In recent years, the United States has been roiled by one instance after another of high-profile, large-scale breaches of data security. The list of such episodes includes a foreign power’s access of politically sensitive Democratic Party emails during the 2016 election cycle, two huge breaches of Yahoo! user account data, and the hacking of the personally identifiable information (PII) of customers of major retailers Target and The Home Depot, among many others. Yet the legislative and regulatory response in the United States to the exponentially growing problem of data privacy violations has been largely muted, or at least far from uniform or systematic. A plethora of governmental agencies—such as the Department of Justice, the Federal Trade Commission, and the Securities and Exchange Commission—have made clear that each understands data protection issues as being within its respective purview. But a compliance officer looking for comprehensive, non-agency-specific guidance as to what a company must do to protect PII and other sensitive data in the United States is not likely to be satisfied. Perhaps even more importantly, as a general matter, a U.S. citizen can point to little that is definitive, let alone uniform, across various industries and contexts regarding how (and to what extent) her PII will be safeguarded.
By contrast, the European Union (EU) has in recent years manifested a clear intention to maximize protection of personal data, and has sought to do so in a reasonably comprehensive and ascertainable manner. A particularly noteworthy product of that intention is the new European General Data Protection Regulation (GDPR), which will come into force throughout the EU on 25 May 2018. The GDPR will replace existing data protection laws throughout the EU and will introduce significant changes and additional requirements that will have a wide-ranging impact on individual rights, business requirements, and the police and criminal justice sectors. This article offers an overview of the history and key components of the GDPR, and some comments on how it might fare as an attempt to stem the rising tide of cyberbreaches.
EU legislation on data protection has been in place since 1995. The core aspect of that legislation has been a Data Protection Directive (formally, Directive 95/46/EC) that guarantees effective data protection. The right to such protection is deemed fundamental in the EU pursuant to Article 8 of the EU’s Charter of Fundamental Rights; however, each member state has, to some meaningful extent, implemented the law differently. Consequently, there has been uncertainty as to how the law should be interpreted and applied, as well as higher-than-desirable costs associated with administering the law.
Moreover, in recent years there has been growing recognition that the EU’s data protection rules need to be updated in any event. Processing of personal data has grown exponentially since 1995, with the proliferation of digital media, cloud computing, and location-based technology. The EU perceived that a more modernized, robust set of regulations would afford greater protections at a time when they were sorely needed and could also serve as a boon to the development of the digital economy within its borders.
In December 2015, an arduous process of agreeing to specific reform legislation was completed. Ratification of the new legislation occurred in early 2016. There are two major components of the reform:
The General Data Protection Regulation (GDPR), which is designed to enable individuals to better control their personal data. The GDPR reflects the EU’s hope that modernized and unified rules will permit businesses to derive maximum benefit from the opportunities of a contemplated “Digital Single Market,” by reducing regulation and benefiting from enhanced consumer trust that personal data will be protected.
The Data Protection Directive, which requires the police and criminal justice sectors to ensure that the data of victims, witnesses, and suspects of crimes are appropriately protected in the context of a criminal investigation or a law enforcement action. More harmonized laws across member states will also facilitate better cross-border cooperation of police or prosecutors in their efforts to combat crime and terrorism more effectively across Europe.
Member states have now completed roughly one-half of a two-year implementation period. A clearer view is now emerging of various practical implications of the two aforementioned components of the new legislation:
Consistency Throughout the EU—and Even Beyond It
Organizations outside the EU are deemed subject to the jurisdiction of EU regulators merely by collecting data concerning an EU citizen. While foreign companies might be inclined to challenge that assumption of jurisdiction, the EU currently estimates that having to deal with only a single supervisory authority within the EU will produce savings of €2.3 billion per year.
What Is “Personal Data”?
“Personal data” is defined in both the Directive and the GDPR as any information relating to a person who can thereby be identified, directly or indirectly.1 A matter of particular focus will be information that includes references to identifiers such as a name, an identification number, location data, online identification, or other specifying factors. Of special note here is that online identifiers such as an IP address, “cookies,” and other trackable online data will now in many instances be regarded as personal data. Those instances will typically arise when the potentially identifying data can be linked to a specific individual without extensive effort. For these purposes, no real distinction exists between personal data about individuals arising from activities in their private lives and personal data generated in their performance of work functions.
Data Protection Officers
Data protection officers must be appointed for all public authorities, and where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data” (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like).2 This rule is expected to apply to, among other types of businesses, larger-scale marketing companies and even research organizations.
An early draft of the GDPR limited mandatory appointment of a data protection officer to organizations with more than 250 employees, but the final version has no such limitation.
