On 15 December 2015, the trilogue parties (European Commission, Council of the European Union and European Parliament) agreed on a compromise version of the EU General Data Protection Regulation (GDPR). The Council and the Parliament are expected to vote on the agreed text in January/February 2016. The Regulation will then become applicable two years and 20 days after its publication in the Official Journal, i.e. presumably in the spring of 2018.
Because a Regulation, unlike a Directive, is directly applicable law, the GDPR ensures that all Member States apply the same substantive rules. The Regulation will therefore replace material parts of national data protection laws. An exemption applies to employee data protection, which will continue to be governed by national legislation; such national rules must, however, respect the fundamental rights and freedoms provided for under the Regulation. The following provides an overview of the most important changes:
Extended territorial scope
The GDPR extends the territorial scope of EU data protection law. It applies to companies established outside the EU where their processing activities relate to (a) the offering of goods or services to data subjects in the Union, or (b) the monitoring of their behaviour, in so far as that behaviour takes place within the Union. Hence, foreign websites may fall under the Regulation as soon as they make offers in a local European language or currency, or evaluate the behaviour of EU residents through their website (e.g. by tracking or profiling visitors).
One-stop shop – “lead supervisory authority”
In the future, companies with establishments in several Member States will benefit from the so-called “one-stop shop” principle. This means that the supervisory authority of the main establishment of a controller or processor is competent to act as “lead supervisory authority” for the cross-border processing of that controller or processor. “Main establishment” means the place of central administration in the Union, unless decisions on the purposes and means of processing are taken in another establishment of the controller in the Union and that establishment has the power to have such decisions implemented. Hence, the one-stop shop is limited in that it does not apply to processing operations owned by another establishment. Also, the Regulation provides that supervisory authorities in other Member States will be involved in the proceedings where (a) a data subject files a complaint with them; or (b) the case “concerns” the territory for which that supervisory authority is competent. The Regulation then provides for a cooperation procedure in which, should the supervisory authorities disagree, the newly introduced European Data Protection Board can issue a binding decision, which is then implemented locally by the competent supervisory authority. The Board will be composed of representatives of the national supervisory authorities.
Enhanced accountability of companies
Companies will increasingly be held accountable for managing data protection risks. To this end, the GDPR provides for the following instruments:
- Higher penalties of up to EUR 20 million or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- Obligation to notify the supervisory authority of personal data breaches, in particular unauthorised access to or loss of personal data, within 72 hours of becoming aware of them (and, where the breach is likely to result in a high risk, to inform the affected data subjects without undue delay).
- Extended requirements concerning the management and organisation of data protection risks (in each case on pain of penalties):
- Appointment of a data protection officer (“DPO”) in some cases: Appointment is obligatory where the company's core activities consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, or where sensitive data are processed on a large scale. In addition, a company may voluntarily appoint a DPO, and national law may make appointment mandatory in further cases. In Germany, for example, the requirement to appoint a DPO for any business in which more than 9 persons are involved in the automated processing of personal data is likely to remain in force. Where the controller or processor is not established in the EU, it shall designate in writing a “representative” in the Union.
- Maintaining records of processing activities: Companies are obliged to document the details of any data processing operations.
- “Data Processor Agreements”: Carrying out of processing by a processor requires a contract setting out details such as the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, audit rights, technical and organisational measures, etc. The requirements are similar to those of the Controller-Processor Standard Contractual Clauses (Commission Decision 2010/87/EU) or of Sec. 11 of the German Federal Data Protection Act.
- Privacy by Design and by Default: Companies shall design products and services such that, by default, they process only those personal data which are necessary for each specific purpose of the processing.
- Privacy Impact Assessments (“PIA”): Companies are required to perform an internal risk assessment concerning any processing which implies high risks to the rights and freedoms of data subjects (such as video surveillance).
Stronger consumer rights
One of the major goals of the Regulation is to strengthen the rights of data subjects, mainly by providing the following rights:
- Right to representative action: Data subjects may mandate a non-profit body to lodge a complaint on their behalf with a supervisory authority or to bring the claim before a court.
- Right to be forgotten: As before, personal data must be erased without undue delay once they are no longer necessary for the purpose for which they were collected. In addition, the GDPR now provides that where the controller has made the personal data public, it shall take reasonable steps, including technical measures, to inform other controllers which are processing the data that the data subject has requested erasure of any links to, or copies or replications of, those data.
- Right to data portability: Data subjects have the right to receive the personal data concerning them which they have provided to the controller on the basis of consent or a contract. Such data shall be provided in a structured, commonly used and machine-readable format. This is intended to ensure that users of services such as Facebook can switch to another provider, taking the data from their account with them.
- Right to object: Data subjects have the right to object at any time to processing based on the legitimate interest exception or to processing for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
- Ban on automated decision-making: Companies may not subject individuals to decisions based solely on automated processing, i.e. with no human intervention, which produce legal effects concerning them or similarly significantly affect them. Exceptions apply if the decision is necessary for entering into or performing a contract (e.g. credit rating), is authorised by Union or Member State law, or is based on explicit consent.
- Bar for valid consent raised: Under the GDPR, consent is valid only if it is freely given, specific, informed and unambiguous. A clear affirmative action is therefore required; implied consent, pre-ticked boxes or inactivity do not constitute valid consent. Also, consent may be regarded as not freely given if performance of a contract is made conditional on consent to processing that is not necessary for that contract.
- Limitation on processing “for another purpose”: Processing of personal data is only permissible if and to the extent that it is compatible with the original purpose for which the data were collected. Later processing “for another purpose” again requires a legal basis or consent, unless the other purpose is “compatible” with the original one. Factors to consider in assessing compatibility include any link with the original purpose, the context in which the personal data were collected, the nature of the personal data, the possible consequences of the intended further processing for data subjects, and the existence of appropriate safeguards (such as encryption or pseudonymisation).
Transfer of personal data to countries outside the EU
Similar to the existing rules, the Regulation prohibits the transfer of personal data to third countries unless (a) the Commission has adopted an adequacy decision regarding the target country; (b) the parties provide appropriate safeguards (e.g. through standard contractual clauses); or (c) Binding Corporate Rules (for intra-group data transfers) are in place. What is new is that the Regulation defines explicit criteria for an adequacy decision by the Commission, e.g. whether enforceable data subject rights and effective administrative and judicial redress are available to data subjects. The background to this is certainly the Safe Harbor judgment of the Court of Justice of the European Union of 6 October 2015 (case C-362/14, Schrems v Data Protection Commissioner). Moreover, the rather politically motivated provision remains that a judgment of a court or decision of an authority of a third country requiring the transfer or disclosure of personal data may only be recognised or enforceable if based on an international agreement, such as a mutual legal assistance treaty. This will pose problems for many companies, e.g. when they receive pre-trial discovery requests from the United States. In such cases, it should be considered whether aggregated (anonymous) data may suffice as evidence. Often, though, this will not be an option.