The new European General Data Protection Regulation (the “Regulation”) is in force and will apply to EU member states from 25 May 2018, replacing the Directive 95/46/EC (“Directive”). The Regulation could have a significant impact on businesses in the context of data protection issues.
What are the implications?
Key features of the Regulation include:
- Greater harmonisation: the Regulation aims to introduce one set of data protection standards which apply in a uniform manner across all EU member states, which should be a more attractive model for businesses which operate globally.
- Territorial scope: the Regulation has wide territorial application, even for businesses outside the EU. It applies to controllers and processors that have an establishment within the EU even if the processing takes place outside the EU, and “establishment” has a wide meaning. In addition, it applies to controllers and processors outside the EU that process the personal data of data subjects in the EU, where the processing activities relate to goods or services offered to data subjects in the EU (whether or not for payment) or to the monitoring of their behaviour within the EU. For example, simply providing a website, accessible in the EU, which enables goods or services to be ordered in a language or currency generally used in one or more member states may indicate that a controller or processor envisages offering goods or services to data subjects in the EU. This marks a broadening of the current position and will affect many industries, including e-commerce companies and providers of cloud computing services.
- Accountability: the general obligation for controllers to notify with the ICO is abolished in favour of more proactive accountability requirements for both controllers and processors. Controllers are required, in particular:
- to adopt internal policies and compliance procedures and demonstrate compliance with the Regulation;
- to implement a privacy by design and privacy by default approach to processing;
- to implement appropriate security measures;
- where processing is likely to carry a high risk, to conduct risk assessments known as “Data Protection Impact Assessments” (often referred to as Privacy Impact Assessments) and, where the assessment indicates a high risk that cannot be mitigated, to consult the ICO before processing starts;
- depending on the type of processing, to appoint a data protection officer; and to document their data processing activities and make those records available to the ICO upon request (some organisations with fewer than 250 employees will be exempt from this record-keeping requirement).
Additionally, consents and privacy notices will need to be updated to take account of more detailed requirements to specify data retention periods and transfers outside the EEA.
- Processors: the Regulation places a number of new obligations directly on processors, including the responsibility to implement appropriate security measures when processing personal data on a controller’s behalf (which was previously a contractual requirement). Certain of the accountability requirements, for example record-keeping requirements and the requirement to appoint a data protection officer in certain circumstances, also apply to processors and, for the first time, they are liable to fines and other regulatory action. This is one of the major changes from the existing regime – see our separate note on this topic and the implications for processors.
- Meaning of “personal data”: the definition of “personal data” captures all data from which a living person is identified or identifiable, and extends to online identifiers such as IP addresses and cookie identifiers where, combined with other identifiers received by servers, they can be used to identify the individual. The definition of sensitive personal data will also now include specific references to biometric data which uniquely identifies an individual and to genetic data.
- Consent: consent (if relied upon) must be “unambiguous” – or “explicit” for sensitive personal data, which reflects the current position under the existing EU regime but represents a change from the initial draft of the Regulation. Consent still needs to be freely given, specific and informed and now must be demonstrated by an “affirmative act”. Silence, pre-ticked boxes or inactivity are unlikely to be sufficient, whereas ticking a box when visiting a website or choosing certain technical settings may be. The burden of evidencing and proving consent falls firmly on the controller, so online service providers in particular will wish to consider how they will evidence and record data subject consent in each case.
- Protection for children: the Regulation includes new provisions on how controllers process personal data belonging to children using their online services (eg, email or social networking sites). Where relying on consent, parental or guardian approval will normally be required for children under 16 years old, but individual member states can lower the threshold to children under 13 (but no lower). Service providers may wish to consider what measures they will put in place to verify whether a parent has given or authorised consent.
- Portability of data: the Regulation introduces a few new data subject rights and the controller is responsible for compliance. For example, data subjects have the right to receive in a structured and commonly used and “machine-readable” format, and to transmit to a new controller, a copy of personal data which they have provided to an existing controller. This applies to data which is electronically processed on the basis either of consent or contractual necessity. Where technically feasible, the controller may be required to transmit the personal data directly to the other controller. The right is designed to allow data subjects to move their personal data seamlessly between online providers. The Article 29 Working Party (a body composed of representatives of the national data protection authorities amongst others) has issued guidelines and FAQs which explain how controllers can comply with this new requirement.
- Right to be forgotten: a new “right to be forgotten”, or “right to erasure” is introduced, entitling the data subject to require the controller to erase personal data “without undue delay”, though the right is balanced (amongst other things) against the public interest and the right to freedom of expression. This is broader than the current right to apply to search engine providers to remove outdated personal data from search listings, confirmed by an ECJ ruling in 2014, and is something that businesses across all industries will need to be aware of. If the data are publicly available (eg, can be found and accessed through a search engine), the controller must take reasonable steps to inform third party controllers processing the personal data that the data subject has requested links and copies of the data to be erased. The controller must communicate the fact that it has been erased to any recipients of the data, unless it would be impossible or involve disproportionate effort to do so.
