On December 15, the European Commission, European Parliament, and Council of the EU reached agreement on the text of a new law governing the protection of personal data. The new General Data Protection Regulation will replace the 1995 EU Data Protection Directive and will have significant bearing for all companies doing business in the EU or offering products or services – including even free online services – to individuals in the EU. Although the new Regulation will not be formally adopted until the first quarter of 2016, and compliance with its provisions won’t be required until early 2018, companies should begin to familiarize themselves with the new obligations, compare these new requirements to existing practices, and develop a compliance plan. Penalties for non-compliance can be severe.

As always, if you have any questions or concerns about this alert you can contact the authors or your usual Drinker Biddle contact. See below for a brief description of our service offerings.

Brief Overview of General Data Protection Regulation 

New or increased obligations appear in bold; reduced obligations and other positive features appear in italics.

Background Terminology

  • Processing of dataThe processing of personal data relates to any activities performed upon personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • ControllerThe controller is the person or entity, whether alone or jointly with others, that determines the purposes and means of the processing of personal data.
  • ProcessorThe processor is a person or entity who processes personal data on behalf of the controller.

Scope of Application

  • Regulation applies to processing of “personal data” in the context of the activities of an establishment of a controller or a processor in the EU. (An “establishment” implies the exercise of activity through stable arrangements, not necessarily a legal personality.) It also applies where a controller or processor is not established in the EU but its processing activities are related to the offering of goods or services to, or monitoring the behavior of, EU residents, regardless of whether payment is provided. A controller not established in the EU must appoint an EU-based representative, unless the processing is only occasional and does not include processing of sensitive personal data on a large scale.
  • “Personal data” is defined as any information relating to an identified or identifiable natural person. An identifiable person is someone who can be directly or indirectly identified, including by reference to a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that person. Personal data expressly includes pseudonymous data.

Rights of Data Subjects

  • Data subjects must receive a detailed notice about the collection and use of their data, including the legal justification being relied upon for the processing, the source of the data, and the retention period.
  • Data subjects may request copies of their data. Controllers should provide a means for requests to be made electronically, and for the data to be provided in a commonly used, electronic form. Controllers must provide the first copy of the data free of charge. Where data subjects have directly provided their data to a controller, they generally can demand that the controller transfer their data to another controller, where this is technically feasible.
  • Data subjects may demand rectification of incomplete or inaccurate records.
  • Data subjects may generally demand erasure of their records.
  • Data subjects may generally object to processing of their data and/or profiling based on their data.
  • Processing that results in decisions concerning an individual that have legal effects or similarly significantly affect an individual are not permitted without the data subject’s explicit consent where such decisions are based solely on automated processing.
  • Limited exceptions apply to each data subject right.

Principles Applicable to Processing of Personal Data

  • All processing of personal data requires a legal justification. Legal justifications include the clear, unambiguous, affirmative consent of the data subject to processing for one or more specific purposes, and processing that is necessary: (i) for the performance of a contract to which the data subject is a party; (ii) for compliance with a legal obligation arising under EU or member state law; (iii) to protect the vital interests of the data subject or another person; (iv) for the performance of a task carried out in the public interest, where such processing is laid down in EU or member state law; and (v) for the purposes of the legitimate interests pursued by the controller or a third party, except where the data subject’s interests are overriding.
  • Stricter requirements apply to processing of sensitive categories of personal data, including data concerning race, ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic dataunique biometric data, health data, data concerning sexual orientation and sexual activity, and data relating to criminal convictions or offences.
  • Where consent is relied upon as a legal basis for processing, the controller must be able to demonstrate that consent was given. Consent does not provide a valid legal justification for processing where there is an imbalance that makes it unlikely that consent was given freely (e.g., employer-employee situations). Consent to processing must be kept separate and distinguishable from other written declarations. Consent may not be considered freely given where it is made conditional to performance of a contract or receipt of a service and such consent is not necessary to performance of the contract or providing the service. In the context of websites and other online services, and with respect to data on minors under the age of 16, reliance on consent as a legal justification for processing requires parental consent. Member states can lower the age at which minors can provide consent to as low as 13 years. Consent can be withdrawn at any time.
  • Where the legitimate interests of the controller are relied upon as a legal basis for processing, these interests must be stated in the notice provided to data subjects.
  • Personal data can only be collected for specified purposes and may not be further processed in a manner incompatible with those purposes. In determining the compatibility of further processing, considerations include not only the reasonable expectations of data subjects based on their relationship with the controller, but also the nature of the personal data, the consequences of the intended further processing for data subjects, and the existence of appropriate safeguards in the intended further processing.
  • Collection, use, storage, and other processing of personal data must be limited to that which is necessary for the specified purposes.
  • Reasonable steps must be taken to ensure that personal data are accurate.

