On 15 December 2015 representatives from the European Commission, Parliament and Council reached agreement on the long-awaited EU General Data Protection Regulation (GDPR). The GDPR, which is expected to be passed into EU law in the first quarter of 2016 and become effective in Member States two years later, constitutes the biggest change to the data protection regime in the EU since the 1995 Data Protection Directive.
The GDPR introduces fundamental changes to the data protection regime, including the:
- harmonisation of regimes across the EU;
- extension of the regime to apply to non-EU businesses that operate in the EU; and
- potential for businesses to be fined EUR 20 million or up to 4% of their worldwide turnover for serious breaches of the GDPR.
Shifting the balance towards consumers: strengthening of rights and controls
Current data protection law in the EU is based on the 1995 Data Protection Directive, a law drafted in the early 1990s. Since then, technological developments, as well as the arrival of social media and big data, together with the continued divergence of national regimes in addressing these challenges, have created the need for fundamental reform. The EU institutions have long recognised this, and negotiations have been on-going since 2012 on a new legislative regime.
One of the themes running through the GDPR is the strengthening of consumer rights and controls over how their data is processed. For example:
- Access to data: under the GDPR, individuals will be entitled to more extensive information about the data being processed about them, including the legal basis of the processing, the period of data storage, information about access and other rights over the data (including the right to lodge a complaint with a supervisory authority), details of any transfers outside of Europe and safeguards applied to them, plus contact details of the data controller’s data protection officer.
- Data portability: the GDPR is intended to make it easier for individuals to have their data transferred between service providers.
- Right to be forgotten: the GDPR will extend the right to be forgotten so that, where certain conditions apply (for example the data is no longer necessary for the purpose for which it was collected), individuals will be able to demand that their data be permanently deleted.
- Consent by minors: the GDPR will require providers of “information society services” (such as social media companies) to collect parental consent to process personal data of users below the age of 16. However, Member States may lower the age limit to 13 years.
Privacy campaigners have long and vocally fought for these rights, which they see as necessary protections in a world where vast amounts of personal data are collected from today’s connected consumers, and subjected to increasingly sophisticated data mining techniques. For businesses, however, this will impose significant additional burdens and costs.
New-look data protection regime for businesses: the key changes
For businesses, particularly those whose businesses revolve around the use of big data, the data protection regime post-GDPR will be more challenging, present greater risks, and cast its net far wider, but will at least allow more certainty and consistency across pan-European operations.
Key changes for businesses include the following:
- Scope: the GDPR will extend the scope of potential liability under the data protection in several ways:
- the GDPR will apply to data controllers that are not located in the EU, where their activities relate to offering goods and services to EU nationals (whether those goods or services are free or not) or where they monitor the behaviour of individuals who are in the EU; and
- data controllers and data processors will be jointly liable for any damage caused by a breach of the GDPR (currently only data controllers will be liable). This will have a significant impact on many companies currently acting as data processors, such as cloud service providers.
- Harmonisation: as a directly enforceable Regulation, the GDPR does not depend on individual Member States to implement it by passing their own national laws (as Directives such as the Data Protection Directive 1995 and the new NIS Directive would require). This will avoid much of the difficulty faced by international businesses in having to understand and comply with the nuances of several different local regimes within the EU. However, there are some areas where Member States will still have discretion to apply additional requirements.
- Limited “forum shopping”: The GDPR considerably limits the ability of companies to avoid certain national jurisdictions; whilst the supervisory authority of the main establishment or of the single establishment of the data controller or data processor will act as “lead supervisory authority”, other national supervisory authorities may still follow up on complaints lodged by data subjects in their jurisdictions. If, afterwards, both authorities cannot agree on a decision in the respective subject matter, they must ask the European Data Protection Board to resolve the dispute.
- Risk-based approach: Data controllers will be expected to assess their processing activities and the risks to individuals resulting from those activities and then to implement appropriate measures to comply with the GDPR. This puts the onus (and compliance risk) on businesses to decide what measures they put in place, rather than being able to follow specific legal requirements. However, this approach is likely to be underpinned by further guidance that will need to be considered and produced by supervisory authorities before the GDPR comes into force.
- Data breach notification: Under the GDPR, personal data breaches must be notified to the relevant supervisory authority normally not later than 72 hours after the data controller becomes aware of the incident. This obligation has a rather broad scope because it is triggered as a result of any accidental or unlawful destruction, loss, alteration or an unauthorised disclosure of personal data, unless it is unlikely to pose a risk to the individual. Affected individuals will also have to be notified in certain circumstances.
- Appointment of data protection officers: The GDPR requires mandatory appointment of data protection officers, at least for public sector entities as well as for businesses whose core business is the processing of “big data” or sensitive data. Member States might extend this obligation so that it is likely that the even stricter rules in Germany will survive.
- Data protection by design: Another new concept being brought in by the GDPR is the requirement for products and services to be designed with data protection in mind from the outset. Broadly, businesses will need to ensure from the outset that the processing of personal data is limited to that required to achieve the purpose for which it is required, and that access to that data is limited to those who need it.
- Notification scrapped: Controllers will no longer have to notify their data processing activities to supervisory authorities. Instead there is a requirement to keep internal records of data processing.
Next steps: directly applicable EU law
The final text of the draft GDPR is expected to be formally adopted by the Parliament and Council at the beginning of 2016. The provisions of the GDPR will then come into force as directly applicable EU law in Member States two years after that adoption. The Commission and national data protection authorities will need to work together to ensure consistent and uniform application of the GDPR across the Member States.
OC comment: the GDPR’s impact cannot be overstated
The impact of the GDPR cannot be overstated. The global digital economy is underpinned by data and the GDPR means that compliance issues associated with the use of data will need to be central to all personal data-based business operations. In particular, the GDPR’s data handling requirements, and the penalties for getting it wrong, make it clear to businesses across the world that if they intend to use data relating to individuals in the European Union they must proactively address privacy issues from now on.
While it is true that the GDPR will bring about much more harmonization than the current Data Protection Directive, it remains to be seen whether a real level playing field is created for businesses across the EU. The GDPR contains flexibility clauses in important areas. For example, for data processing activities in the employment context (including sharing of staff data across a global corporate group, and use of data in a cloud-based HR system), for journalistic purposes and for the purposes of academic, artistic or literary expression, as well as for data processing related to electronic communication services which are caught by the existing E-Privacy Directive, which remains in force.