We all know it’s coming, we just don’t know precisely what “it” is yet. The General Data Protection Regulation (“GDPR”) has now moved to the trilogue stage of the EU legislative process, with the three EU institutions – the Commission, Parliament and Council – trying to negotiate a final text. Those leading the charge for the GDPR in Europe are optimistic that the final text will be agreed by the end of the year, leaving organisations that process personal data two years to implement the new law before it comes into force at the start of 2018.
This ‘cheatsheet’ provides a quick overview of the story so far and what has been proposed in each of the draft texts produced by the Commission, Parliament and Council.
The story so far
- The current law is the EU Data Protection Directive 1995 (95/46/EC), implemented slightly differently in the domestic legislation of each member state. In the UK, this is the Data Protection Act 1998.
- The proposal is to replace this with a Regulation, which would therefore be directly applicable in each member state without the need for implementing legislation.
- The legislative process has been ongoing for more than three years, and there are three published versions of the draft Regulation:
- The initial proposal by the Commission, published in January 2012.
- The EU Parliament’s revised version of the Commission’s draft, approved by the Parliament in March 2014.
- The EU Council’s draft, finalised on 11 June this year.
- The process has now entered the ‘trilogue’ stage. This is where the Commission, Parliament and Council conduct informal negotiations, prior to the formal readings of the text before the Parliament and Council, in order to reach a closer agreement on the text before the actual votes take place.
- The current expectation is for the legislation to be approved by the start of 2016. There will then be a two-year implementation phase, and the law will come into force at the start of (or mid) 2018.
Highlights from the three drafts
The proposed drafts are very long (approximately 140 Recitals and nearly 100 Articles); what follows is therefore intended to cover headline changes only, and is not a comprehensive overview. There is also some significant variation between the three drafts, which we have tried to highlight below. Where wording is square-bracketed, this indicates that it does not appear in all three texts.
- The general concepts stay the same. The GDPR will still have the concepts of controllers and processors, with the majority of obligations on controllers. The definitions of “personal data” and “sensitive personal data” stay broadly the same. There are the same obligations regarding notice, processing grounds, proportionality, data transfers etc.; the key change is that the rules get a lot more detailed (and therefore more prescriptive).
- Territorial scope: The territorial scope of the existing Directive is somewhat complex (particularly after the Google Spain “Right to be forgotten” ruling). The GDPR will simplify the situation for non-EU based controllers: the GDPR will apply to these organisations if they are offering goods and services to individuals in the EU (irrespective of payment).
- The ‘one-stop-shop’: A highly controversial proposal, since it involves some Data Protection Authorities (“DPA”) potentially giving up their powers to regulate controllers based in more than one jurisdiction. The initial idea was that a controller based in more than one member state could designate a ‘lead’ DPA where their main establishment was based. All regulatory action would then be the lead DPA’s responsibility. However, it looks likely this will be watered down so that other DPAs still have a role – and individuals can still bring complaints to their local DPA. So more of a several-stop-shop then…
- No more obligation to register with the local DPA: An attempt at red-tape cutting by the EU, which is likely to be welcomed by most organisations.
- Data Protection Policies: Requirement to have [concise], transparent, clear and easily accessible policies. There are somewhat prescriptive requirements in this regard, e.g. you must identify the purpose of the processing and your retention periods, and state whether the data is encrypted. The Parliament has suggested standardised icons (similar to traffic-light food labelling), which controllers can use to quickly inform people.
- An entirely new principle (accountability): For the first time, data protection compliance will not only be about what happens when things go wrong. Organisations will also need to be able to demonstrate that they are consistently complying with the GDPR in their ordinary course of business. Essentially, this means organisations will need to have compliance policies in place (which may need to be reviewed every [2] years). There is also a requirement to document data processing activities. Under the Parliament text, this principle will also apply to processors.
- Privacy by design & Privacy by default: Privacy can no longer be something you can ‘add on’ afterwards, but should be factored into products and procedures from the design stage onwards.
- Risk assessments and Privacy Impact Assessments: Already good practice, Privacy Impact Assessments (“PIAs”) become mandatory under the GDPR.
- European Data Protection Seal: DPAs and/or accredited auditors may have the power to grant a data protection ‘seal’ to organisations who can demonstrate a sufficiently high level of compliance.
4. Individual rights
- Continued strong focus on consent. There is still much debate as to whether consent should be “explicit” (Commission and Parliament texts) or “unambiguous” (Council text); and also whether this makes any difference in reality…
- Subject Access Right is broadened, as individuals will also have a right to know, amongst other things, retention periods and a description of the consequences of the processing. However, the carve-out for ‘mixed’ personal data (i.e. personal data about more than one individual) is stronger than under the UK Data Protection Act.
- A ‘right to be forgotten’: Still up for debate. Introduced in the Commission text, but amended in the Parliament text to be only a ‘right to erasure’; ‘forgotten’ is back in the Council text. It looks likely it will apply when the controller is relying on the “legitimate interests” criteria, unless the controller can demonstrate its compelling legitimate interests override the objections of the data subject.
- Other rights: Right to object to profiling, right to data portability. Note that the right to data portability has been deleted in the Parliament text, and in the Council text it only applies where the processing is based on consent or performance of a contract.
- Data transfers: Essentially stay the same. A missed opportunity to fix the problem of data transfers in the internet age. Existing adequacy decisions will remain for five years. “Appropriate safeguards” options continue to be BCRs or Model Clauses, with the potential addition of the European Data Protection Seal. Organisations will need to renew existing Model Clauses every five years.
- Foreign law enforcement access: The Parliament text contains a new Article specifically directed at foreign law enforcement access. It would require organisations to notify and obtain prior authorisation from the local DPA, and inform individuals before giving personal data to foreign law enforcement.
- Direct obligations on processors: The existing contractual obligations (e.g. to process on the instructions of the controller, have appropriate security measures etc.) now become statutory obligations, as does the obligation to have a written contract in place (i.e. it becomes an obligation on both parties). There are also [potential] primary obligations on processors to appoint a Data Protection Officer, to notify the controller in the event of a security breach, and requirements when engaging sub-processors. Processors face the same potential fines as controllers (see below).
- The Parliament text contains significantly more obligations on processors than the other two texts (e.g. the accountability principle, privacy by design/default, documentation).
7. Data security
- Stronger focus on data security, more prescriptive obligations.
- Security breach: The controller must notify the DPA of a security breach within 24 hours / without undue delay / within 72 hours (Commission / Parliament / Council text respectively). Individuals should also be informed without undue delay. There are potential exceptions to the requirement to notify individuals: under the Parliament text, for example, if the affected data is encrypted (so that it is unintelligible to whoever obtained it), and under the Council text individuals need only be notified if the breach poses a high risk to them. Processors have a primary obligation to inform the controller, and to assist with the other notifications.
- Data Protection Officers: Possible requirement for controllers and processors to appoint a Data Protection Officer. However there is significant disagreement as to when this will apply: the Commission suggests any organisation with 250+ employees, whilst the Parliament’s proposal is if the data processing relates to 5,000+ individuals. The Council text does not have mandatory appointments – although member states would be able to legislate for this in their national law.
- Penalties(!): Huge increase in fines. Currently, the maximum fine in the UK is £500,000. The Commission and Council are proposing EUR 1 million or 2% of global turnover; the Parliament proposed EUR 100 million or 5% of global turnover. The fines could apply to controllers or processors. There is a relatively low thresho