The EU’s General Data Protection Regulation (679/2016/EU), the GDPR, comes into force across the EU on 25 May 2018. As it is being made by regulation the GDPR, unlike the existing Data Protection Directive (implemented into the UK by the Data Protection Act 1998), will have direct effect throughout the EU. National governments will have some limited scope to tailor certain of its provisions to their jurisdiction. However, the GDPR will significantly harmonise the current national data protection laws across the EU.
Notwithstanding Brexit, the UK government has indicated its intention to implement the GDPR in full. The UK regulator’s (the Information Commissioner’s Office) powers and ability to work seamlessly with other national EU regulators will form a negotiation point in the coming Brexit deal.
The GDPR will apply to any use of personal data arising in connection with either the offering of any goods or services to individuals located in the EU (whether for payment or not), or the monitoring of the behaviour of EU-based individuals. This is a significant change to the scope of previous legislation and has the effect of:
focusing the legislation on the individuals whose data is being utilised, as opposed to the organisations utilising the data (i.e., any worldwide business with customers located in the EU will be subject to the GDPR in respect of those customers); and
clearly encompassing the tracking of individuals’ EU-based internet activity, whether via a website or app (i.e., any worldwide business which uses tracking cookies or retrieves app usage information in respect of EU-based activity will be caught).
The location of data processing equipment is no longer a determining factor – i.e., worldwide businesses cannot avoid the application of the GDPR by locating processing equipment outside the EU.
Some of the key points to note in respect of the GDPR include:
Consent – Obtaining consent from individuals for the processing of their data under the GDPR will be significantly harder. Individuals will be required to clearly give their affirmative consent – e.g., it is expected that website tick-boxes must be ‘opt-in’ and must not be pre-ticked. The business (a data controller) wishing to collect and utilise the data must clearly explain the uses to which the data is to be put and will be required to provide evidence that their processes are compliant and followed in each case. Individuals must be able to withdraw their consent at any time, and businesses must have mechanisms in place to easily enable (e.g., via a website) and effect any such withdrawal. Individuals will have a right to be forgotten (i.e., the deletion of their data) and a right to object to profiling (particularly relevant to website advertisers).
Children – The age of consent to data processing will be raised. Each EU jurisdiction will have the ability to set the age between 13 and 16. Below this the clear affirmative consent of a legal guardian will be required. This will particularly impact websites and apps targeted at children.
Inception – Businesses will be required to consider data protection issues at the creation of any new technology, product or business, and to ensure that suitable protection mechanisms are in-built. Businesses must also ensure that they only collect and process the minimum required data for the express uses to which consent has been given.
Processors – Data processors will be directly subject to the provisions of the GDPR. As a result it is expected that the cost of data processing services provided by outsourced data processors to data controllers is likely to increase. Data processors will also want to review and potentially renegotiate their processing agreements. Data processors employing 250 or more people (and, in some circumstances, any data processors irrespective of their size) will be required to keep detailed records of their processing activities.
Data Protection Officer – Processors processing a significant volume of data, or processing ‘sensitive’ data, may be required to appoint a data protection officer (DPO). The DPO will be responsible for monitoring the data processing activities of the business and ensuring their compliance with the GDPR. It is expected that certain businesses may voluntarily appoint a DPO to help demonstrate an adoption of best practice procedures and strengthen any defence to regulatory investigation.
Data Breaches – data breaches must be notified to the relevant supervisory regulator as soon as possible, and in any event within 72 hours of the breach being identified. The GDPR states that breaches that are unlikely to result in risks to individuals do not require reporting. However, as most breaches could arguably result in a risk to an individual, further guidance is currently being sought on this point.
Transfers of data of any EU-based individuals outside of the EU continues to be regulated by the GDPR. However, the increased sanctions for breaches of the new rules (see below) are likely to mean that non-EU businesses will have to carefully review their existing arrangements to ensure they are compliant.
The EU Commission may identify specific jurisdictions which are deemed to have adequate data protection laws in place and to permit data transfers to those jurisdictions. As a result of recent decisions of the European Court of Justice, the United States is not currently included in this list. The EU and U.S. have negotiated a new data transfer agreement (the Privacy Shield) to replace their previous transfer arrangements. The Privacy Shield enables data transfers to be made to the United States recipients that are subject to regulation by the Federal Trade Commission or Department of Transport and that have self-certified their compliance with the Privacy Shield’s requirements.
Compliance requires, amongst other matters, certifying organisations to adopt privacy policies which address data protection matters in a manner sufficiently compliant with European principles (e.g., as regards information provided to data subjects, data security, dispute resolution and data access). The Privacy Shield is currently subject to various legal challenges from EU-based privacy campaigners, largely stemming from the ability of the U.S. intelligence services to access and utilize transferred data.
Failing this, transfers of personal data may only be made:
on the basis of a data transfer agreement between the transferor and recipient of the data which incorporates certain prescribed contractual clauses; or
by a UK company to other members of its group, on the basis of a set of legally-enforceable corporate rules (called binding corporate rules). Binding corporate rules must be approved by the Information Commissioner’s Office.
Enforcement and Sanctions
A business subject to the GDPR with operations, but not separate subsidiaries, in a number of EU jurisdictions will need to identify a main establishment in the EU. The regulatory authority of this jurisdiction will be the ‘lead supervisory authority’ for the business and will be responsible for coordinating with the regulatory authorities in any other EU jurisdiction with data subjects affected by the activities of that business. It is hoped that this will cut the administrative burden by enabling businesses to deal with a single regulator covering all of their European activities. Individual subsidiaries will each be subject to the regulatory authority of their jurisdiction of incorporation.
The sanctions for breaches of the GDPR are significantly stronger than is currently the case. Certain breaches will attract fines of up to 2% of the annual worldwide turnover of the relevant business (with a minimum fine set at €10 million). More serious breaches will attract fines of up to 4% of the annual worldwide turnover of the relevant business (with a minimum fine set at €20 million). The regulatory authorities will be able to conduct data protection audits and to require the provision of any relevant information. The maximum fine for breach of the UK’s current data protection legislation is set at £500,000.
The significant penalties for non-compliance are expected to quickly move data protection issues to the forefront of the minds of in-house counsel. Worldwide businesses gathering and utilizing data on any EU-based individuals should consider the following steps:
Understand the new regulatory framework and, where relevant, identity the jurisdiction that will act as the ‘lead supervisory authority’ of the business.
Review the processes by which consent to data processing is obtained, and the uses to which such data will be put is explained.
Review any data processing agreements to ensure compliance with the new obligations on data controllers and data processors under the GDPR.
Review the mechanisms by which information relating to EU data subjects is transferred outside the EU (whether to another group company or an external provider), and ensure that they are appropriate to permit such data transfers.
Consider the data gathering and processing activities of the business and whether these give rise to the need to appoint a data protection officer.
Review data breach policies to ensure compliance with the requirements of the GDPR.