EU data protection (privacy) law is changing, albeit slowly. After three years of intense discussions behind the scenes, the Council, the last of the EU institutions to reveal its hand, has finally managed to adopt a negotiating position on the General Data Protection Regulation or GDPR. Three-way talks with the Commission and Parliament are confirmed for this week (24 June). However, quick resolution to the negotiation does not seem in the cards as there remains much controversy. Despite this, optimists believe a deal is possible by the end of the year. But even with a deal by Christmas, the new rules will apply in the first half of 2018 at the earliest, leaving businesses with 24-36 months under the current legislation, essentially the 1995 Data Protection Directive.
Can Business Afford to Wait?
To put it briefly, no. Given the ever increasing role that digital technology plays in everyday life, it is unsurprising that most businesses now routinely collect, store and process personal information. All grapple with the challenges that lawfully protecting that information brings. Few keep up with best practice. Meanwhile, corporate exposure to personal data breach is on the increase, regardless of company size, location or reputation. Businesses large and small need to manage that risk and handle incidents professionally, both now and under the future legislation. What is clear is that, whether you run a social networking/file sharing internet site or an e-commerce platform for goods and services, if EU citizens use your on-line services it is increasingly difficult to ignore EU law (see selected case-law such as C-131/12 – Google Spain and Google, and the draft GDPR territorial scope, which does not require establishment in the EU before the legislation applies to a given business).
Will the New Legislation Bring Clarity?
The anticipated streamlined “digital age” single EU regime seems rather unlikely. At the outset, the Commission proposed a Regulation – directly applicable uniform rules across the twenty-eight Member States. It now seems more realistic that we will still have a Regulation, but one with many national carve-outs. The practical result could be much the same as the existing Directive. Skeptics fear an erosion of rights for consumers. Additionally, as the negotiations have already been very lengthy, front runners such as Belgium, the Netherlands and Germany have lost patience and have tabled their own national legislation. On-going cases in the European Court may also add to the confusion (see selected cases on the role of national data protection authorities such as C-230/14 Weltimmo and Case C-362/14 Schrems). In short, as things currently stand, we risk a legal minefield.
What Are the Threats?
- National regulators will gain enforcement muscle. Fines are going up. It seems likely that fines will be calculated as a percentage of the global annual turnover of the corporate group (the Council wants 2%, whereas the Parliament has called for 5%). Currently, absent such sanctions, other regulators have had to intervene to protect affected consumers. A striking example from the UK is the £2.27 million fine imposed on Zurich UK in 2010 by the then Financial Services Authority for the lack of adequate systems and controls when outsourcing.
- An initial goal in reviewing the legislation was to make it easier for companies to move personal data around, particularly within the corporate group (binding corporate rules). The Snowden revelations have had their impact. In particular, the Parliament is very sensitive about how to deal with requests for personal data from non-EU courts or administrative authorities. Businesses hoping for a solution to the risk of being caught between a subpoena in one jurisdiction and a refusal from an EU jurisdiction for the data to be handed over could be disappointed.
- Liability between operators is blurred. Under the existing legislation the roles and responsibilities of so-called data controllers and processors were relatively clear, but it became a parlour game among lawyers to work out which legal entity was the controller and which the processor. The way liability is divided between the two in the draft legislation appears to be the worst-case scenario for many operators.
- Keeping it relevant. Once the legislation is adopted, no one will want to contemplate GDPR 2 for a long time. However, as we are all too aware, the digital environment evolves quickly. Agreeing on which aspects of the law can be amended by the Commission by so-called delegated or implementing act, avoiding a root and branch review of the Regulation, will be controversial.
- Additional requirements. GDPR is not comprehensive. Related EU and national laws are going through the legislative process or are being contemplated; for example, the EU network and information security proposal contains data breach reporting requirements for affected market participants, which risk differing from the requirements under the GDPR.
How Should Business React Now?
Now is a very good time to get your house in order. It is not too early to initiate a privacy programme or review existing practices. If the lengthy negotiation has done anything, it has served to raise awareness that Europeans expect organisations to take care of their personal information. As numerous surveys have revealed, many organisations have deficient practices. These can be resolved. The following non-exhaustive list sets out some initiatives that could be taken in the interim:
- Assess how personal information is processed throughout an organisation’s business units, including ensuring personal data is stored and transmitted safely so that access is controlled and only available to authorised personnel.
- Consider how the organisation can react better to consumer and employee requests for information about their personal information held by the organisation (subject access requests).
- Review existing terms & conditions and privacy notices to increase readability, raising awareness among staff of their rights and responsibilities.
- Audit terms & conditions, privacy notices and other corporate documents such as consumer preference testing questionnaires, against existing legal provisions, including commercial and consumer law in the jurisdictions in which the organisation operates.
- Consider whether transfers of personal data outside the EEA meet current requirements (e.g. use of “model clauses,” the EU-US Safe Harbour scheme, and BCRs).
- Assess how resilient the organisation is to data breach (from accidental loss and damage to a fully-fledged cyber-attack): what detection mechanisms and security measures are in place? What risk management techniques are deployed across the organisation, including cyber-insurance? Are there response procedures? Are they sufficient under current law and appropriate for the organisation’s business continuity needs? How quickly could the organisation get back on its feet?
- Analyse obligations from other EU legislative and national implementing measures affecting the business, e.g. for insurers (Solvency II etc.), anti-money laundering (3AML), tax (EU Savings Directive).
2018 is not far off in corporate planning terms, so companies should identify potential risk areas now, prepare a road map and initiate plans for implementation projects.