The data protection officer’s tasks, as detailed in the regulation, include:
• Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws;3
• Monitoring compliance, including managing internal data protection activities, training data processing staff, and conducting internal audits;
• Advising with regard to data protection impact assessments when required under Article 33;4
• Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data;5 and
• Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
Data protection officers may insist on access to company resources for the purposes of fulfilling their job functions and assisting the company’s personnel in their ongoing training. The officers must have access to the company’s data processing personnel and operations, significant independence in the performance of their roles, and a direct reporting line “to the highest management level” of the company. Data protection officers are expressly granted significant independence in their job functions and may perform other tasks and duties provided they do not create conflicts of interest.6
Controllers and Processors
The GDPR does distinguish between the responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the regulation’s requirements and to protect data subjects’ rights.7
Controllers and processors must “implement appropriate technical and organizational measures” that take into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.”8
The regulation provides specific suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:
• The pseudonymization and/or encryption of personal data;9
• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services processing personal data;10
• The ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident;11 and
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.12
Controllers and processors that adhere to either an approved code of conduct or an approved certification may use these tools to demonstrate compliance.13
The controller/processor relationships must be documented and managed through contracts and protocols that mandate privacy obligations. The upshot is that controllers must assure themselves of processors’ ability to conform to privacy requirements.
According to the regulation, consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”14 Although the consent itself need not be explicit, the personal data for which consent is obtained must be “collected for specified, explicit and legitimate purposes.”15 It therefore must be abundantly clear to the data subject what his or her data is going to be used for at the point of data collection.
Consent should be demonstrable and must, not surprisingly, be freely given. Organizations need to be able to show clearly how and when consent was obtained. Consent, once given, can also be withdrawn as to future uses of personal data.
Information Provided at Data Collection
The information that must be made available to a data subject when data is collected is defined to include:
• The identity and the contact details of the controller and the data protection officer;16
• The purposes of the processing for which the personal data is intended;17
• The legal basis of the processing;18
• Where applicable, the legitimate interests pursued by the controller or by a third party;19
• Where applicable, the recipients or categories of recipients of the personal data;20
• Where applicable, that the controller intends to transfer personal data internationally;21
• The period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;22
• The existence of the right to access, rectify, or erase the personal data;23
• The right to data portability;24
• The right to withdraw consent at any time;25 and
• The right to lodge a complaint with a supervisory authority.26
This list changes when the data has not been obtained directly from the data subject. In that circumstance, the disclosure must make reference to the source from which the personal data originated, and how and why the data was obtained from that source.27
This is likely to cause consternation to marketers using multiple sources of third-party data.
The GDPR mandates a risk-based approach through which organizational controls must be, in essence, tailored to correspond to the degree of risk associated with the processing activities. Where appropriate, privacy impact assessments must be made, with a focus on protecting data subjects’ rights. Data protection safeguards must be incorporated into products and services from the earliest stage of development. Privacy-friendly techniques such as pseudonymization will be encouraged, to reap the benefits of big data innovation while protecting privacy. There is also an increased emphasis on effective record-keeping for controllers. The critical objectives in this regard are to help demonstrate compliance with the regulation and to improve the capabilities of organizations to manage privacy and data effectively.
Fines and Enforcement
There will be a substantial increase in fines for organizations that do not comply with the new regulation. Regulators will now have authority to issue penalties equal to the greater of €10 million or 2% of the entity’s global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.28
Violations of obligations related to legal justification for processing, data subject rights, and cross-border data transfers may result in penalties of the greater of €20 million or 4% of the entity’s global gross revenue.
Legitimate Interests and Direct Marketing
The regulation does specifically acknowledge that the processing of data for “direct marketing purposes” can be considered as a legitimate interest. Legitimate interest is one of the grounds, like consent, that an organization can invoke in order to process data and satisfy the principle that data has been fairly and lawfully processed. Processing is to be considered lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”29
Summary and Conclusions
The new EU data protection regime extends the reach of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of data protection regulations throughout the EU, thereby at least theoretically making it easier for non-European companies to comply with these regulations. This comes with undeniable costs, however. The new regulations include a rigorous set of data protection compliance requirements backed by the prospect of severe penalties for noncompliance. Moreover, that new data protection regime’s rigor is not in all respects matched by clarity. The extent to which invocations of “legitimate interest” will effectively be permitted to trump personal data protection is by no means fully understood at this time, and many of the admonitions to data protection officers, controllers, and processors can rightly be critiqued as vague and general, and thus susceptible to selective enforcement (or none at all).
Final implementation of the GDPR will require sweeping changes to business practices for companies that have not to date implemented a comparable level of privacy protection protocols. The European Commission will have to deploy sufficient resources and exhibit sufficient power to enforce implementation and then compliance. None of this is assured. It is all but impossible, however, to envision an attempt at comprehensive, meaningful data protection reform legislation that would not face major enforcement challenges, or that was in all respects clear, specific, and unambiguous. The EU is, at a minimum, to be commended for making an aggressive and thoughtful attempt to combat a rapidly evolving problem.
Originally published in the International Law Quarterly.