The EU General Data Protection Regulation (the “GDPR”) was adopted by the EU Parliament last April 14, 2016. The GDPR will replace the EU Data Protection Directive (95/46/EC), which was implemented more than 20 years ago. After a two year transition period to integrate the new obligations, the GDPR will be directly applicable in all EU Member States in June 2018.
The GDPR’s aim is to unify data protection law within the European Union and increase data subjects’ rights (I). This involves strengthened obligations for companies in terms of compliance (II), as well as extended powers of Data Protection Authorities (“DPA”) (III).
I. REINFORCEMENT OF INDIVIDUALS’ RIGHTS
Under the GDPR, consent requirements are more precise: the request for consent must be presented in a clear and unambiguous language (which excludes in particular privacy policies presented in lowercase letters), so that the person is able to give a free, specific and informed consent. Consent must be explicit, rather than implicit. Silence, pre-ticked boxes, or inactivity may thus not constitute valid consent.
While preparing, companies should assess whether they can rely on data subject consent and if so, if consent is freely given and sufficiently informed. They may alternatively be able to show that they have a legitimate purpose for processing. Note that there are no specific provisions for employees; under the GDPR, Member States may implement specific rules for HR data processing. However, it is likely that the Art. 29 Group and certain local DPAs will maintain their current position that employee consent is not deemed to be freely given.
2. RIGHT TO BE FORGOTTEN
The GDPR maintains each individual’s rights of access, correction, deletion, blocking and objection but also introduces new rights, such as the right to be forgotten. Data subjects may require their data to be “erased” if (i) data are no longer necessary in relation to the purposes of the processing, (ii) consent has been withdrawn, (iii) the legal retention period has expired, (iv) the data subject objects to such use or (v) the processing is not in accordance with the GDPR.
Controllers which have made data public and receive an erasure request will need to inform controllers processing the data of the details of the request (e.g., erasure of links to or copies of data).
3. RIGHT TO DATA PORTABILITY
The GDPR confirms the concept of personal data property by establishing a data portability right. Individuals will be able to (i) receive personal data concerning them in a “structured, commonly used, machine-readable and interoperable format”, (ii) transfer the data to another data controller or (iii) request that their personal data be directly transmitted from one controller to another, provided that such transfer is "technically feasible".
Companies should check the data format they use and if it can be easily transferred to another service provider. Transferring data which relates to several data subjects will raise issues.
Children’s privacy is now addressed in the GDPR, which was not the case with the EU Directive. Parental consent is required when offering information services directly to a child under the age of 16. Member States may choose to lower the age level to 13.
This should impact social media providers. Care should be given in drafting notices for services offered to children. Codes of conduct of associations which apply to companies may further provide for additional requirements.
5. EMPLOYEE PRIVACY
Whereas the GDPR’s goal is to harmonize data protection laws throughout the EU, it expressly authorizes individual EU Member States to implement more specific rules for HR data processing. Each Member State will have two years to determine its own rules and disclose these to the EU Commission.
Efforts of harmonization and simplification of the GDPR could thus be undermined by more restrictive local law, still requiring filings for processing of HR data. Note that the CNIL (the French DPA) has not yet taken position in this regard.
II. STRENGTHENING OBLIGATIONS FOR COMPANIES
1. SCOPE OF APPLICATION
The GDPR will expand its territorial reach and apply to any data controller or processor offering goods or services to data subjects located in the EU, as well as to any processing relating to monitoring of data subjects’ behavior within the EU. Data processors or subcontractors having an establishment located in the EU and processing personal data for their activities will also be subject to the GDPR, bearing in mind that the concept of "establishment" has been broadly interpreted by the Court of Justice of the European Union.1
Where a controller or processor is not established in the EU, but is subject to the GDPR, the controller or processor will generally need to designate an EU representative by written mandate. Companies without an EU presence which offer goods or services to EU individuals or monitor their behavior should therefore get prepared to comply with the GDPR.
2. DATA PROCESSOR LIABILITY
Data processors will have limited but direct obligations under the GDPR. This includes, for example, implementing appropriate security measures and notifying controllers in the event of a data breach. A processor will be liable for the damage caused by unlawful data processing only if it has not complied with the GDPR obligations which apply directly to data processors or if the processor acted outside or contrary to lawful controller instructions.
Companies should review existing supply agreements to verify if they cover these new processor data obligations, and if changes are needed who would bear the cost thereof.
