The clock is now ticking. On May 4th the European Parliament published the final text of the General Data Protection Regulation (“GDPR”), and the rules of the game have significantly changed, at least in the context of EU data protection law. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. “Privacy by Design” and “Privacy by Default” have been included in the regulatory ecosystem. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines of up to 4% of a business’ global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups (also known as “Civil Society”) having the right to complain about a company’s privacy practices directly to the local Data Protection Authorities, compliance with the GDPR will now be one of those risks that any business that touches EU data will need to seriously consider. Fortunately, the GDPR won’t go into effect until May 25th 2018. However, businesses with significant data from the EU need to start considering how to comply now.
General Regulatory Approach
The EU Data Protection Directive (“Directive”) that is now in effect takes a more administrative, “check the box” approach to data protection. There is an assumption that if companies are subject to the law, and they go through the prescribed steps, then data will be protected. The new GDPR moves away from this philosophy in a significant way. Under the new approach, companies will now have to actually demonstrate their accountability to the obligations of the GDPR by implementing compliance programs and business processes that embrace internal controls capable of both implementing and monitoring data protection. The concept of “Privacy by Design” now must be built into how businesses process personal data (Article 25). Audits must be done on a periodic basis to ensure compliance. Privacy impact assessments (PIAs) are now required where a business is going to engage in “high risk” processing. Note that the DPAs get to decide what constitutes “high risk”.
Additionally, risk-based obligations are spread throughout the GDPR. While this can be seen as a positive development (low risk systems shouldn’t need the same level of protection as high risk systems), it will mean that companies will have to go through the process of actually doing risk assessments on the lines of business that process EU personal data. These types of assessments take time, and many businesses haven’t had data protection risk as part of their internal governance structure in the past. Consequently, risk assessment processes will need to be built.
New and “Improved” Obligations for Businesses
The GDPR has added some specific obligations for businesses which, while not surprising, are not present in the current Directive. For example, there is now a list of criteria which must go into a privacy notice. Specific contractual requirements are set out for data transfer agreements.
The two most challenging additions to the data protection landscape come in the issues of consent and breach notice. The current Directive does not specify which modes of consent are acceptable. As a result, there is inconsistent application across different Member States as to what constitutes consent. For example, it is permissible to use implied consent (“opt-out”) for some processing in the UK, whereas express consent (“opt-in”) is the standard in other countries. The GDPR now requires all consent to be express: Article 4(11) states that consent must be evidenced by a “clear affirmative action”. Thus, reliance on an opt-out system will not work under the GDPR.
As for breach notifications, the GDPR brings the EU into the same place the US has been in for some time, and adds to it. The GDPR’s breach notice requirements place a 72 hour clock on reporting breaches to the relevant DPA. This is a particularly challenging requirement, as often a company doesn’t discover the full scope of a breach until weeks after it becomes aware of the breach. A good incident response protocol can help mitigate this timing issue, but as noted earlier, many companies don’t currently have a good breach response protocol and will thus have to create, test, and implement one.
There are a number of other tactical requirements for processors and controllers such as the need for contracts with every processor and subprocessor, the new “Right To Be Forgotten” imposing deletion requirements on controllers, and the need to consult with the competent DPA prior to processing personal data where a PIA has indicated the processing will be high risk. These direct obligations will require companies to set up systems and controls to ensure compliance which, for many, were not required previously. Again, these take time and companies would be well advised to start now.
While the local implementations of the Directive each have some form of enforcement mechanism, these are not consistent and, in many cases, not sufficient. There are limits on fining capability, and the competency to address cross-border businesses is a challenge. Additionally, there is uncertainty as to who has standing to complain about data protection violations, and how much concurrent jurisdiction a company might be under with regard to multiple DPAs.
The GDPR lays out a fairly comprehensive reworking of the enforcement process. It includes significantly enhanced penalties, a “one stop shop” mechanism to simplify which DPA will lead enforcement efforts, and allows Civil Society to initiate enforcement efforts without needing to have individuals involved. Finally, a private right of action for individuals is retained.
Most concerning is the way administrative fines are going to be capped. Administrative fines under the GDPR are capped at either €20 Million or 4% of a company’s gross annual revenue, whichever is greater. This means that EU regulators can now assess fines which are unrelated to the level of revenue generated by an EU subsidiary. The fining capability isn’t limited to profits, or to revenue generated in the EU. The consequences of this capability can be significant for multi-national companies with smaller footprints in the EU than in other regions.
Finally, while not new, there is always the ability for the DPA to actually enjoin a business from processing or transferring personal data if it is not compliant with the GDPR. This will also have a very real cost, above and beyond fines.
As noted earlier, the GDPR will not come into effect until 2018. However, the significant new obligations, the change in approach to regulation generally, and the significant fining capability of the Member State DPAs behoove businesses processing EU data to seriously review their compliance posture. At a minimum, businesses will need to:
- Develop and implement procedures for doing risk assessments and impact assessments;
- Review business process development methods to make sure “Privacy by Design” and “Privacy by Default” are embedded;
- Review their vendor management process and make sure standard contractual terms are in the agreements which have personal data aspects;
- Build (or improve) a security breach response protocol;
- Review privacy policies, notices, and similar instruments to ensure they contain the right information; and
- Review (and revise where needed) what basis the business uses for processing. If it is implied consent, that will need to be changed or another basis will be needed.
This is not a complete list, but all of the above items are elements of a scalable and sustainable global data protection program. This takes time and expertise to develop. Since the very real penalties for noncompliance are substantial, businesses are well advised to start down this path sooner rather than later.