To establish common rules on data protection and to help implement the Digital Single Market Strategy, the European Union set forth two instruments to reform the 1995 data protection rules (see here):
- the General Data Protection Regulation (“GDPR”)
- the Data Protection Directive to ensure cross-border cooperation and protect personal data in the police and criminal justice sector (“Directive”)
Status. In December 2015, trilogue meetings between the European Council, Parliament and Commission resulted in an agreement on the reform (see here). On December 18, 2015, the Council Permanent Representatives Committee (Coreper) confirmed the GDPR’s final compromise text. On January 28, 2016, Coreper made the latest text of the GDPR publicly available. The text will have to be adopted by the Council and, subsequently, by the Parliament. Both the GDPR and the Directive are likely to enter into force in spring 2016 and to become applicable as of spring 2018 (see here for more information).
We will discuss here some key aspects of the GDPR. References to the GDPR in this blog reflect numbering in the draft released by Coreper on January 28, 2016. In the final version the numbering of the articles is likely to change.
Scope of application. First, the new rules protect all individuals (“natural persons”), “whatever their nationality or place of residence” (see Whereas 12), in relation to the processing of personal data. In addition, the GDPR applies to all organizations that process data of data subjects who are in the European Union when the processing activities (i) relate to the offering of goods or services to “data subjects in the Union” or (ii) relate to the monitoring of the data subjects’ behavior (Article 3).
The GDPR expands slightly on the Directive’s definition of personal data. The Regulation now defines personal data as:
any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Article 4(1).
“Sensitive” personal data (now called “special categories of personal data” – Article 9 GDPR) include two new categories of information: genetic and biometric data, which reveal information about the health and the physical characteristics of individuals. Sensitive personal data require the data subject’s explicit consent to be processed.
More control by data subjects. The GDPR gives data subjects more control over their personal data by establishing:
- Easier access to data. Individuals will have more information on how their data is processed, in a clear and understandable way (Article 12 and following);
- Data subject consent. Consent must be given in relation to specific purposes (Article 6(1)(a)) and it may be withdrawn at any time (Article 7(3)). Consent must have the characteristics indicated in Article 4(8). Most importantly, consent must be “informed”. Processing without consent is permitted only in the cases listed in Article 6(1)(b)-(f), but note that the GDPR “narrows” the existing grounds for lawful processing, including where the processing is necessary for “legitimate interests” (Articles 5 and 6);
- Principle of “data minimisation”. The principle of data minimisation is spelled out and provides that data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Article 5(1)(c).
- Clear “right to be forgotten”. The GDPR clarifies that the data shall be deleted when there are no legitimate grounds for retaining it (Article 17);
- Right to “data portability”. The GDPR specifies the right to transfer personal data between service providers (Article 18);
- Right to know of data breaches. Serious data breaches must be (i) notified to the national supervisory authority “without undue delay” and no later than 72 hours after the controller has become aware of the breach (Article 31); and (ii) when “the personal data breach is likely to result in a high risk to the rights and freedoms of individuals”, communicated to the data subject “without undue delay” (Article 32);
- Right to representation. Data subjects shall have the right to have non-profit associations protect their rights and freedoms before a DPA or in court (Article 76);
- Right “not to be profiled”. “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her” (Article 20). Examples of such decisions include “automatic refusal of an on-line credit application or e-recruiting practices without any human intervention” (Recital 58);
- Pseudonymisation and encryption. The GDPR sets out controllers’ duty to use pseudonymisation and encryption as a way of securing the processing of personal data (Article 30). This would reduce risks for the concerned data subjects and help controllers and processors meet their data protection obligations;
- More protection for children. The GDPR specifies that, for a child younger than 16 using mobile applications and services on the internet, the holder of parental responsibility must give consent for the processing of the child’s personal data to be legitimate (Article 8).
