Now that it’s been approved by the EU Parliament’s Civil Liberties Committee, Europe’s General Data Protection Regulation (the “GDPR” or the “Regulation”) is well on its way to replacing the 20-year-old Data Protection Directive (the “Directive”) as the EU’s omnibus data protection law. Although it won’t officially become law until it receives the approval of the EU Parliament, now is the time to study the most important aspects of the GDPR so you can be prepared for the new regime.
Why replace the Directive?
The technology landscape was very different 20 years ago, when the Directive was first adopted. Today, with the widespread usage of social media, apps, and the Internet generally, personal data is being shared and transferred across borders more than ever before, and many felt that the Directive was due for an overhaul in light of all these changes.
Moreover, the Directive was limited because it was just that – a directive. As a directive, it could only set the minimum legal standards the EU member states had to meet in their own data protection laws; the member states otherwise could craft their own laws as they saw fit. This led to a patchwork of data protection laws across Europe, with some countries implementing more stringent (and occasionally more unique) laws than others.
The GDPR is meant to solve this problem. As a regulation, as opposed to a mere directive, it directly imposes a uniform data security law regime on all EU members. There is no need for a member state to enact legislation in order to make the GDPR law within that country; once the GDPR is passed, it will become the law in every member state, thereby harmonizing EU data protection law from A(msterdam) to Z(agreb).
What are some of the major ways the GDPR differs from the Directive?
- Territorial scope. Article 3 of the GDPR states that the Regulation applies to the processing of personal data of data subjects located in the EU, even if the relevant controller or processor is not established in the EU, provided that the processing relates to the offering of goods or services to the data subjects (whether or not payment is required), or the monitoring of data subjects’ behavior. In practical terms, this means that any company that markets goods or services to EU residents may be viewed as subject to the GDPR, regardless of whether the company is located or uses equipment in the EU or not. This provision essentially makes the GDPR a worldwide law, as many entities – think app developers to e-commerce companies and multinational corporations – want or need access to the European market, even if they do not have any European offices. In contrast, the Directive was not as expansive in its geographic reach.
- Increased fines for violations. One of the provisions getting the most attention is Article 79, which states that a company that violates certain provisions of the GDPR – such as the basic processing principles (see description of Article 5 below) or the rules relating to cross-border data transfers – may be subject to fines amounting to 4% of the company’s total worldwide annual turnover. Four percent may not seem like much, but in reality this could mean millions, even billions, of dollars in fines for large companies that violate the GDPR. Also, given the risk of incurring a significant fine for a violation, this provision underscores the importance of implementing a mechanism that allows for the legal transfer of personal data from the EU to the US, such as binding corporate rules (see below).
- Greater control for data subjects. Article 18 of the GDPR grants data subjects a “right to portability” with regard to personal data of theirs that is automatically processed. This provision allows data subjects to more easily transfer their personal data from one controller to another, which will come in handy when, for example, a data subject wishes to change service providers and transfer his or her personal data from one service provider to another. A data subject also has the right to receive any personal data he or she provided to the controller and is being processed via automated means “in a structured and commonly used and machine-readable format.” Also, Article 17 sets out the “right to erasure,” also known as the “right to be forgotten,” which gives a data subject the right to order a controller to erase any of the data subject’s personal data in certain situations. Article 17 requires a controller to erase a data subject’s personal data “without undue delay” when the personal data is no longer necessary in relation to the purposes for which it was collected or processed, or the data subject withdraws his or her consent or objects to the processing and there is no other legal basis for the processing, among other grounds. A controller may be obligated to restrict processing where the data subject contests the accuracy of the data, as well as in certain other situations set out in Article 17a.
- Data protection officers. Article 35 requires companies whose “core activities” involve large-scale processing of “special categories” of data – defined as information that reveals a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data (if processed in order to uniquely identify a person), health or sex life, or sexual orientation – to designate a data protection officer. Companies should be aware that even if they do not collect this type of information from their customers, they may collect some of this information from their employees for human resources purposes, and therefore may need to appoint a data protection officer. Under Article 37, data protection officers must provide advice about, and monitor compliance with, the Regulation, as well as serve as the contact person for communications with the relevant supervisory authority.
