After four years of protracted discussions and negotiations, the General Data Protection Regulation (the “GDPR”) gained final approval from the European Parliament on 14 April. It will enter into force 20 days after its publication in the Official Journal of the European Union (expected imminently), and it will apply from two years after that date, i.e. mid-2018.
The GDPR replaces the Data Protection Directive 95/46/EC (the “Directive”) and the legislation enacted by Member States to implement it. As a regulation, the GDPR will be directly applicable in all Member States; indeed, one of its core aims is to harmonise legal requirements across the EU, eliminating many of the inconsistencies that developed under the Directive.
The GDPR constitutes the single biggest change to EU data protection rules in 20 years and is considerably more comprehensive and onerous than the regime it replaces. We set out below some of the most significant changes.
The GDPR will apply to controllers and processors that process personal data “regardless of whether the processing takes place in the [European] Union or not.” This extra-territorial effect will be triggered where the personal data of individuals in the EU are processed in relation to:
- the offering of goods or services, irrespective of whether payment is required, to individuals in the EU; or
- the monitoring of their behaviour as far as that behaviour takes place in the EU.
Organisations which do not have an establishment in the EU – and which have considered themselves to operate outside the scope of EU data protection law – should now examine their business model in order to determine whether they could be subject to direct regulation.
The end of the “processor exemption”
The concept of the processor (an organisation, such as a service provider, that processes personal data solely in accordance with instructions from a controller) is well known from the Directive. For the first time, processors are subject to direct regulation by supervisory authorities under the GDPR. Although processors have several obligations, two of the most notable are to:
- implement sufficient security measures, having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing; and
- maintain records of all categories of processing activities carried out on behalf of a controller, including details of any international data transfers and, where possible, a description of the technical and organisational security measures put in place.
Controllers must only engage processors who provide sufficient guarantees to implement technical and organisational security measures, and processors must gain specific or general written consent before engaging sub-processors. We expect to see a significant impact on contracts with service providers, as traditional “data processors” will be in line for greater liability now that they will be directly regulated.
Regulators, investigations and sanctions
Organisations established in the EU will have a “lead supervisory authority”, which will be the data protection authority of the jurisdiction in which they have their main or sole establishment. There are complex rules on cooperation between an entity’s lead supervisory authority and other supervisory authorities, which take effect where a complaint is made by a data subject.
Supervisory authorities (formerly called data protection authorities) have a wealth of powers under the GDPR, including the power to order a controller or processor to provide information, to obtain access to all personal data and information necessary to perform its function, and to obtain access to the premises of the controller or processor.
Sanctions for non-compliance with the GDPR are far higher than those under the Directive, with the maximum fine that can be imposed set at EUR 20 million or 4% of annual worldwide turnover of the preceding financial year, whichever is higher.
International data transfers
In these times of turbulent trans-Atlantic data flows (R.I.P. Safe Harbor), it is reassuring that the arrangements for international data transfers remain substantially the same as under the Directive. One difference is that Binding Corporate Rules (“BCRs”) are explicitly recognised in the text of the GDPR, which confers a level of legitimacy on them. BCRs are a method of legitimising the international transfer of personal data within a group of companies and are available to both controllers and processors.
Against the backdrop of uncertainty caused by the invalidation of Safe Harbor, organisations with frequent and complex international transfer operations may wish to explore the possibility of implementing BCRs.
The standard for obtaining a valid consent has been raised. Under the GDPR, consent must be a “freely given, informed and unambiguous indication of the data subject’s wishes” and must be given “by a statement or by a clear affirmative action”. The GDPR also states that where the processing of data has multiple purposes, consent should be given for all of those purposes. Controllers must be able to demonstrate that consent has been given, and there are specific requirements to be followed where consent is to be obtained in writing. Organisations will therefore need to review their existing data collection practices to ensure that these meet the new standards.
Automated decision-making, including profiling
The GDPR provides a broad definition of what activities constitute “profiling”, and includes rights for individuals in relation to decisions based solely on automated processing, including profiling, where they would produce legal effects or otherwise “significantly affect” them. There is considerable uncertainty over what interpretation will be given to “significantly affect”; however, it looks likely that many instances of profiling will become unlawful under the GDPR. Businesses that heavily rely on profiling should therefore consider the implications of this change and what adjustments need to be made to the business model.