A dawn of a new day in EU Data Protection

After four years in the making, on 27 April 2016, the European Parliament and the Council of the European Union adopted and introduced The General Data Protection Regulation (GDPR), also known as Regulation (EU) 2016/679. (full text of the Regulation can be found in this link)

The GDPR entered into force on 24 May 2016, and will apply to all EU states as of 25 May 2018, repealing Directive 95/46/EC regarding data security and the processing of personal data.

The need for a new legislative framework to address the issue of data security has long been in existence. The current directive was adopted more than two decades ago, and as such could not catch up with the new challenges involved in the protection of personal data emanating from the rapid technological developments and globalization.

In addition, a significant drawback in the current directive was the consequence of it being a “directive”, and as such, it required all EU member states to draw up domestic legislation in order to conform with the directive. This resulted in substantial fragmentation in the implementation of data protection across the EU, which damaged the free flow of personal data throughout the EU and ultimately distorted competition.

In order to ensure a consistent and high level of protection, the GDPR was introduced as a regulation. This means it shall be directly applicable to all EU member states without requiring any national implementing legislation, and thus it will facilitate homogenous application of the rules for the protection of personal data throughout the EU.

The adoption of the GDPR marks a significant milestone in EU data protection, and is considered a major step towards a more modern, coherent and harmonized digital single market.

This piece summarizes some of the highlights of the GDPR.

Territorial Scope

In order to maximize the protection of the personal data of data subjects located within the EU, the GDPR takes an elaborative approach regarding its territorial application in comparison to the current directive. Essentially. it applies, under certain circumstances, to data controllers/processors located and established outside of the EU.

Several prerequisites determine the GDPR’s application to data processor/controller established outside of the EU, such as the requirement that the data subjects are located within the EU, and that the processing activities are related to the offering of goods or services to such data subjects. This is further explained by identifying the data controller/processor’s core intentions, inter alia by assessing objective factors as the language being used, the currency, the mentioning of users who are located within the EU, and determining whether such factors imply a clear intention to address the offering to EU citizens.

Additionally, the GDPR applies to data controllers/processors established outside of the EU, when the processing of personal data is related to the monitoring of the behavior of data subjects in so far as the behavior of such data subjects takes place within the EU.

Controllers/processors established outside of the EU, to which the regulation applies based on the foregoing, are required to appoint a representative located within the EU, who shall serve as the addressee for any inquiries and/or investigations from competent supervisory authorities.

The expansion of the GDPR territorial application is a significant change compared to the current directive. It will require many data controllers/processors located outside the EU to adjust their activities accordingly and redefine their data protection practices concerning EU citizens.

Date Subject’s Consent

The GDPR sets specific conditions with regard to the required consent of the data subject to the processing of his personal data. The consent must be clear and affirmative and should clearly indicate that the data subject was well informed of the scope of personal data collected and processed, and to what extent and purpose the data is processed thereof. The consent may be given by an oral or written statement, including by electronic means such as ticking a box, and it’s clearly stated that a pre-ticked box or inactivity do not constitute proper consent.

In case the data subject is a child under the age of 16, processing of his personal data shall be lawful subject to the consent of the child’s parent or custodian. In contrast to the GDPR’s objective to promote consistency regarding data protection across the EU, it permits member states to draw domestic legislation in order to lower this to age 13. As a result, this might lead to a  lack of unity regarding children’s consent.

Unlawful use of personal data is a well-known malicious practice in today’s world. Therefore the regulation requires data controllers/processors to limit the amount of personal data processed to a bare minimum, and to collect only the personal data essential to the specific purpose for which it is collected.

In addition, much emphasis is put on the principal of transparency as the foundation of any data processing. The principal of transparency imposes a great, and arguably an exaggerated amount of accountability on data controllers/processors. It requires them to ensure that the data subject has been provided with all of the information related to collection and processing of its personal data, including any risks, rules, safeguards and rights in relation to the processing of personal data. And if that’s not enough, data controllers/processors are required to provide such enormous amounts of data to data subjects in a simple, coherent and an easy to understand way.

These new obligations will certainly require data controllers/processors to reexamine their data security policies and make necessary adjustments.

Date controllers should be able to demonstrate that the consent given by the data subject was indeed informed and freely given. They must therefore be able to extract and provide the written declaration provided by the data subject upon request from a competent supervisory authority. Furthermore, they must be able to demonstrate that the data subject had the ability to refuse giving their consent as well as the ability to withdraw their consent at any time and without detriment.

Moreover, in order to demonstrate compliance with the regulation, data controllers/processors are required to maintain records of their processing activities, and must also cooperate with any competent supervisory authority should they be required to provide such records.

The GDPR addresses the long discussed controversial issue of whether significant imbalance between the controller and the data subject revokes the legal validity of the data subject’s consent, an issue specifically relevant in cases where the controller is a public authority. According to the GDPR, in such cases, additional measures should be taken by the controller in order to validate the consent. For example, requesting separate consent from the data subject for each different personal data processing operation, and permitting the performance of a contract and/or the rendering of a service even without obtaining the data subject’s consent, provided, however, that such consent is not requisite for the performance thereof.

In light of the aforementioned principal of transparency, data controllers are obliged to provide data subjects with the means to easily access their personal data, review their consent and make any necessary corrections.  The controllers are also required to reply without any delay to any such request from data subjects.

