EU LawPrivacy & Data Security

General Data Protection Regulation: New EU Law In Context

General Data Protection Regulation

The new EU General Data Protection Regulation (GDPR) that will govern data protection and privacy on a pan-European basis is going to be game changer.

According to some estimates, the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020.” European Commission Memo, 12 March 2014

Current law – EU Data Protection Directive 95/46/EC

The aim of the existing EU Data Protection Directive (Directive 95/46/EC) is to protect the privacy of all personal data collected for or about EU citizens, including in relation to using, processing or transfer of personal data. Under EU law, Directives only require member states to achieve a result and do not dictate how they achieve the result. Accordingly, the Data Protection Directive is implemented differently into the law of each member state (for example, in the UK via the Data Protection Act 1998).

Data protection disharmony

The Data Protection Directive was passed almost 20 years ago back in the fledging days of the internet. This was before super-fast broadband, cloud computing, smartphones and social media changed our lives and how we interact with each other. Moreover, different EU member states have enacted the Directive in different ways and this has caused substantial differences in data protection and privacy law across member states.

Proposed reform – New GDPR (EU Data Protection Regulation)

In 2012 the European Commission started a process to update and reform the data protection laws with a view to enhancing the outdated restrictions regarding the protection of personal information. The Commission’s aim is to “strengthen individual rights and tackle the challenges of globalisation and new technologies.” In March 2014 the European Parliament gave its strong backing and voted overwhelmingly in favour of the draft Regulation. The Commission is aiming to fully ratify the Regulation in 2015 and implement it a year after that.

What’s new?

The new General Data Protection Regulation (GDPR) contains a number of provisions that are more onerous or substantially different that the current Directive. As the Regulation is currently in draft form these provisions are subject to change.

One law, one continent

Importantly, the new regime would be a Regulation, which is self-executing and would be adopted immediately in the same form across all EU member states. The new uniform Regulation would apply to any organisation offering goods or services to, or that monitors the behaviour of, individuals in a European Union member state. Currently under the Directive entities located within the EU must adhere to stricter rules than their non-EU based competitors. The new Regulation, however, means that companies based outside of the EU that are processing the data of EU residents will have to comply with the same rules.

Single supervisory authority – cheaper to do business

The proposed GDPR intends to establish a new supervisory ‘one-stop-shop’ for businesses. This will benefit organisations as they will only have to deal with a single supervisory authority rather than the existing 28. The Commission believes that this will make it simpler and cheaper for companies to do business in the EU.

Consent – Article 7

One of the purported aims of the Regulation is to put the data subject in control. Under EU law processing of personal information must be lawful by, for example, obtaining an individual’s consent to the processing of its data. The existing definition of consent in the Directive means that consent must be “unambiguous”. Conversely, under the new Regulation an individual’s consent must be “explicit”. In other words, when the Regulation is implemented consent can no longer be assumed and will have to be based on a statement or clear affirmative action. This could be achieved by an ‘opt in’ check box on online sign up forms.

Privacy by design and by default – Article 23

The GDPR seeks to make data protection a prime motivator for businesses and “not an afterthought”. The Regulation requires data protection safeguards to be automatically built into services and goods and for high privacy settings on social media sites like Facebook to be the default position.

“Right to be forgotten” – Article 17

The ‘right to be forgotten’ has probably received the most press coverage. The intent of this part of the Regulation is supposedly to empower individuals in relation to what is stored about them online. The initial draft of the Regulation stated that when a data subject no longer wishes for their data to be processed and there are no legitimate grounds for retaining it the data must be deleted. The Commission has issued statements strongly denying that this restricts freedom of the press or assists unscrupulous individuals to erase their past.

On 13 May 2014, the Court of Justice of the European Union issued a landmark ruling on the ‘right to be forgotten’, in relation to online search engines.  The draft Regulation has also been updated so that the compromise version of Article 17 now states that the data subject has the right to request “erasure of personal data” related to them for a number of reasons. These reasons include the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, the data subject has withdrawn consent, or the data has been unlawfully processed.

Data portability – Article 15

The General Data Protection Regulation (GDPR) requires that a data subject is able to request a copy of its personal data from a service provider. The data must be provided in a format that is able to be transferred to another processing system. This right will make it easier for individuals to transfer their personal data between service providers.

Data protection officers – Articles 35-37

Under the proposed GDPR organisations that employ more than 250 people and do not systematically monitor individuals as their core business activity will have to appoint a data protection officer. He or she will be monitor and implement the organisation’s data protection policies and frameworks and will also be responsible for running organisation-wide data protection training.

Notice of data breach – Articles 32 & 33

Another important change is that there will be more accountability in respect of data breaches. Organisations will, without undue delay, have to notify the relevant data protection authority of any breaches as well as notifying the data subject where the data breach if likely to adversely impact the protection of their privacy or personal information. Today, this obligation only applies to companies in the telecoms sector. The guidance on ‘undue delay’ is unfortunately a little unclear. Initially, Justice Commissioner Vivian Reding wanted the time period to be 24 hours or less.  However, the current draft of the Regulation indicates that companies will have 72 hours to inform the regulator. The notice obligation will require companies to create and then implement new processes to satisfy the breach notification requirement.

Penalties

Warnings will be issued for first unintentional breaches. Notably, the General Data Protection Regulation (GDPR) will also introduce substantial fines for non-compliance or violations of up 2% – 5% of the global turnover of the company in breach.

The General Data Protection Regulation Is Coming

As at the time of writing the General Data Protection Regulation (GDPR) is still in draft form it remains to be seen how many further changes will be made to it before it is finalised. It is a case of waiting to see and keeping an eye on developements. Nevertheless it is not too early for both EU organisations and non-EU organisations operating in Europe to start thinking about the internal processes and policy changes that they will need to implement as a result of the Regulation.

 

Photo credit: Pixabay

4 thoughts on “General Data Protection Regulation: New EU Law In Context

  1. Do you think corporations will have to have some source of revenue being collected in the EU in order for the penalties to actually be enforceable?

    Thanks!

    1. Gemma, thank you for taking the time to read my article and post your query. Today, EU companies complain that tougher data laws apply to them and they are therefore losing competitive advantage. The proposed EU Data Protection Regulation is trying to ‘level the playing field’ so that it applies to both EU based entities and entities based outside of the EU that are processing the data of EU residents. Legally, the penalties for breach will be enforceable based on the fact that the non-EU entity is processing the data of EU residents not whether it is collecting revenue in the EU.

      Practically speaking, however, the enforcement of any penalty against an organisation with its head office in a different jurisdiction is always more difficult. The quantum of the penalties in the draft Regulation are also enormous so we may see non-EU entities trying to do everything they can to avoid them. My view is that most of the major technology and internet companies already have a presence here in the EU and if the non-EU entity has an office in the EU enforcement will be easier.

  2. Congrats on a very readable Blog article on elements making up the draft-form GDPR. Might be useful for you to apply your clearly incisive talent to an update Blog on the finalised GDPR which will be mercilessly mandatory from 25th May 2018

Leave a Reply