Why is having a “regulation” instead of a “directive” important? The GDPR will replace Directive 95/46/EC. Being a regulation rather than a directive means that it will apply directly and uniformly across the EU. See more on this in Nathan M. Crystal & Francesca Giannoni, Something’s Got to Give - Cloud Computing, as Applied to Lawyers – Comparative Approach Us and EU and Practical Proposals to Overcome Differences, Opinio Juris in Comparatione Vol. I, n. I, 2014 (available at http://www.opiniojurisincomparatione.org/) at 39. This is a benefit to businesses. If today a company wants to expand from France to Germany, its data processing activities are subject to separate sets of data protection rules and authorities. This entails a big burden for the organization, including the necessity of incurring legal costs. With the new GDPR, these extra costs will no longer be incurred.
Why is the GDPR a step towards implementing the Digital Single Market Strategy? The GDPR establishes several provisions to that effect (which also benefit organizations in today’s digital economy), such as:
- One continent, one law. As mentioned, there will be one single set of rules for all companies that do business in the EU, rather than 28 different national data protection laws;
- European rules on European soil. Clarity is the benefit here: non-EU companies offering services in the EU or monitoring the behavior of EU data subjects will know for sure that they must abide by the GDPR rules (Article 3);
- One-stop-shop. Businesses will deal with one single supervisory authority (Article 54(a) and following), saving time and money. The lead DPA will cooperate with the other concerned DPAs. The GDPR establishes a European Data Protection Board, which will issue guidance, including in case of disputes among the national DPAs (Whereas 106 and Article 58 and following). The Board will include the head of each national DPA and the European Data Protection Supervisor (a composition very similar to that of the Article 29 Working Party; see Whereas 110);
- Risk-based approach. The rules are tailored to companies’ risks and avoid burdensome one-size-fits-all obligations (see in general Articles 22, 23, 28, 30 and 33 of Chapter IV on controllers’ and processors’ responsibility).
Requirements for data controllers. The GDPR requires businesses to comply with several obligations to foster adequate protection for data subjects, among which:
- Impact assessments and prior consultation. Data controllers must now conduct data protection impact assessments when carrying out high-risk processing (DPAs will produce a list of the types of processing operations that require an impact assessment). Where an impact assessment indicates a high risk, the data controller must consult the supervisory authority, in the absence of measures taken by the data controller to mitigate those risks (Articles 33 and 34);
- “Privacy by design” principle. Data protection safeguards will have to be built into products and services from the earliest stage of development, the so-called “data protection by design” (Article 23);
- Security of processing. The GDPR suggests implementing pseudonymisation, encryption and other technical measures to ensure the confidentiality and resilience of processing. These provisions apply to processors as well as controllers (Article 30);
- Appointment of data protection officers. It is likely that most medium to large organizations acting as controllers or processors will have to appoint a data protection officer. The appointment is required where (a) “processing is carried out by a public authority or body”; (b) “the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”; or (c) “the core activities of the controller or processor consist of processing on a large scale of special categories of data pursuant to Article 9 and data relating to criminal convictions and offences referred to in Article 9a.” Article 35.
Penalties. The GDPR establishes that Member States should implement a system “which provides for effective, proportionate and dissuasive penalties”. Non-compliance with the Regulation will be punished with administrative fines of up to EUR 10,000,000 or EUR 20,000,000 (depending on the rule which is breached) or, in the case of an undertaking, of up to 2% or 4% (again depending on the rule which is breached) of the total worldwide annual turnover of the preceding financial year, “whichever is higher” (Article 79).
Transfers. Decisions of adequacy under Directive 95/46/EC continue to have effect but will be subject to review. Existing mechanisms for transfer, such as binding corporate rules, model clauses, approved codes of conduct or other approved certification mechanisms, continue to be valid (Article 41 and following). Article 43(a) prohibits the transfer of personal data required by a third-country court decision or administrative authority if this is not compliant with a mutual legal assistance treaty or an international agreement.
More information on the data protection reform is available at http://www.consilium.europa.eu…