In addition, the right to be forgotten, which received a fair amount of attention in recent years, received specific attention in the GDPR.  This stipulates that the data subject has the right to have his personal data erased, so long as there’s no legal ground to retain the personal data. Under the same principal, the controller is obligated to erase any personal data once the data is no longer necessary.

Privacy by design and by default

The GDPR takes a firm stand on this long discussed issue by requiring data controllers to neglect the traditional passive approach to personal data security and replace it with a pro-active approach aimed to ensure the protection of personal data. Accordingly, controllers are required to implement appropriate technical and organizational measures in their data processing activities to ensure the proper protection of the rights of data subjects. Such measures include pseudonymization and data minimization as well as other measures which are in line with the principal that only the bare minimum and necessary personal data for each specific purpose should be processed.

In addition, under certain circumstances which are related to the processing of sensitive data and/or data that is likely to result in high risk to data subjects, controllers are required to conduct a data protection impact assessment in order to have a clear picture of the risks and potential impact involved in the processing of such data.

The requirement to adopt such a pro-active approach is a significant change from the traditional more passive approach, and is likely to result in significant objection and criticism from controllers due to the significant capital expenses required in order to implement such measures.

Data Processors

As already demonstrated above, the GDPR significantly enhances the role of data processors regarding its duties and obligations compared to the current directive, specifically in medium to large processors (with over 250 employees).

These enhanced duties expand further than the aforementioned requirement of data processors located outside the EU to appoint a representative within the EU. It also requires processors to appoint a data protection officer under certain circumstances, as well as maintain records of their processing activities and have these records available upon request to competent supervisory authorities.

Processors also have additional obligations regarding its relationship with the controllers, which must be based on a written agreement. The GDPR specifically defines certain issues that must be addressed in such agreements, such as the requirement of the processor to notify the controller without undue delay when there is a breach in its systems.

The enhanced role of data processors according to the GDPR is likely to have substantial impact on processor-controller relationships, and will definitely effect medium-large enterprises providing cloud based platform services. To this point, these enterprises have enjoyed the advantages deriving from the clear distinctions between processors and controllers as laid out in the current directive, in order to mitigate their risk exposure.

The Data Protection Officer

The regulation introduces us to the data protection officer, which controllers/processors are required to appoint in certain circumstances.  The data protection officer is intended to be the lead authority where the controller/processor’s data security overlaps with the GDPR. This officer is therefore required to be involved in all issues related to the protection of personal data in the controller/processor in order to properly oversee and monitor the controller/processor’s activities. The GDPR specifically states that the data protection officer should only report directly to the most senior management and that no one should instruct, interfere or have any kind of influence that might negatively affect the data protection officer from performing his duties.

Transfer of personal data to third countries:

The GDPR doesn’t bring any significant changes to this issue and generally maintains the current framework. In order to ensure high level of protection to data subjects, the transfer of personal data to third countries is only permitted where such third countries are in compliance with the conditions set forth in the GDPR. The European Commission assesses and concludes a list of countries (or international organizations) that provide an adequate level of protection and to which such transfer of personal data shall be permitted without requiring any additional authorizations.

In addition, controllers/processors may transfer personal data to third countries that were not listed in the aforementioned European Commission’s list provided that the controller/processor has executed appropriate safeguards, as stipulated in the regulation, and that the data subject’s rights are not violated.

Alternatively, the GDPR also lists a number of other circumstances under which the transfer of personal data to third countries is permitted.

Independent supervisory authorities

The GDPR calls for each member state to establish and designate an independent public authority to act as a lead authority with regard to its compliance with the GDPR.

The GDPR provides a detailed description regarding the supervisory authority’s role, requirements and powers. In general, this includes monitoring and enforcing the application of the GDPR, promoting public awareness, handling complaints, conducting investigations and cooperating with other supervisory authorities across the EU in order to maintain proper compliance.

The supervisory authorities are granted with powers to adequately perform their duties. These include such things as the power to issue warnings, reprimands, orders and even impose fines in significant amounts amounting up to 4% of the turnover or €20,000,000 EUR on controllers/processors who fail to comply the GDPR and/or infringe data subject’s rights, and/or fail to remedy a breach in its data protection.

European Data Protection Board

The GDPR announces the establishment of The European Data Protection Board (“Board”) as a body of the EU. The Board shall have a legal personality and shall act independently when performing its duties. The Board shall be comprised of the head of each supervisory authority of each member state and the European Data Protection Supervisor.  The duties of the Board are specified in detail in the regulation, and shall generally be to ensure the consistent application of the regulation across the EU, support the protection of personal data by issuing necessary guidelines, and promoting cooperation, review and report the activities of the supervisory authorities and provide opinions upon request.

In conclusion, the GDPR is a big step for EU data protection. It is aimed to promote a more coherent and consistent single market. While various drawbacks and shortcomings are inevitable, hopefully they will not hinder the accomplishment of the ultimate objective, which is to provide for adequate data protection to EU citizens while facilitating cross border activities and trade. The magnitude of the impact that the GDPR will have on companies doing business in the EU as well as on the member states is yet to be seen, but it is certain that all participating parties shall commence in a process of adjusting their practices and policies in order to ensure proper compliance once the GDPR becomes applicable.

As a side note, it will be interesting to see how the GDPR will interact with the recently adopted EU-US Privacy Shield and which new industry standards and practices will be developed as a result of these two frameworks.GDPR

About the Author
Gil Banyas is an attorney in Israel, with a strong background in law and technology, currently serving as in-house counsel for 365 Technologies Inc., a growing technology company active in the global payments industry.