cases and urgent cases to be handled appropriately. The WP29 has provided guidance on how to identify a Lead Supervisory Authority. How the One-Stop-Shop will work in practice, and whether it can work in such a way that it does not encourage forum shopping, remains to be seen.
REMOVAL OF NOTIFICATION REQUIREMENT
A welcome change for data controllers is the removal of the general requirement to notify the DPA of a controller’s data processing activities and to seek approval from the DPA in some circumstances. The aim appears to be to alleviate the associated administrative and financial burden on data controllers but it will mean DPAs in some countries will need to replace this source of funding from elsewhere.
Instead of general notification, the policy is now to require data controllers to be accountable for their data processing. One example of this in the GDPR is the obligation on data controllers to put in place effective procedures and mechanisms focussing on higher risk operations (eg involving new technologies) and to carry out a data protection impact assessment to consider the likelihood and severity of the risk, particularly with large scale processing. The effort required, and the potential fines for getting it wrong, are likely to outweigh the benefit of the removal of the administrative burden of the general notification requirement. In addition, there is a new requirement to consult the DPA in advance where a data protection impact assessment indicates that the processing would result in a high risk if measures are not taken to mitigate that risk. If the DPA considers that the processing would breach the GDPR, it may provide written advice and use its enforcement powers where necessary. This obligation creates uncertainty for data controllers as they will have to assess the outcome of the impact assessment and decide whether to consult.
NEW EUROPEAN DATA PROTECTION BOARD
An independent EDPB is to replace the Article 29 Working Party and will comprise the EDP Supervisor and the senior representatives of the national DPAs. Its role includes issuing opinions and guidance, ensuring consistent application of the GDPR and reporting to the Commission. It will also have a key role in the One-Stop-Shop mechanism.
BINDING CORPORATE RULES
The GDPR expressly recognises BCRs for controllers and processors as a means of legitimising intra-group international data transfers. The BCRs must be legally binding and apply to and be enforced by every member of the group of undertakings/enterprises engaged in a joint economic activity, including their employees. BCRs must expressly confer enforceable rights on data subjects. The approach will be more streamlined with a clear list of requirements.
This method of compliance is seen by some as the “gold standard” and is likely to become increasingly popular for intra-group transfers.
INTERNATIONAL TRANSFERS
Those who had hoped for a complete revamp in this area will be disappointed as the GDPR contains essentially the same toolkit. The process has been improved by the removal of the need for prior authorisation for transfers based on approved safeguards such as Commission or DPA approved contracts. However, the GDPR has removed the very useful self-assessment as a basis for transfer: this is currently only used as a stand-alone basis in a few Member States and is arguably a necessary sacrifice in order to achieve uniformity.
The consent derogation has also been amended: data exporters who rely on consent to move data outside the EU will need to look carefully at whether data subjects have been sufficiently informed of the risks of transfer.
The legitimate interests concept has been introduced as a new derogation, but its scope is very limited. It may be used where the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for compelling legitimate interests (not overridden by the rights of the data subject) and where the controller has assessed all the circumstances and adduced suitable safeguards. The DPA must also be informed. It is hard to see how this is useful in practice. It will be a relief to many that an outright ban on transfers to foreign regulators without DPA approval has not survived in the adopted text.
DATA SUBJECTS’ RIGHTS
One of the main ambitions of the European Commission in proposing a new data protection framework was to bolster the rights of individuals. This desire is clearly reflected in the strengthened rights of data subjects. These include, for example, a right to require information about data being processed about themselves, access to the data in certain circumstances, and correction of data which is wrong. There is also a right to restrict certain processing and a right to object to their personal data being processed for direct marketing purposes. Individuals can also ask to receive their personal data in a structured and commonly used format so that it can easily be transferred to another data controller (this is known as “data portability”).
The WP29’s recent guidance clarified how to interpret and implement the right to data portability. The guidance specifies that data controllers that outsource data processing or process data jointly with other controllers must have clear contractual arrangements to allocate responsibilities of each party in answering data portability requests and implement specific procedures in this respect.
One of the rights that received the most attention, particularly following the CJEU decision in the Google v Spain case, is the “right to be forgotten” or “right of erasure” as it has become known. This allows individuals to require the data controller to erase their personal data without undue delay in certain situations, such as where they withdraw consent and no other legal ground for processing applies. Alongside this is an obligation to take reasonable steps to inform third parties that the data subject has requested erasure of any links to, or copies of, that data. This will often be difficult to manage in practice. Note that the data controller must respond to these requests for information within a month, with a possibility to extend this period for particularly complex requests. Data controllers will need to put in place clear processes to enable them to meet these obligations.
The information shall be provided free of charge unless the request is “manifestly unfounded or excessive”.
What happens next?
The General Data Protection Regulation, numbered Regulation 2016/679, entered into force on 25 May 2016. It will apply from 25 May 2018.
Once the GDPR is in effect, the current Data Protection Directive 95/46/EC is repealed. As companies begin the process of moving to compliance with the new requirements, Member States are busily considering the impact on national data protection legislation. Although the GDPR will have direct effect in all Member States, national laws will need to be amended in order to regulate aspects such as the DPA’s position, sectoral regulations, transitional rules or implementation of additional requirements where discretion is given by the GDPR. The first draft national laws with the necessary legislative changes have already been published, eg in Germany, the Netherlands and Poland.