Overview

Agreement on Data Protection Regulation Text

On 14 April 2016 the European Parliament voted to adopt the final draft of the EU General Data Protection Regulation (GDPR). The GDPR was published in the EU official journal on 04 May 2016. The GDPR shall apply from 25 May 2018. The GDPR will fully replace the national data protection legislation (such as the German Federal Data Protection Act or the UK Data Protection Act 1998).

Background

On 25 January 2012, the European Commission published the official version of its proposal for a revised European data protection framework. The proposal comprised a draft GDPR supported by a new Police and Criminal Justice Data Protection Directive (the latter is not covered by this summary).

The GDPR is designed to harmonize the data protection framework across the EU and introduce a single, directly-applicable set of rules to replace the various domestic laws enacted under the Data Protection Directive across EU Member States.

The GDPR has been the subject of lengthy and detailed debate and ultimately a set of three way negotiations between the three EU institutions EU Parliament, the Council and the Commission (so-called “trilogue” meetings) before it was passed in April 2016.

Key changes

While many of the changes in the GDPR take an evolutionary approach to the existing data protection regime, there are a number of new requirements or features in the GDPR, which are summarized in this note: 

Wider territorial scope:

The scope of the existing EU data protection regime has been enlarged to include data controllers that are established outside the EU, in situations where their processing relates to offering goods or services to individuals in the EU or the monitoring of their behaviour. In these circumstances the GDPR will apply whether the processing takes place in the EU or not and even if no payment is required for the goods or services offered. Factors such as the use of a language spoken in a Member State or the use of European currencies (eg € or £) may make it apparent that the controller envisages offering goods or services to data subjects individuals in the EU.

Increased sanctions:

Penalties for infringements of the regulation by a data controller or data processor include fines of up to €20m or 4% of an enterprise's annual worldwide turnover of the preceding financial year, whichever is greater.

Greater, but not full harmonization:

The GDPR, which will be directly applicable and therefore does not require local implementation, is aimed at producing greater consistency to enable companies operating across the EU to comply with one law. However, this goal could not be fully achieved. There are exceptions for the public sector, and Member States shall have the right to adopt (national) rules for certain important categories of data, such as employee data. 

Heavier administrative burden:

The GDPR will require companies to put in place a significant additional layer of process and documentation surrounding data processing activities. Data controllers and processors will have to, amongst other things, keep records of their data processing activities, individuals concerned and the recipients of data. Whereas the current EU data protection regime is focused on “outputs” (e.g. whether data was kept securely) the GDPR is more prescriptive as to the systems and controls that must be used to achieve the desired result. This obligation will not apply to enterprises or organizations employing fewer than 250 persons, unless the data processing is likely to result in a high risk for the right and freedoms of data subjects, is not regular or includes special categories of data.

Data protection impact assessment:

The general obligation to notify data protection authorities of data processing activities (as well as things like international transfers of data) is arguably being replaced by a “data protection impact assessment” - requirement. According to this requirement, companies must conduct (and document) an impact assessment in relation to data processing that is likely to result in a high risk for the rights and freedom of individuals due to its nature, scope, context or purpose. A single assessment may address a set of similar processing operations that present similar high risks. Where risks remain high, the supervisory authority will (still) need to be consulted.

Data breach notification requirement:

In case of a data breach the company responsible for the data will have to, without undue delay and, where feasible, within 72 hours after having become aware of the breach notify the applicable data protection authority. However the notification is not required if the breach is unlikely to result in a risk for the rights and freedoms of individuals. In addition, where the breach is likely to result in a high risk to the rights and freedoms of individuals, the company responsible for the data will also have to notify the affected individuals without undue delay in clear and plain language.

“Personal data” includes online identifiers:

The definition of personal data includes identifiers such as identification numbers, location data as well as online identifiers provided by their devices, applications tools and protocols. According to the GDPR, such online identifiers can be IP-addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This will remove some previous doubt as to whether online identifiers should be qualified as “personal data”. Also pseudonymous data is considered personal data.

Requirements for a valid consent:

The GDPR clarifies that for a consent to be valid there must be a clear, affirmative action by the individual establishing a freely given, specific, informed and un-ambiguous indication of the individual’s agreement to their personal data being processed. Explicit consent will be required for the processing of sensitive personal data if not other valid justification exists. Consent may be given orally, in writing or electronically. This includes ticking a box, when visiting a website, or choosing technical settings for information society services. Inactivity or a pre-ticked box will not constitute consent. Further, the ability to withdraw consent must be as easy for the individual as giving it. Besides these specific requirements there are general requirements about the clarity of communication with individuals.