Privacy Impact Assessments (PIAs) and Privacy by Design (PbD)

  • PIA required when processing is likely to result in high risk to data subjects, including when processing sensitive data on a large scale or profiling.
  • PIA must identify specific risks and describe privacy and security measures implemented to mitigate them.
  • PIA may evaluate an entire category of processing operations if they are sufficiently similar.
  • Controllers must implement technical and organizational measures to ensure that data protection principles are incorporated into all processing activities from start to finish (“privacy by design”).

Data Protection Officers (DPOs)

  • Each entity whose core activities include processing of sensitive data on a large scale or large scale monitoring of data subjects must appoint a DPOcorporate groups may appoint a single, shared DPO, provided that a DPO is easily accessible from each of the group’s establishments.
  • DPO must report to the highest level of management.
  • DPO must perform his/her responsibilities on the basis of independent judgment and cannot be dismissed or penalized for performing his duties.
  • DPO may perform other duties provided that they do not cause a conflict of interest.

Record-keeping; DPA Reporting & Consultation Requirements

  • Data controllers with more than 250 employees must maintain records including: all data processing operations; their scope and purpose; and any international data transfers. Data controllers with fewer than 250 employees must maintain such records concerning regular processing of personal data and processing of sensitive data.
  • Record-keeping replaces the registration requirements currently in place in some EU countries.
  • Mandatory consultation with data protection authority (DPA) where processing poses high level of risk to subjects that cannot be mitigated.

Breach Notification

  • Data controllers must notify the competent DPA without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless they can demonstrate that the breach is unlikely to result in a risk to data subjects. Risks include, inter alia , physical, material or moral damage to individuals such as discrimination, identity theft or fraud, financial loss, and damage to reputation. Where notification cannot be achieved within 72 hours, an explanation for the delay should accompany the notification.
  • Data controllers must notify data subjects without undue delay of breaches that are likely to result in a high risk to them.
  • Required details include number and contents of affected records; likely consequences, mitigation measures, etc.; notification may be provided in phases as this information becomes available.

International Transfers

  • Commission will identify jurisdictions offering adequate data protection essentially equivalent to that in the EU, taking into account factors such as independent data protection supervision, enforceable rights for EU data subjects, and effective administrative and judicial redress for EU subjects; decisions must be reviewed every four years.
  • For transfers to inadequate jurisdictions, controllers must implement appropriate safeguards such as standard contractual clauses; binding corporate rules (BCRs); non-standard clauses approved by DPAs; explicit consent; certification seals for recipient entities; or approved industry codes of conduct.
  • Prior approval mandates eliminated for transfers under standard contractual clauses or BCRs.
  • Transfers may also be based on the compelling legitimate interests of the controller in limited cases.
  • Any order of a court, tribunal, or administrative authority of a foreign jurisdiction to transfer or disclose personal data shall not be enforceable unless based on an international agreement, unless the transfer or disclosure otherwise complies with the Regulation.

Liability and Sanctions for Non-Compliance

  • Data subjects are given the right to file a complaint with the DPA of their residency, place of work, or place where the alleged violation occurred.
  • Where processing of personal data spans multiple member states, the DPA of the entity’s European headquarters (or, if different, the DPA of the establishment where decisions concerning the purposes and means of the processing of personal data are taken), shall be the lead DPA for oversight and enforcement. Nevertheless, each DPA has a defined level of competency to deal with a complaint or possible violation where the subject matter of the complaint/violation concerns only an establishment in the member state of that DPA or substantially affects data subjects only in that member state. A cooperation mechanism exists where the lead DPA and other concerned DPAs disagree as to how to handle a case.
  • Data subjects have the right to compensation for any material or immaterial damage resulting from a violation of the Regulation. Data subjects can bring proceedings in the courts where they reside or where the controller or processor has an establishment in order to enforce their rights, enjoin violative activity, and obtain compensation. Data subjects can authorize non-profit, public interest bodies to bring complaints on their behalf for the same purposes. Member states are permitted to allow such bodies to independently bring complaints on behalf of data subjects in order to enforce data subject rights and enjoin violations.
  • Where more than one controller or processor are jointly responsible for violating the Regulation, each can be held liable for the entire damage.
  • Violations of a controller’s obligations with respect to record-keeping, security, breach notification, and PIAs would be subject to a maximum administrative penalty of €10 million or 2 percent of the entity’s global gross revenue, whichever is higher.
  • Violations of a controller’s obligations with respect to having a legal justification for processing, complying with the rights of data subjects, and cross-border data transfers would be subject to a maximum penalty of €20 million or 4 percent of the entity’s global gross revenue, whichever is higher.