3. DATA PROTECTION OFFICER
Under the GDPR, only certain companies will be required to appoint a Data Protection Officer (“DPO”). The GDPR requires a DPO where the core activities of the controller or processor consist of (i) processing, which by its nature, scope, or purposes, requires regular and systematic monitoring of data subjects on a large scale, (ii) processing special categories of personal data on a large scale, or (iii) if processing is carried out by a public authority. Member States may also provide for stricter rules and require a DPO in other cases.
The DPO may be an employee or an outside provider; s/he will need to have expert knowledge. A group of companies may appoint a single DPO to act for the group.
4. BREACH NOTIFICATION
The GDPR provides for a general personal data breach notification regime applicable to both data controllers and data processors. Controllers must notify the competent DPA of a breach within 72 hours after the company’s knowledge of the breach, unless such breach is unlikely to result in a risk to the rights and freedoms of individuals. Affected data subjects must also be informed of the breach without undue delay, if the breach is likely to result in a high risk to their rights and freedoms.
Processors must notify the controller without undue delay after becoming aware of a personal data breach.
From a practical standpoint, notifying a breach to the DPA within the required period (72 hours) may prove to be quite challenging in terms of investigating regarding the nature and scope of the breach. Companies will need to adopt internal procedures to handle such data breaches. Companies operating in the United States may be able to use existing procedures used in the U.S. Further bear in mind that some local DPAs currently already require companies to notify data breaches, such as the UK ICO for “serious” data breaches.
5. INTERNATIONAL DATA TRANSFERS
The GDPR maintains the general prohibition of transfers of personal data to non-EU countries that do not provide for an adequate level of protection unless appropriate safeguards are in place. In addition to the existing EU Commission approved Standard Contractual Clauses (“SCC”), the GDPR expressly recognizes the use of “BCRs” (Binding Corporate Rules), as well as SCC adopted by a DPA and approved by the Commission. Obtaining the prior authorization of DPAs for transfers based on SCCs will however no longer be required in jurisdictions which required such prior authorization. The GDPR does not refer to the safe-harbor scheme, nor to its envisaged replacement, the privacy shield.
SCCs and BCRs in place should therefore remain appropriate and not require any changes. Companies should also ensure they have a legitimate reason for transferring personal data outside the EU, to avoid potential fines.
The GDPR defines in greater detail the information requirements that have to be met in order to duly inform and notify data subjects about the processing of their personal data.
It will be important to review existing privacy notices and policies to make sure that information is sufficiently extensive and given in a transparent and concise way.
Under the GDPR, controllers and processors will have a diverse set of rules to follow in order to insure and prove accountability and compliance. For example, they must maintain documentation on the personal data being processed and purpose, provide for data protection impact assessments for more risky processing (e.g., cases of high risk for the rights and freedoms of individuals, such as large scale processing of sensitive data or profiling activities) and implement data protection by design and data protection by default (by integrating data compliance measures to their data processing activities).
Privacy impact assessments (“PIAs”) must include a description of the processing and their purpose and an assessment of the processing need, proportionality, risks and measures. Industry codes in relation to PIAs will most likely be adopted. Adopting policies or pseudonymisation are examples of privacy by design or by default measures to ensure compliance by minimizing data use.
III. ENFORCEMENT BY DATA PROTECTION AUTHORITIES
The penalty scheme for violating the GDPR will drastically differ from the type of penalties to which companies are accustomed under the EU Directive. DPAs will have authority to impose fines that may reach the greater of 20 million Euros or 4 % of the company’s total annual worldwide turnover, for example for breach of requirements relating to international transfers or basic processing breaches, such as conditions for consent. Other infringements will give rise to fines of up to 2% of the annual worldwide turnover or 10 million Euros. DPAs will have enhanced powers, such as investigatory powers (access to premises, power of injunction) or corrective powers (binding orders).
If the infringement is minor or if the fine is likely to constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Various factors, such as actions taken to mitigate damage suffered by data subjects, degrees of responsibility of the controller or processor, will be taken into account to determine the issuance and amount of the fine.
It is recommended to assess possible liability under existing customer, supplier and/or partner agreements (i.e., review of contract liability limitation and exclusion clauses) and modify insurance coverage, if needed.
2. REMOVAL OF ADMINISTRATIVE NOTIFICATION REQUIREMENT
The Directive provided for a general obligation to notify DPAs about the processing of personal data. This requirement was considered by many organizations as burdensome; the GDPR removes this obligation. Data controllers will instead need to put into place effective procedures, especially as regards high risk processing, and in some cases carry out PIAs.
Hopefully, processing of HR data, which may give rise to specific local rules will not require any notifications to DPAs.