Protection of children:

In relation to information society services (ie e-commerce services) that target children, a parental consent is needed in relation to data processed about anyone below the age of 16 years. Member states may provide for a lower age limit but it may not be below 13 years. Children’s special need for protection is taken into account also in various other provisions. For example, as far as the balancing of interests is concerned, the children’s need for protection of their personal data will outweigh controller’s legitimate interest to process such data.

Legitimate interests to process data:

In general, as is currently the case, the legitimate interests of a data controller may justify the processing of personal data. The GDPR sets out that processing data for direct marketing purposes may be considered a legitimate interest. Furthermore, the GDPR suggests that data controllers that are part of a group of undertakings may have a legitimate interest to transmit a client’s or an employees’ personal data within the group for internal administrative purposes.

Transfer of data outside the EU:

The GDPR leaves the rules on international transfer of personal data largely unchanged. However, probably as a result of the European Court of Justice’s “Safe-Harbor” decision of 06 October 2015, the GDPR now provides for a mechanism for periodic review of any EU Commission’s adequacy decision (at least every four years) as well as the inclusion of enforceable data subject rights and effective legal remedies for data subjects (including the right to claim compensation in the Union or the third country) as far as other safeguards (in particular contractual clauses) are concerned.

Broad obligations for data processors and joint liability:

The GDPR imposes broad obligations on data processors (ie companies processing data on behalf of other companies), in particular the obligation to implement appropriate technical and organisational security measures to ensure protection of the personal data being processed. Further, the GDPR stipulates that there will be joint liability between a data controller and a data processor in case of unlawful data processing. Only where data controller or data processor is able to prove that it is “not in any way” responsible for the event giving rise to the damage, is it exempted from liability. In addition to this joint liability construct the GDPR imposes many more obligations directly on data processors. By contrast, in the current EU data protection regime primary responsibility sits with the data controller using the data processor who may seek to back off liability to the processor in the contract with them.

Appointment of data protection officer:

The GDPR sets out that both data controllers and data processors are required to designate a data protection officer (DPO) in cases where the core activities of the data controller or the data processor consist of processing operations that require regular and systematic monitoring of individuals on a large scale, or where the core activity consists of processing on a large scale sensitive personal data (such as genetic or biometric data as well as data concerning health, ethnic origin, religious beliefs or sexual orientation). As opposed to the initial draft of the GDPR, the appointment of a DPO is neither dependent on a specific number of individuals affected by, nor on a specific number of employees involved in processing such data. Member States have the right to impose additional requirements for the appointment of a DPO and therefore this may well be an area where certain Member States create additional requirements.

“One Stop Shop” approach:

The so-called “one-stop-shop” approach to supervision, whereby a single supervisory authority should have been empowered to make decisions regarding the activities of a pan-European organization, was diluted. The final version of the GDPR rather stipulates broad cooperation duties between a “lead supervisory authority” - located where the organization has its “main establishment” - and any other concerned supervisory authorities. It therefore cannot be excluded that a company still has to deal (at least indirectly) with a number of local authorities and the requirement for authorities to consult and reach agreement on enforcement action.

Right to erasure (right to be forgotten):

The heavily debated “right to be forgotten” remains largely the same as it is under current law: a right to get personal data erased, where it is no longer necessary in relation to the purpose for which they were collected / processed, if the data individual subject withdraws his/her consent or if the data have been unlawfully processed. However, in addition, where the data controller has made personal data public or provided it to third parties, the data controller has to take “reasonable steps to inform” other controllers processing such data about the individual’s erasure-request regarding any links to or copies/replications of its data.

Right to data portability:

Individuals will have the right to “data portability”. This means that the individual may request to receive their personal data in a structured, commonly used, machine-readable and interoperable format. Where technically feasible, the individual should have the right to have the data transmitted directly from controller to another controller.

Transfer or disclosures not authorized by Union law:

The GDPR includes a prohibition on the transfer of personal data that is required by a third country court decision/administrative authority, if the country in question does not have a mutual legal assistance treaty or an international agreement with the EU or relevant Member State.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.