On 15th December 2015, the EU Commission, Parliament and Council of Ministers reached agreement on the General Data Protection Regulation ("GDPR"), after months of "trilogue" negotiations.
Those who process personal data will need to be more accountable; individuals will have stronger rights; there are significantly tougher powers of enforcement for national data protection authorities. The GDPR also applies to organisations outside the EU who sell to, or monitor, EU residents and requires data controllers to implement "data protection by design and default". The Regulation does not address the recent invalidation of the US safe harbor scheme: this must be resolved separately.
The GDPR must now be formally approved by the EU institutions and will then be published in the Official Journal early in 2016. The GDPR will come into force two years and twenty days from date of publication.
Key features are summarised in more detail below. We will be providing more detailed guidance – including actions companies need to take – over the coming weeks and months.
Long-arm jurisdictional reach
The GDPR will apply whenever personal data is processed about EU residents in connection with: (1) the offer of goods or services; or (2) monitoring of behaviour within the EU. This will be the case even if the organisation processing the personal data has no EU presence.
Relevant factors to assess this extra-territorial reach will include use of a language/currency used in EU Member States; ability to place orders in the EU; references to EU users or customers. Tracking EU residents on the Internet, in order to create profiles or to analyse or predict preferences and behaviour is also covered.
Where an organisation has to comply with this long-arm reach of the GDPR, then it must appoint a representative within the EU.
Continued application to EU based organisations
The GDPR will also apply to processing of personal data which is carried out in the context of EU "established" organisations (meaning some kind of stable arrangement in the EU).
What data is covered?
The GDPR applies to data from which a living individual is identified, or is identifiable (by anyone). The current test of 'all means reasonably likely to be used' to identify is retained.
The Regulation highlights the fact that certain categories of online data may be personal – online identifiers, device identifiers, cookie IDs and IP addresses are referenced. With respect to IP addresses, the Court of Justice of the European Union is expected to provide a clarification in the course of 2016 following a referral from the German Federal Court of Justice (Bundesgerichtshof) lodged on 17 December 2014 (case C-582/14).
The current concept of sensitive personal data is retained and is extended – to cover genetic data and biometric data. As with the current Directive, processing of sensitive personal data is subject to more stringent conditions than other forms of personal data. Sensitive personal data can be processed with explicit consent.
A new concept of 'pseudonymisation' is introduced: this is a privacy enhancing technique where the information which allows data to be attributed to a particular individual is held separately and subject to technical and organisational measures to ensure non-attribution.
Pseudonymous data is still a form of personal data. However, its use is encouraged. For example, this is a factor to be considered when determining if the processing is 'incompatible' with the purposes for which personal data was originally collected and processed.
Pseudonymisation is also included as an example of a technique which may satisfy requirements to implement privacy by design and by default and which may meet obligations to ensure security of data.
Finally, for organisations wishing to use personal data for historical or scientific research or for statistical purposes, use of pseudonymous data is mandated in most situations.
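The following Python script is an added illustration of the pseudonymisation concept described above (and relied on again in the research and statistics passage later in this note); it is not code from the original article. It splits each record into the direct identifiers and the remaining working data, replaces the identifiers with a keyed token, and keeps the key and the token-to-identity mapping in a separate vault object. The record fields, the `PseudonymVault` class and the sample people are all constructed for this example.

```python
"""Pseudonymisation as the GDPR describes it: the information that attributes
data to a person is held separately from the working dataset.

Added illustration, not code from the original article. The record layout,
the PseudonymVault class and the sample records are constructed here."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample records; the people do not exist.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "EC1A 1BB",
     "condition": "asthma", "age_band": "30-39"},
    {"name": "Bob Sample", "email": "bob@example.net", "postcode": "M1 1AE",
     "condition": "diabetes", "age_band": "50-59"},
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "EC1A 1BB",
     "condition": "hay fever", "age_band": "30-39"},
]
DIRECT_IDENTIFIERS = ("name", "email", "postcode")


class PseudonymVault:
    """The 'held separately' part: owns the HMAC key and the reverse lookup.

    Whoever holds only the pseudonymised dataset cannot attribute a row to a
    person; whoever holds the vault can. That is why pseudonymous data stays
    personal data under the GDPR: attribution is still possible, it is just
    kept behind technical and organisational measures."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: dict = {}

    def pseudonymise(self, identifiers: dict) -> str:
        # Canonical encoding so the same person always yields the same token,
        # which lets records be linked across datasets without the identity.
        canonical = json.dumps(identifiers, sort_keys=True).encode()
        token = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:24]
        self._lookup[token] = dict(identifiers)
        return token

    def reidentify(self, token: str) -> Optional[dict]:
        """Reverse the mapping; only possible for whoever holds the vault."""
        return self._lookup.get(token)


def split_record(record: dict, vault: PseudonymVault) -> dict:
    """Return the record with its direct identifiers replaced by a subject token."""
    identifiers = {k: record[k] for k in DIRECT_IDENTIFIERS}
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["subject_id"] = vault.pseudonymise(identifiers)
    return working


def pseudonymise_dataset(records: list, vault: PseudonymVault) -> list:
    return [split_record(r, vault) for r in records]


def contains_direct_identifiers(records: list) -> bool:
    """Check used before a dataset leaves the controller for research use."""
    return any(k in r for r in records for k in DIRECT_IDENTIFIERS)


def unkeyed_hash_is_reversible(email: str, candidates: list) -> bool:
    """Caveat: a plain hash of an identifier is not a pseudonym in the GDPR
    sense. Anyone who can enumerate plausible inputs recomputes the hash and
    re-attributes the row without holding any separately kept secret."""
    token = hashlib.sha256(email.encode()).hexdigest()
    return any(hashlib.sha256(c.encode()).hexdigest() == token for c in candidates)


if __name__ == "__main__":
    vault = PseudonymVault()
    research = pseudonymise_dataset(RECORDS, vault)
    for row in research:
        print(row)
    print("direct identifiers present:", contains_direct_identifiers(research))
    print("re-identified by vault holder:", vault.reidentify(research[0]["subject_id"]))
```

The two Alice rows receive the same `subject_id`, so a research team can link them without ever seeing her name or email, while re-identification requires access to the vault. The last function shows the failure mode a practitioner should watch for: an unkeyed hash of an email address offers no separation at all, because the attribution information is recoverable from the token itself.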
Explicit or unambiguous consent?
Consent must be unambiguous. Consent to process sensitive personal data must be explicit; however, consent to process other types of personal data does not need to be explicit.
Consent must still be specific, informed and active. Consent can be indicated by choosing certain technical settings, or any other statement or conduct which clearly indicates acceptance. However, silence or inactivity is not sufficient.
Consent must be freely given and individuals must be able to withdraw consent (without detriment). Entering into a contract, or receiving a service, should not be 'tied' to the user giving consent to the processing of data which is not, in fact, necessary for the service to be delivered. Organisations must also seek separate consents for separate processing operations. There is a presumption that these types of forced or omnibus consent mechanisms will not be valid: organisations will need to redesign consent mechanisms so as to present genuine and granular choice for consent to be valid.
Processing does not need to be based on consent: other bases for processing still exist, including contractual necessity, compliance with a (Member State or EU) legal obligation and where the processing is necessary for legitimate interests of the controller (or another organisation), where these interests are not overridden by the data protection rights of the individual. Processing in order to prevent fraud, for direct marketing and for network security are all cited as examples of processing carried out for a legitimate interest. Sharing data (both employee and customer) within a group of undertakings may also be a legitimate interest.
Public bodies are, however, not able to rely on this legitimate interests justification.
Can children give consent?
Children under 13 can never give consent to processing of personal data required for online services (e.g. provision of an email or Facebook account). Children 16 and over can give consent themselves. In between, the default is parental consent unless Member States legislate to reduce the age threshold.
There are no specific rules relating to parental consent for offline data processing: usual Member State rules on capacity would apply here.
Accountability, Impact Assessment and DPOs
It is not enough for organisations to be responsible for compliance – they must be able to demonstrate compliance with data protection principles, including, where proportionate, through adoption of policies. Adherence to approved codes of conduct is suggested as a way of demonstrating compliance (for both controllers and processors).
Where new technologies are used which may involve a high risk for the privacy of individuals (such as monitoring activities, systematic evaluations or processing of specific categories of data), the controller must undertake and document a detailed privacy impact assessment, i.e. evaluate the risks and how they can be limited. Again, compliance with established codes of conduct helps. Where the impact assessment results in the conclusion that there is indeed a high risk for the data subjects, the controller must involve the data protection authority and obtain its view.
In addition, each controller and processor which is a public body or involved in certain listed sensitive activities must appoint a data protection officer. A group of companies can have a combined DPO.
Organisations will need to provide extensive information to individuals about the processing of their data. The GDPR combines the various transparency obligations which apply across the EU. The lists of information to be provided run to 6 pages in the GDPR – however organisations have to achieve what EU bodies have failed to do – and must provide information in a concise, transparent, intelligible and easily accessible way. Use of standardised icons is a possibility, if the Commission chooses to introduce these via delegated acts at a later stage.
Enhanced Individuals' Rights
Rights of access and rectification are retained. There are some protections for data controllers where access requests are unreasonable or excessive.
The right to be forgotten is confirmed and controllers who have made personal data public must take reasonable steps to notify others of the data subject's request for erasure of personal data. The right to be forgotten is not absolute: controllers may still process personal data, notwithstanding an objection from the individual, if there are compelling legitimate grounds for the processing to continue.
Individuals are also given rights to object to certain types of processing. Again, this right is not absolute and the controller's interests can outweigh the individual's. There is an absolute right to object to processing for purposes of direct marketing – and this also covers profiling which is related to direct marketing.
The ability for controllers to engage in entirely automated decision-taking is restricted if the decision could produce legal effects or similarly significantly affect the individual. The individual has a right to object to such processing. Appropriate protections for the individual must also be put in place. If the processing is necessary to enter into, or to perform, a contract then the individual will not have a right to object to the processing – but will have a right of human intervention and appeal. Automated decisions involving sensitive personal data are further restricted.
There is a new right to data portability. Where individuals have provided personal data to a service provider, they will often be able to require the provider to 'port' the data to another provider, provided this is technically feasible. It is however still unclear how such a right interacts with the requirement of data protection by design and by default imposed on data controllers.
Data Controllers and Data Processors
The current system, whereby controllers are responsible for the acts of processors, is maintained. However, in some areas (e.g. data transfers) responsibilities are now placed on data processors directly as well.
The contract for appointing a processor must be more detailed: in particular, the GDPR stipulates that processors must seek approval to appoint sub-processors and to transfer personal data out of the EEA. The GDPR also enshrines the controller's right to audit the processor. Standardised contracts are foreseen.
Where two organisations jointly determine purposes and means of personal data processing, they will be joint data controllers. They must determine between themselves how they will comply with their obligations; however, individuals can exercise rights against either of the joint controllers.
Damages and penalties
Individuals are entitled to claim compensation for material, or immaterial, damage from the controller or processor; however, processors will only be liable for breach of those provisions of the GDPR which are directed to processors, or if they act outside the lawful instructions of the controller.
Organisations have the burden of proving that they are not responsible for the event which has caused the damage.
Where multiple controllers or processors are involved in data processing, if any one of them is responsible for any of the damage, then it will be responsible to the individual for all of the damage – albeit with an ability to claw back compensation from the other controllers.
Supervisory authorities have the ability to impose monetary penalties against controllers or processors (depending on the particular provision of the GDPR which is breached). The penalty can be tailored to reflect aggravating or mitigating factors. The maximum fine will be 4% of an undertaking's total worldwide annual turnover in the previous year. There is a 'low' cap of 2% of turnover for breach of more minor provisions in the GDPR.
"One-stop shop" (or not?)
The GDPR will revolutionise the process by which data protection laws are supervised. Other than where specified national law considerations apply, a lead supervisory authority located in the EU member state in which an implicated organisation has its "main" or single establishment will regulate the GDPR.
A detailed structure by which that authority will liaise and co-operate with other authorities is set out, as are processes for situations where authorities disagree with one another, including the creation of a European Data Protection Board (EDPB) which, amongst many other things, will issue opinions on particular decisions. The EDPB will be comprised of one representative of each EU member state's supervisory authorities and a representative of the European Commission (on a non-voting basis).
Organisations will need to work out which their supervisory authority is – factors such as the location of management functions relevant to data processing will be relevant to "main" establishment identification, including where one company controls the operations of a group. Developing a good working relationship with one's supervisory authority will be key.
Filings and record keeping
The current system of submitting routine notifications to the relevant supervisory authority has been abolished. Instead, both controllers and processors will need to keep internal records of the processing which they carry out – including name and contact details for processors, controllers and joint controllers. There is an exemption from these documentation requirements for SMEs – organisations which employ fewer than 250 people. The SME exemption will not apply if the organisation engages in risky processing, processing of sensitive personal data or data about criminal convictions, or the processing is 'not occasional'. This last proviso seems to mean that many online start-ups will still have to maintain processing documentation.
Security Breach Notification
Controllers must notify data breaches:
- To supervisory authorities, without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Notification can be phased if necessary.
  - There is no obligation to report a breach which is unlikely to result in a risk to individuals; however, organisations must still retain records of breaches, so that supervisory authorities can assess compliance.
  - The notification must contain details of the nature of the breach and its scale (types of data; volume of individuals and records affected).
  - Likely consequences and mitigating steps should be provided.
- To individuals, but only if the breach is likely to pose a 'high risk' to them.
  - Notice should be without delay, should be in clear language and should include information about mitigating steps and contain a point of contact for more information.
  - There is no obligation to notify individuals if the risk has been mitigated (e.g. by encryption of the data or by post-breach action of the controller).
  - Notice can be given by public announcement in some situations.
Processors must notify breaches to controllers but not to supervisory authorities or individuals.
As an aside, organisations which fall under the ambit of the separate provisions of the Network and Information Security Directive (the so-called Cyber Directive) will need to ensure that they have processes in place to comply with the provisions of both pieces of legislation, in particular those relating to breach notification.
The current system is broadly carried across, with some improvements.
Existing methods for transferring personal data (other than safe harbor) continue to be recognised under the GDPR. Standard contractual clauses and white-listed countries retain their special status – although the Commission must review their status on an ongoing basis. Authorisations for Binding Corporate Rules will remain valid – and the GDPR writes into law the current requirements for BCRs for controllers and processors. This will be helpful in those few Member States which are still not able to recognise BCRs.
The current process, whereby transfers based on standard contractual clauses have to be notified to, or approved by, data protection authorities, is abolished.
A novelty is that transfers will be permitted based on certifications issued under the newly introduced scheme of Article 39, provided that binding and enforceable commitments are made by the controller or processor to apply the appropriate safeguards, including as regards the data subjects’ rights.
Finally, as widely trailed, the GDPR makes clear that it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country.
Derogations generally: Member States retain the ability to introduce derogations where required for purposes of national security, prevention and detection of crime and in certain other prescribed situations. In line with case law of the CJEU, any such derogations must respect 'the essence' of the right to data protection and be a necessary and proportionate measure.
Health research: Sensitive personal data may be processed for public health purposes (defined widely) in the public interest without consent, provided this is on the basis of EU or Member State law.
Historical and scientific research and statistical processing: sensitive personal data may also be processed for these purposes if EU or Member State law so provides. Data must be pseudonymised wherever possible.
Member States are specifically given the ability to enact more conditions (presumably, permissive), or limitations, on the processing of genetic, biometric or health data.
LEA Directive implementation
Along with the agreement on the GDPR, the EU trilogue reached an agreement on the Data Protection Directive for the police and criminal justice sector, which is intended to replace the Council Framework Decision 2008/977/JHA of 27 November 2008. The GDPR provides that it should not apply to the processing activities for the purposes set out in the Directive, except when expressly referred to in the Directive.
The Directive provides for new rules on data protection in the law enforcement area (the "LEA Directive") and is aimed at ensuring a high level of protection of personal data when processed by the police and judicial authorities at purely national level. Furthermore, the LEA Directive provides in general terms that the exchange of personal data shall be facilitated between law enforcement authorities within the EU.
The LEA Directive will build on the GDPR and includes a number of concepts found in the GDPR, such as data protection by design and by default and the appointment of a data protection officer. Also, the supervisory authority established under the GDPR could be the same as that which would deal with matters falling under the LEA Directive. Moreover, notwithstanding the existence of strong rights for the benefit of the data subject inspired by the GDPR, the LEA Directive includes limitations, such as to the right of access, for instance to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences. Also, the LEA Directive grants data subjects the right to receive compensation if they have suffered damage as a result of processing that is not in compliance with the provisions adopted pursuant to the LEA Directive.
The LEA Directive will enter into force on the first day following its official publication. However, Member States will have two years to transpose the provisions into their national laws. In doing so, Member States may set higher data protection standards than the ones set out in the LEA Directive.