The General Data Protection Regulation – are you compliant?
The European Union’s (EU) General Data Protection Regulation 2016/679 (the ‘regulation’), applying to the EU and the European Economic Area (EEA), is enforceable from Friday, May 25th 2018. This date marks the conclusion of a two-year transition period which enabled businesses to bring their data policies in line with the new regulations.
Brexit
No article is complete without something about Brexit. The regulation has become national data protection law and, post-2019, we expect the UK will largely follow judgments of the Court of Justice of the European Union (the ‘CJEU’) on the interpretation of the regulation to keep the UK in line with the wider European consensus on data protection. It is not expected that the UK will be treated as outside the standards that allow data to flow freely post-2019.
Expanded territorial scope – The Regulation applies to everyone even outside Europe
The new regulation means that if a controller or a processor:
- Offers free or paid for goods or services to data subjects in the EEA; or
- Monitors the behaviour of data subjects, and that behaviour takes place in the EEA
then that controller or processor, notwithstanding that it is a non-EU controller or processor, will be subject to the regulation. This means that wherever you are based you need to pay attention to the European regime if you are dealing with data from Europe.
This follows developments in EU case law where the scope of an organisation’s operations has been relevant to whether the entity is caught by a national data regime, as happened in Weltimmo [2015] EUECJ C-230/14 (1 October 2015):
In that case, the Hungarian national data protection authority (‘NDPA’) sought to fine Weltimmo, a Slovakian-registered online property company, which advertised properties in Hungary. The Hungarian NDPA received complaints that Weltimmo had committed breaches of local data protection laws in Hungary (as existed by reason of the transposition of the directive).
The CJEU ruled that the data protection laws of one EU member state may apply to a controller even when it is registered in a different EU member state, if, in relation to its data processing activities, there is ‘any real and effective activity, even a minimal one, exercised through stable arrangements’ in the first EU member state.
The CJEU also ruled that, on the other hand, an NDPA may determine that the law of another EU member state applies. In such circumstances, the NDPA may only exercise its intervention powers within its own territory and may not impose a sanction on a controller which is not established within its territory. It should instead request the NDPA of the EU member state whose law is applicable to act.
In essence, following the regulation, many non-EU businesses that were not required to comply with the Data Protection Directive (the ‘directive’) may be required to comply with the regulation. Businesses established outside the EU that are not subject to the directive but have some presence in the EU (e.g. a regional office or a subsidiary), or who process EU subjects’ data, or do both, should consider if they need to comply with the regulation.
The one-stop shop
Under the directive, each NDPA may exercise authority over businesses operating on its territory. Under the regulation, a firm will be able to deal with a single NDPA as its ‘lead supervisory authority’ (‘lead SA’) across the EEA so far as concerns transfers between member states or in and out of the EEA.
Where a controller or processor has more than one establishment in the EU (whether or not it is an EU concern), the regulation anticipates that if cross-border processing is involved they will have a main establishment, and work with the NDPA for the main establishment. The lead SA will be responsible for all regulation of cross-border processing activities carried out by that controller or processor.
The lead SA must work with all other ‘concerned SAs’. All concerned SAs may participate in decisions on enforcement relating to cross-border processing activities. It is conceivable that a business can be the subject of joint or even several actions by more than one regulator. If the relevant SAs cannot agree then the matter is referred to the European Data Protection Board (EDPB).
Purely local cases will continue to be handled by the local NDPAs.
Recent CJEU decisions have emphasised the independence of NDPAs and their competence to enforce data protection law where the controller is ‘established’ in their member state or substantially affects subjects in their member state:
- Schrems v Data Protection Commissioner (Case C-362/14, 23 September 2015).
- Weltimmo (see above).
Increased enforcement powers – The Regulation has Teeth
Currently, local fines are comparatively low (e.g. in the UK the maximum fine is £500,000). The regulation will change the landscape, and NDPAs will be able to impose fines on data controllers and data processors on a two-tier basis, as follows:
- Up to 2% of annual worldwide turnover of the preceding financial year or €10m (whichever is the greater) for infractions relating to record keeping, contracts with processors, notifications in the case of a data security issue, data protection officers, and failure to implement data protection by design and default.
- Up to 4% of annual worldwide turnover of the preceding financial year or €20m (whichever is the greater) for infractions relating to breaches of the data protection principles, conditions for consent, data subjects rights and international data transfers.
- In addition, NDPAs can be given the power to impose fines for other breaches.
The NDPA can carry out audits, carry out site inspections and may require the provision of information. What was perceived as low-risk is likely to become high-risk in the light of the power to impose substantial fines.
Consent, as a legal basis for processing, will be harder to obtain
The directive distinguished between ordinary consent (for non-sensitive personal data) and explicit consent (for sensitive personal data). The position under the regulation is to explain what these expressions mean in a little more detail.
The regulation requires a clear and affirmative action establishing that the individual agreed to their personal data being processed, and that consent must be freely given, specific, informed and unambiguous.
Where consent is necessary (and it is not always so) businesses must be able to demonstrate that the data subject gave their consent to the processing and they bear the burden of proof that consent was validly obtained.
When the processing has more than one purpose, the data subject should give their consent to each purpose.
The execution of a contract or the provision of a service cannot be conditional on consent to processing or use of data, if the data is not necessary for the execution of the contract or the provision of the service. Controllers cannot rely on consent as a legal basis for processing if there is a ‘clear imbalance’ between the parties, as consent is presumed not to be freely given. The point of this rule is to stop a controller from making the provision of a service conditional upon consent, unless the processing is necessary for the provision of that service.
A controller must ensure that a subject can withdraw consent at any time. It must be as easy to withdraw consent as to give it.
Consent mechanisms are likely to be the subject of intense scrutiny by the regulator.
The risk-based approach to compliance
The regulation requires controllers to assess the degree of risk that their processing activities pose to subjects. The regulator has published a guide to assist businesses, which, in summary, recommends that businesses:
- Create awareness among the senior decision makers in the business.
- Audit and document the personal data they hold, recording where it came from and who it is shared with.
- Review the legal basis for the various types of processing that they carry out and document this.
- Review privacy notices and put in place a plan for making any changes to comply with the regulation.
Privacy by design and by default, privacy impact assessments, prior consultation and standardised icons
Mandatory privacy by design and default
Businesses will be required to implement data protection by design, for example, when creating new products, services or other data processing activities, ensuring that there is adequate security in place and that compliance is monitored. The nature and extent of such measures are determined with reference to the state of the art and the cost of implementation, taking into account the nature, scope, context and purposes of the processing as well as the risk to individuals. Privacy by default (for example, data minimisation) requires that default privacy settings apply for each customer at the time of the determination of the means for processing and at the time of the processing itself.
Mandatory privacy impact assessments
Controllers will be required to perform privacy impact assessments before carrying out any processing that uses new technologies (and taking into account the nature, scope, context and purposes of the processing) that is likely to result in a high risk to data subjects. The purpose of a privacy impact assessment is to ensure:
- That there is a systematic and extensive evaluation of automated processing, including profiling, on which decisions are based that produce legal effects concerning the subject or otherwise significantly affect the subject.
- That processing of special categories of personal data or data relating to criminal convictions and offences on a large scale is properly understood and considered.
- That there is systematic monitoring of publicly accessible areas in cyberspace.
The NDPA will publish a list of the kind of processing operations that require a privacy impact assessment.
Controllers can carry out a single assessment to address a set of similar processing operations that present similar high risks.
Mandatory prior consultation
Where a privacy impact assessment suggests that the processing is high risk to the subject then the controller must consult with the NDPA, before any processing takes place.
In addition, standardised icons to indicate important features of the relevant data processing activities in a simplified format may be prescribed by the member state or the commission.
In particular, the regulation requires controllers to implement technical and organisational measures (such as pseudonymisation) to ensure that the requirements of the regulation are met. Businesses must both:
- Take data protection requirements into account from the get-go where any new technology, product or service that involves the processing of personal data is used on an ongoing basis.
- Conduct privacy impact assessments where appropriate.
Records
Instead of registering with an NDPA, the regulation will require businesses to maintain detailed documentation (known as article 30 information) recording their processing activities and the regulation specifies the information this record must contain.
Data processors must keep a record of the categories of processing activities they carry out on behalf of a controller. The regulation specifies what this record must contain.
These obligations do not apply to an organisation employing fewer than 250 people unless the processing is likely to result in high risk to individuals, the processing is not occasional or the processing includes sensitive personal data.
In addition, controllers or processors can be required to appoint a data protection officer, and it remains best practice to do so.
Controllers should:
- Check any current compliance programmes to ensure compliance with the regulation.
- Ensure that records of all processing activities are kept.
- Engage a data protection officer (it is mandatory to do so for businesses with 250 or more employees) with expert knowledge of data protection.
New obligations of data processors
The regulation introduces direct compliance obligations for processors. Under the directive, processors generally were not subject to fines or other penalties; under the regulation they are treated more like controllers. The regulation impacts both processors and controllers that engage processors, in the following ways:
- Processors will have their own compliance obligations.
- In controller/processor negotiations, processors should seek to ensure that the scope of the controller’s instructions is clearer.
Strict data breach notification rules
The regulation requires businesses to notify the NDPA of data breaches without undue delay and, where feasible, within 72 hours.
If the breach is likely to result in high risk to the individuals, the regulation requires businesses to inform data subjects ‘without undue delay,’ unless an exception applies. Processors must notify the controller.
Businesses will need to compile a data breach response plan that designates specific roles and responsibilities, trains employees and prepares template notifications, so that they can react promptly in the event of a data breach. A single plan will suffice for the whole of the EU.
Pseudonymisation
The regulation introduces a new concept of ‘pseudonymisation’ (that is, the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without additional information, but where those data can be re-married with identity information).
There are currently differing approaches to anonymisation and pseudonymisation. The criteria for determining whether data are truly anonymised or pseudonymised are different between EU member states.
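The definition above, as an added example that is not part of the original article: a keyed pseudonym replaces the direct identifiers in each record, and the secret key together with the re-identification table is the ‘additional information’ that must be held separately from the records. The sample records, field names and key are constructed for the example.

```python
"""Added example, not part of the article: pseudonymising constructed customer
records so that, as the regulation's definition requires, a record can no longer
be attributed to a person without 'additional information' (here a secret key
and a re-identification table), which is held separately from the records."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample data; names and addresses are made up.
SAMPLE_RECORDS: List[dict] = [
    {"name": "Alice Example", "email": "alice@example.invalid", "spend_eur": 120},
    {"name": "Bob Example", "email": "bob@example.invalid", "spend_eur": 45},
]
DIRECT_IDENTIFIERS = ("name", "email")


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed HMAC-SHA256 of the identifier. Without the key the pseudonym
    cannot be reversed or confirmed by guessing likely e-mail addresses, so
    the key itself is part of the 'additional information'."""
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Return (pseudonymised records, re-identification table). The table must be
    stored apart from the records, with its own access controls, or the data set
    as a whole remains directly identifying."""
    pseudo_records, lookup = [], {}
    for rec in records:
        pid = make_pseudonym(key, rec["email"])
        lookup[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo_records.append({"subject_id": pid, **kept})
    return pseudo_records, lookup


def reidentify(pseudo_record: dict, lookup: Dict[str, dict]) -> Optional[dict]:
    """'Re-marry' a pseudonymised record with identity information; returns None
    when the holder of the records lacks the table (the intended outcome)."""
    identity = lookup.get(pseudo_record["subject_id"])
    if identity is None:
        return None
    return {**identity, **{k: v for k, v in pseudo_record.items() if k != "subject_id"}}


def has_direct_identifiers(records: List[dict]) -> bool:
    """Check before sharing a data set: no direct identifier column may survive."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-vault"
    pseudo, table = pseudonymise(SAMPLE_RECORDS, key)
    print(pseudo, has_direct_identifiers(pseudo), reidentify(pseudo[0], table))
```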
Binding Corporate Rules (BCRs)
BCRs are agreements used to provide a basis for the lawful transfer of personal data out of the European Economic Area (EEA). The regulation formally recognises BCRs, which will still require NDPA approval. The approval process should become less onerous than the current system.
BCRs will become available to both controllers and processors.
The regulation provides for a number of mechanisms to regulate the transfer of personal data out of the EEA. The regulation also formally recognises BCRs as a lawful data transfer mechanism (the directive does not). Under the regulation it is easier for businesses to obtain approval from NDPAs of their BCRs.
The right to be forgotten
The actual right is the right not to have one’s personal data aggregated indiscriminately by an aggregating service such as Google.
Subjects will have the right to request that controllers delete their personal data in certain circumstances (for example, the data are no longer necessary for the purpose for which they were collected or the data subject withdraws their consent). It remains unclear precisely how this will work in practice especially since there is an informal practice that records are kept for accounting purposes of at least 7 years.
In May 2014 in Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C-131/12, 13 May 2014, on a referral from a Spanish court, the CJEU looked at that aggregation problem and ruled that in an aggregation case an individual has a right to rectification, erasure or blocking of that information so as to stop aggregation, and a right to object to the processing of the information so as to result in aggregation. The case is no authority for token or single uses on the internet.
The right to object to profiling
In certain circumstances, subjects will have the right to object to their personal data being processed (which includes profiling).
‘Profiling’ is defined broadly and includes most forms of online tracking and behavioural advertising, making it harder for businesses to use data for these activities. Profiling must be disclosed to the subject, and a privacy impact assessment is required.
The Regulation prohibits profiling decisions based solely on automated processing unless one of the following conditions is met:
- It is necessary to perform a contract between the subject and Controller.
- It is authorised by EU or Member State law.
- It is based on the subject’s explicit consent.
Subjects will have an unconditional right to object to profiling done for direct marketing purposes. As such, companies carrying out profiling for marketing purposes may be obliged to remove a subject’s personal data from their profiling databases, erase the subject’s data altogether, or not even begin the profiling process for that subject.
The right to data portability
Subjects have a new right to obtain a copy of their personal data from the controller in a commonly used and machine-readable format and have the right to transmit those data to another controller (for example, an online service provider). In exercising their right, the data subject can request the information be transmitted directly from one controller to another, where technically feasible. It is well known that the reason for this rule is to enable users of Facebook to defect to competing social networks.
Data subject access requests
Businesses must reply within one month from the date of receipt of the request and provide more information than was required under the directive. No fee is payable and the old 40-day rule will not apply (allowing data which are processed for no more than 40 days not to be disclosed).
Businesses should plan how they will respond to data subject access requests within the new time scale and how they will provide the additional information required.