- Data subject access requests: controllers will no longer be permitted (initially) to charge the £10 administration fee, but may charge a reasonable fee if asked to provide more than one copy of the personal data to the data subject. The request must normally be dealt with within one month (shorter than the current 40 days), and the type of information that must be provided is broader.
- Data protection officers: as part of a drive for greater accountability, public bodies and businesses whose core activities consist either of the regular, systematic and large-scale monitoring of data subjects, or the large-scale processing of sensitive personal data or personal data relating to criminal convictions and offences, must appoint data protection officers. In the case of a group of companies, it will be sufficient to appoint a single officer for the group, although sufficient access to that officer may need to be guaranteed for each group company. The data protection officer must be able to perform their duties independently and must not be dismissed or penalised for doing his or her job. The Article 29 Working Party has issued guidelines and FAQs which clarify when a data protection officer will need to be appointed, who can carry out the role and what it entails.
- Data breach notification: controllers have mandatory breach notification obligations, but there are materiality thresholds. Breaches which pose a high risk to individuals must be notified to the regulator and to the affected data subjects, unless steps have been taken that render the data unintelligible to anyone not authorised to access it (such as encryption) or otherwise remove the high risk; note that encryption only has this effect if the data remain unintelligible to the attacker, so a breach in which the encryption key is also compromised does not benefit from it. Notification to data subjects can be done by a public communication if it would involve disproportionate effort to contact each individual. If the breach is lower risk, only a notification to the regulator will be necessary. If the breach is unlikely to result in a risk to individuals, there is no requirement to notify at all, though the breach and the remedial actions must still be documented. Controllers must advise the regulator “without undue delay” and, where feasible, within 72 hours of becoming aware of a notifiable breach, but information can be provided in phases if necessary. Notifications to data subjects must likewise be made without undue delay, but there is no fixed deadline. Processors do not have to notify the regulator or data subjects, but must notify controllers of any breach without undue delay.
- Data transfers: transfers to non-EEA countries are still restricted, but there are some changes. The Commission will continue to maintain a list of “adequate” countries to which transfers will be permitted but, following the Schrems case, the EU-US Safe Harbour scheme which permitted transfers to companies in the US has been replaced by the EU-US Privacy Shield (the US itself has not been deemed adequate). Controllers and processors may make use of existing measures such as binding corporate rules and standard contractual (“model”) clauses, but transfers may also be permitted under approved certifications and codes of conduct issued under the new regime, provided these are backed up by binding and enforceable commitments of the non-EEA controller or processor to apply appropriate safeguards. There are still a number of derogations (including where the data subject, having been informed of the risks, has given “explicit” consent to the transfer).
- Penalties: the maximum fine for controllers and processors for breaches of the Regulation is EUR 20 million or 4% of annual worldwide turnover in the previous financial year, whichever is higher; for breaches of less serious provisions of the Regulation, the maximum fine is the greater of 2% of annual worldwide turnover or EUR 10 million. The current maximum penalty in the UK is £500,000, so this represents a massive increase in potential sanction. In addition, controllers and processors could be liable to compensate data subjects who suffer “material or non-material damage” as a result of their non-compliance.
- One stop shop: in an attempt to streamline the system of supervision of cross-border processing, controllers and processors will normally only have to deal with the regulator in the country of their single or “main” establishment, a concept which is defined in the Regulation. However, other national regulators would be able to deal with complaints that either only relate to establishments in their member state or substantially affect data subjects just in their member state. Businesses with pan-European operations will want to ascertain the country of their main establishment in order to work out who their lead regulator will be and should consider the relevant Article 29 Working Party guidelines and FAQs.
The Regulation will be relevant to businesses in the UK irrespective of Brexit, in particular because:
- The Regulation is directly applicable, meaning that it will apply in EU member states without the need for national implementing legislation. As the formal exit process provided by the Treaty on European Union takes two years (potentially longer if agreed), it is likely that the UK will not have left the EU by 25 May 2018 and therefore that the GDPR will apply in the UK from that date.
- The UK could adopt the same model as Iceland, Liechtenstein and Norway and remain in the EEA, giving the UK access to the single market. EEA states are required by the EEA Agreement to implement the Directive so, if the UK remained in the EEA, it is possible it would be obliged to implement the Regulation.
- If the UK does leave the EEA, it would be subject to the restrictions on transfers outside of the EEA (in the same way, for example, as the US) and would need to prove its ‘adequacy’. The ICO has indicated that a reform of the existing framework would be required and that the UK would need to adopt equivalent data protection standards to those in the Regulation.
- Even if the Regulation does not apply directly in the UK or is not implemented in the UK, due to its extraterritorial scope, UK businesses that offer goods or services to, or monitor the behaviour of, individuals in the EU will need to comply with it (see the section on Territorial scope above).
The Regulation became law on 24 May 2016 but allows for a two-year implementation period, meaning that its provisions will only apply from 25 May 2018. Given the extensive changes that are planned, businesses should however start to consider how to deal with the impact of the Regulation as soon as possible.