DLA Piper Shared Insights at Bloomberg Law’s 2016 Outlook on Privacy and Data Security in Washington DC

On February 3rd, the day after the announcement of the US-EU Privacy Shield provisional agreement, DLA Piper’s Carol Umhoefer, Jim Halpert and Giangi Olivi discussed EU data protection developments at Bloomberg Law’s 2016 Outlook on Privacy and Data Security in Washington DC. Their discussion followed a presentation by Shannon Coe, privacy leader at the U.S. Department of Commerce’s International Trade Administration, that summarized the terms of the provisional agreement. Here is a short analysis of the issues they discussed, which will also be relevant for companies operating in the media, sport & entertainment sectors.

Shield 1.0? – While US and EU negotiators have reached agreement, the Privacy Shield is not (yet) a fully forged or final agreement. There is reason for optimism because of the Shield’s greater transparency and new dispute resolution mechanism, combined with an increased level of co-operation on both sides of the Atlantic. However, questions remain whether the ECJ’s concerns in Schrems have been fully addressed, and EU DPAs have reserved three months to comment on the agreement and may demand adjustments. This means that the Privacy Shield may not be fully operational as quickly as hoped.

Awaiting the Shield – BCRs vs. Model Clauses – However, the G29 affirmed on February 3 that it still views model clauses and BCRs as valid transfer options. Until the Privacy Shield is approved, most companies will likely continue using the model clauses as the preferred route to transfer data. Binding Corporate Rules require a more complex process of implementation and approval, and are more a milestone in a wider compliance project than a timely solution to Schrems. Both mechanisms may soon find themselves subject to DPA recommendations on how to reinforce protection under model clauses and BCRs – and elements of the Shield itself could conceivably be widened to apply to model clauses and BCRs.

Sanctions – The GDPR provides for fines of as much as 4% of global turnover in cases of violation of data subjects’ rights. Whether the DPAs will make full use of their new power remains to be seen, but the GDPR does state that fines are to be proportionate, effective and dissuasive. An illustration of the new rule: The biggest fine ever issued by the Italian DPA, the Garante, was Euro 1,000,000 against Google for a breach relating to the Google Car. Google’s 2015 revenue was USD 74.54B, so 4% would translate to… USD 2.9B. Moreover, the GDPR will foster greater consistency in fines, by setting out specific elements to be taken into account when deciding fines (for example, the nature and gravity of the breach, its intentional character, the degree of responsibility, cooperation with the authority, losses avoided and financial benefits gained), and requiring the European Data Protection Board (EDPB, an entity established under the GDPR to ensure consistent application of the GDPR) to issue guidelines on fines. Some key differences in member state sanctions will persist, as criminal law sanctions are not addressed by the GDPR and DPAs are likely to have some degree of discretion about what fines to seek.

“Global” GDPR? – Companies outside the EU will need to start thinking through compliance with the GDPR. Unlike the EU Data Protection Directive (“EU Directive”), the GDPR will apply to processing by a controller or a processor not established in the European Union if the processing activities are related to the offering of goods or services to EU data subjects, as well as to profiling of EU data subjects’ behavior while subjects are in the EU. Although mere accessibility to a website will not be sufficient to trigger liability under the GDPR, there is no definitive list of the criteria to determine when goods or services will be considered offered to EU data subjects. The general principles used to identify active sales under EU anti-trust and competition laws may give broad guidance.

The Notification Dilemma – The GDPR requires breach notification to the DPA as soon as the controller becomes aware of the data breach (and in any event within 72 hours), unless the controller is able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals. Unless the new European Data Protection Board (EDPB) provides very specific guidance, companies in doubt may prefer to notify, or to seek direction from the DPA. A similar “play it safe” approach may also apply to notification to individuals, which is required when there are high risks to the rights and freedoms of the individuals.

Role of Data Processors – Under the current EU Directive, the data controller bears almost all responsibility for compliance. This has led to complaints that data processors located outside the EU have not been sufficiently invested in helping data controllers with compliance. Under the GDPR, the data processor will have specific (and independent) obligations such as immediately informing the controller in case of data breach, appointing a DPO and, in the case of processors outside the EU subject to the GDPR, designating a representative in the EU whom DPAs can hold accountable for non-compliance. The GDPR also sets out in detail the required terms for any processing agreement. Most importantly, the GDPR establishes joint and several liability for controllers and processors to indemnify data subjects in certain circumstances. The arrangements between controllers and processors will accordingly end up being more prescriptive, and in time the EU Commission may adopt standard processor clauses. While traditional “negotiated” outsourcing arrangements may not see significant changes, the GDPR will challenge parties operating in the cloud environment, particularly for standardized services. Adherence to a code of conduct or certification processes may well play a key role in solving certain impasses.

The Devil is (Also) In the Details – The GDPR’s fines and broader territorial scope are grabbing a lot of attention, but there are many changes for companies already subject to and compliant with the EU Directive. The GDPR will require providing much more extensive notices to data subjects about processing of their data, honoring new rights for individuals like the right to be forgotten and the right to restrict/opt-out of processing, establishing internal policies and procedures enshrining the GDPR’s principles including privacy by design and privacy by default, and conducting privacy impact assessments and maintaining internal records of all processing, just to name a few.