- Data breach notification. Under the Directive, member states were free to adopt different data breach notification laws, which meant that companies that suffered data breaches in the EU had to research and ensure compliance with the appropriate requirements. However, Article 31 of the Regulation sets out a single data breach notification requirement designed to be applicable across the EU. The rule requires controllers to notify the appropriate supervisory authority of the personal data breach within 72 hours of learning about the breach. The notification must describe the nature of the personal data breach, the categories and approximate number of data subjects implicated, the contact information of the organization’s data protection officer, the likely consequences of the breach, and the measures the controller has taken or proposes to take to address and mitigate the breach. Additionally, a processor is required to notify a controller of a data breach “without undue delay.” Article 32 requires controllers to notify data subjects of breaches “[w]hen the personal data breach is likely to result in a high risk [to] the rights and freedoms of individuals” and must notify data subjects of the breach “without undue delay.” The notification must include the contact information of the company’s data protection officer, the likely consequences of the breach, and the remediation and/or rectification measures the company has taken or intends to take to address the breach. However, the controller does not have to provide notice to data subjects if the controller (1) had implemented “appropriate technical and organisational protection measures” and applied those measures to the affected data; (2) took subsequent measures to ensure that the risk to data subjects’ rights and freedoms would be “no longer likely to materialize;” or (3) notification would require “disproportionate effort,” in which case a public communication would be sufficient as long as the data subjects were notified “in an equally effective manner.”
Are there any important points on which the GDPR is similar to the Directive?
Yes – one of the most significant of these is consent. Similar to the Directive, the Regulation provides that consent is a valid basis for processing personal data, and in Article 4 defines consent as “freely given, specific, informed and unambiguous” (the Directive defines consent, in Article 2, as “freely given specific and informed”). Under the Directive, employees generally could not be viewed as freely giving consent to their employers’ processing or cross-border transfer of their personal data given the inherently unbalanced power dynamic in the employer-employee relationship. As the Regulation’s language on consent mirrors that of the Directive, we may assume, for now, that the same restrictions on employee consent will remain.
What about the Directive’s data protection principles? Does the Regulation change those in any way?
One of the key components of the Directive is its list of “Principles Relating to Data Quality” in Article 6. Under Article 6, member states had to require that that personal data be processed fairly and lawfully; collected for specified and legitimate purposes; adequate, relevant, and not excessive given the purposes for which the data was collected and processed; accurate and kept up to date, where necessary; and kept in a form that allowed for the identification of data subjects for no longer than necessary given the purposes for which the personal data were processed.
Article 5 of the Directive maintains and expands upon these principles, even giving each principle a name – the first principle, for example, is labeled “lawfulness, fairness and transparency.” It also adds an additional “integrity and confidentiality” principle, which requires that data be “processed in a way that ensures appropriate security of the personal data.” The Regulation, like the Directive, also states that controllers must demonstrate compliance with these principles.
How does this affect the US-EU Safe Harbor?
As you may recall, the US-EU Safe Harbor program was declared invalid this past October. While the GDPR does not provide for a new Safe Harbor program, it is important to note that the Directive did not envision a Safe Harbor program either; instead, the Safe Harbor program was implemented five years after the Directive, pursuant to Decision 2000/520/EC. (It was this Decision that the European Court of Justice invalidated this past October, which in turn essentially ended the Safe Harbor program.) In other words, just because the GDPR doesn’t specifically provide for a Safe Harbor program doesn’t mean there isn’t a new Safe Harbor program on the horizon. Indeed, American and European officials have been negotiating the contours of Safe Harbor 2.0 and hope to reach an agreement by January.
In the meantime, Chapter V of the GDPR, which deals with cross-border data transfers, indicates that binding corporate rules (“BCRs”) and standard contractual clauses remain valid tools for transferring personal data outside the EU. Unlike the Directive, the GDPR even details the basic requirements for BCRs in Article 43; until this point, the BCR requirements had been set out in a series of Working Documents published by the Article 29 Working Party, and those drafting the BCRs had to cross-reference the various documents in order to piece together a truly comprehensive picture of what to include. Moreover, the GDPR’s approval of mechanisms such as BCRs and standard contractual clauses alleviates the concern that some member states’ data protection authorities will follow Germany’s lead in declaring that these tools offer insufficient protection for personal data transfers to the US.
When would the GDPR become effective?
If approved, the GDPR would not become effective until 2018, giving companies time to ensure compliance with the new law.