30 January 2017

The General Data Protection Regulation – Are you ready for 2018 changes – Part 1

Greater harmonisation

The start date of the European Union’s (EU) General Data Protection Regulation 2016/679 (the ‘regulation’) is Friday, May 25th 2018. It applies to the EU and the European Economic Area (EEA). In this, the first of two notes, we highlight what you need to think about.

The regulation is intended to be a single legal instrument which applies in all EU and EEA member states and which is construed consistently in each of them. It is meant to make compliance more efficient. However, noble though this aim is, compliance with the regulation will still involve significant and time-consuming changes for many businesses. It is therefore important to plan ahead now, especially since publication of the supporting and implementing legislation by the national data protection authorities is still delayed. With a year to go before the Regulation is fully in force, now is the time to review your policies and systems.

There remain some areas still under consideration. For example, each EU and EEA member state will determine the age (anywhere between 13 and 16 years) below which online service providers must verify that parental consent has been given before providing the service. Businesses should therefore start to consider how age verification will be carried out.


No article this year is complete without something about Brexit. Our view is that the regulation will become UK national data protection law and, post 2019, the UK will largely follow judgments of the Court of Justice of the European Union (the ‘CJEU’) on the interpretation of the regulation to keep the UK in line with the wider European consensus on data protection. It is not expected that the UK will be treated as outside the standards that allow data to freely flow post 2019.

Expanded territorial scope – The Regulation applies to everyone even outside Europe 

The new regulation means that if a controller or a processor:

  • Offers free or paid-for goods or services to data subjects in the EEA, or
  • Monitors the behaviour of data subjects, and that behaviour takes place in the EEA

then that controller or processor, even if it is a non-EU controller or processor, will be subject to the regulation. This means that wherever you are based, you need to pay attention to the European regime if you are dealing with data from Europe.

This follows developments in EU case law where the scope of an organisation’s operations has been relevant to whether the entity is caught by a national data regime, as happened in Weltimmo [2015] EUECJ C-230/14 (1 October 2015):

In that case, the Hungarian national data protection authority (‘NDPA’) sought to fine Weltimmo, a Slovakian-registered online property company which advertised properties in Hungary. The Hungarian NDPA had received complaints that Weltimmo had breached local data protection laws in Hungary (which existed by virtue of the transposition of the directive).

The CJEU ruled that the data protection laws of one EU member state may apply to a controller even when it is registered in a different EU member state, if, in relation to its data processing activities, there is ‘any real and effective activity, even a minimal one, exercised through stable arrangements’ in the first EU member state.

The CJEU also ruled that, on the other hand, an NDPA may determine that the law of another EU member state applies. In such circumstances, the NDPA may only exercise its intervention powers within its own territory and may not impose a sanction on a controller which is not established within its territory.  It should instead request the NDPA of the EU member state whose law is applicable to act.  

In essence, under the regulation, many non-EU businesses that were not required to comply with the Data Protection Directive (the ‘directive’) may now be required to comply. Businesses established outside the EU that are not subject to the directive but that have some presence in the EU (e.g. a regional office or a subsidiary), process EU subjects’ data, or both, should consider whether they need to comply with the regulation.

Regrettably, it is currently unclear what constitutes an EU subject since the regulation is not limited to nationals of EU member states, and we shall be monitoring developments. 

The one-stop shop

Under the directive, each NDPA may exercise authority over businesses operating on its territory. Under the regulation, a firm will be able to deal with a single NDPA as its ‘lead supervisory authority’ (‘lead SA’) across the EEA so far as concerns transfers between member states or in and out of the EEA.

Where a controller or processor has more than one establishment in the EEA (whether or not it is an EEA concern), the regulation anticipates that if cross-border processing is involved they will have a main establishment, and work with the NDPA for the main establishment. The lead SA will be responsible for all regulation of cross-border processing activities carried out by that controller or processor. 

The lead SA must work with all other ‘concerned SAs’. All concerned SAs may participate in decisions on enforcement relating to cross-border processing activities. It is conceivable that a business could be the subject of joint, or even several, actions by more than one regulator.

If the relevant SAs cannot agree then the matter is referred to the European Data Protection Board (EDPB), which has a range of powers to ensure the consistent application of the regulation across the EU, including the power to make the final decision in enforcement cases (called the consistency mechanism).

Purely local cases will continue to be handled by the local NDPAs.

For businesses which only operate within a single EEA member state, and only process the personal data of subjects residing in that member state, interaction with the local NDPA under the regulation will be similar to the current means of regulation.

Recent CJEU decisions have emphasised the independence of NDPAs and their competence to enforce data protection law where the controller is ‘established’ in their member state or where the processing substantially affects data subjects in their member state:

  • Schrems v Data Protection Commissioner (Case C-362/14, 23 September 2015). 
  • Weltimmo (see above).

Increased enforcement powers – The Regulation has Teeth

Currently, local fines are comparatively low (e.g. in the UK the maximum fine is £500,000). The regulation will change the landscape, and NDPAs will be able to impose fines on data controllers and data processors on a two-tier basis, as follows:

  • Up to 2% of annual worldwide turnover of the preceding financial year or €10m (whichever is the greater) for infractions relating to record keeping, contracts with processors, notifications in the case of a data security issue, data protection officers, and failure to implement data protection by design and default.
  • Up to 4% of annual worldwide turnover of the preceding financial year or €20m (whichever is the greater) for infractions relating to breaches of the data protection principles, conditions for consent, data subjects rights and international data transfers.
  • In addition, NDPAs can be given the power to impose fines for other breaches, though we are not aware of what the UK government’s plans are in this regard.

The NDPA can carry out audits and site inspections, and may require the provision of information.

What was perceived as low-risk is likely to become high-risk in the light of the power to impose substantial fines. Compliance checks should be carried out now so that you can adjust your processes by the end of May if that is needed.

Consent, as a legal basis for processing, will be harder to obtain

Consent mechanisms are likely to be the subject of intense scrutiny by the regulator. The directive distinguished between ordinary consent (for non-sensitive personal data) and explicit consent (for sensitive personal data). The regulation explains what these expressions mean in a little more detail.

The regulation requires a clear affirmative action establishing that the individual agreed to their personal data being processed, and that consent must be freely given, specific, informed and unambiguous.

Where consent is necessary, businesses must be able to demonstrate that the data subject gave their consent to the processing; they bear the burden of proof that consent was validly obtained.

When the processing has more than one purpose, the data subject should give their consent to each purpose. 

The data subject shall, however, have the right to withdraw their consent at any time.

The execution of a contract or the provision of a service cannot be conditional on consent to processing or use of data, if the data is not necessary for the execution of the contract or the provision of the service.

Controllers cannot rely on consent as a legal basis for processing if there is a ‘clear imbalance’ between the parties, as consent is presumed not to be freely given. The point of this rule is to stop a controller from making the provision of a service conditional upon consent, unless the processing is necessary for the provision of that service. 

A controller must ensure that a subject can withdraw consent at any time. It must be as easy to withdraw consent as to give it.
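The consent requirements set out above translate into a concrete record-keeping problem: one record per purpose, evidence of the affirmative act and the notice the subject saw, and withdrawal that is a single step. The following ledger is an added example written for this note, not code from the original article or from any regulator; the purpose names, notice versions, mechanism labels and timestamps are constructed.

```python
"""Per-purpose consent ledger (added example; names and values are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Capture mechanisms that are not a clear affirmative action and must be refused
NOT_AFFIRMATIVE = {"pre_ticked", "inactivity", "default"}


def _when(at: Optional[str]) -> datetime:
    """Parse an ISO-8601 timestamp with offset, or use the current UTC time."""
    return datetime.fromisoformat(at) if at else datetime.now(timezone.utc)


@dataclass
class ConsentEvent:
    purpose: str          # consent is specific: one purpose per event
    given: bool           # True = granted, False = withdrawn
    at: datetime
    notice_version: str   # which privacy notice the subject saw (informed)
    mechanism: str        # how the affirmative act was captured


@dataclass
class ConsentLedger:
    subject_id: str
    events: List[ConsentEvent] = field(default_factory=list)

    def grant(self, purpose: str, notice_version: str, mechanism: str, at: str = None) -> None:
        """Record consent for one purpose; silence or pre-ticked boxes are rejected."""
        if mechanism in NOT_AFFIRMATIVE:
            raise ValueError(f"{mechanism!r} is not a clear affirmative action")
        self.events.append(ConsentEvent(purpose, True, _when(at), notice_version, mechanism))

    def withdraw(self, purpose: str, at: str = None) -> None:
        """Withdrawal must be as easy as giving consent: one call, no conditions."""
        self.events.append(ConsentEvent(purpose, False, _when(at), "-", "withdrawal"))

    def permits(self, purpose: str, at: str = None) -> bool:
        """Was processing for `purpose` permitted at time `at`? (latest event wins)"""
        moment, state = _when(at), False
        for e in sorted(self.events, key=lambda e: e.at):
            if e.purpose == purpose and e.at <= moment:
                state = e.given
        return state

    def evidence(self, purpose: str) -> List[ConsentEvent]:
        """The records a controller produces to meet its burden of proof."""
        return [e for e in self.events if e.purpose == purpose]
```

Because every event is kept rather than overwritten, `permits()` can answer for any past moment, which is what a controller needs when asked to show that processing carried out before a withdrawal was lawful.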

The risk-based approach to compliance

The regulation requires controllers to assess the degree of risk that their processing activities pose to subjects. The regulator has published a guide to assist businesses, which, in summary, recommends that businesses prepare for the Regulation:

  • Create awareness among the senior decision makers in the business.
  • Audit and document the personal data they hold, recording where it came from and who it is shared with.
  • Review the legal basis for the various types of processing that they carry out and document this.
  • Review privacy notices and put in place a plan for making any changes to comply with the regulation.

Privacy by design and by default, privacy impact assessments, prior consultation and standardised icons

Mandatory privacy by design and default: Businesses will be required to implement data protection by design, for example, when creating new products, services or other data processing activities, ensuring there is adequate security in place and that compliance is monitored.  The nature and extent of such measures are determined with reference to the state of the art and the cost of implementation, taking into account the nature, scope, context and purposes of the processing as well as the risk to individuals.  Privacy by default (for example, data minimisation), requires that default privacy settings apply for each customer at the time of the determination of the means for processing and at the time of the processing itself. 

Mandatory privacy impact assessments: Controllers will be required to perform privacy impact assessments before any processing that uses new technologies and (taking into account the nature, scope, context and purposes of the processing) is likely to result in a high risk to data subjects takes place. The purpose of a privacy impact assessment is to ensure:

  • That there is a systematic and extensive evaluation of automated processing, including profiling, on which decisions are based that produce legal effects concerning the subject or otherwise significantly affect the subject.
  • That processing of special categories of personal data, or of data relating to criminal convictions and offences, on a large scale is properly understood and considered.
  • That any systematic monitoring of publicly accessible areas in cyberspace is identified.

The NDPA will publish a list of the kind of processing operations that require a privacy impact assessment.

Controllers can carry out a single assessment to address a set of similar processing operations that present similar high risks.

Mandatory prior consultation: Where a privacy impact assessment suggests that the processing is high risk to the subject, the controller must consult with the NDPA before any processing takes place.

In addition, standardised icons indicating important features of the relevant data processing activities in a simplified format may be prescribed by the member state or the Commission.

In particular, the regulation will require controllers to implement technical and organisational measures (such as pseudonymisation) to ensure that the requirements of the regulation are met. Businesses must both:

  • Take data protection requirements into account from the outset whenever any new technology, product or service that involves the processing of personal data is used on an ongoing basis.
  • Conduct privacy impact assessments where appropriate.
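Pseudonymisation and data minimisation, both named above as technical measures, are easier to reason about when seen together. The snippet below is an added illustration for this note (not code from the article or from any regulator): direct identifiers are replaced by a keyed HMAC so records remain linkable without naming anyone, and each purpose gets only the fields it needs. The key, field names, purpose policy and sample record are all constructed.

```python
"""Keyed pseudonymisation plus per-purpose minimisation (added example)."""
import hashlib
import hmac

# Constructed secret. A bare hash is not a pseudonym: anyone who knows the
# input space (e-mail addresses, for instance) can recompute it and
# re-identify records. Keep the real key in a separate, access-controlled store.
PSEUDONYM_KEY = b"constructed-example-key-keep-in-a-vault"

# Constructed policy: the fields each purpose actually needs (minimisation)
PURPOSE_FIELDS = {
    "analytics": {"pseudonym", "country", "plan"},
    "billing": {"pseudonym", "plan", "postcode"},
}
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable keyed pseudonym (HMAC-SHA256) for a normalised direct identifier."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def minimise(record: dict, purpose: str) -> dict:
    """Pseudonymise a record and keep only the fields `purpose` is approved to use."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no approved field set for purpose {purpose!r}")
    out = dict(record)
    out["pseudonym"] = pseudonym(out["email"])
    for f in DIRECT_IDENTIFIERS:
        out.pop(f, None)          # direct identifiers never leave this function
    return {k: v for k, v in out.items() if k in PURPOSE_FIELDS[purpose]}
```

A purpose with no approved field set is refused rather than given the whole record, which is the "by default" half of the requirement.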

Helpful guidance on when and how to implement privacy impact assessments has been provided by the UK Information Commissioner’s Office. 

data which are processed for no more than 40 days are not disclosable.

Businesses should plan how they will respond to data subject access requests within the new time scale and how they will provide the additional information required.