The new EU General Data Protection Regulation (GDPR) that will govern data protection and privacy on a pan-European basis is going to be a game changer.
“According to some estimates, the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020.” European Commission Memo, 12 March 2014
Current law – EU Data Protection Directive 95/46/EC
The aim of the existing EU Data Protection Directive (Directive 95/46/EC) is to protect the privacy of all personal data collected for or about EU citizens, including in relation to the use, processing or transfer of personal data. Under EU law, Directives only require member states to achieve a result and do not dictate how they achieve that result. Accordingly, the Data Protection Directive is implemented differently into the law of each member state (for example, in the UK via the Data Protection Act 1998).
Data protection disharmony
The Data Protection Directive was passed almost 20 years ago, back in the fledgling days of the internet. This was before super-fast broadband, cloud computing, smartphones and social media changed our lives and how we interact with each other. Moreover, different EU member states have enacted the Directive in different ways, and this has caused substantial differences in data protection and privacy law across member states.
Proposed reform – New GDPR (EU Data Protection Regulation)
In 2012 the European Commission started a process to update and reform the data protection laws, with a view to modernising the outdated rules on the protection of personal information. The Commission’s aim is to “strengthen individual rights and tackle the challenges of globalisation and new technologies.” In March 2014 the European Parliament gave its strong backing and voted overwhelmingly in favour of the draft Regulation. The Commission is aiming to fully ratify the Regulation in 2015 and implement it a year after that.
The new General Data Protection Regulation (GDPR) contains a number of provisions that are more onerous than, or substantially different from, the current Directive. As the Regulation is currently in draft form, these provisions are subject to change.
One law, one continent
Importantly, the new regime would be a Regulation, which is self-executing and would be adopted immediately in the same form across all EU member states. The new uniform Regulation would apply to any organisation offering goods or services to, or monitoring the behaviour of, individuals in a European Union member state. Currently, under the Directive, entities located within the EU must adhere to stricter rules than their non-EU based competitors. The new Regulation, however, means that companies based outside the EU that process the data of EU residents will have to comply with the same rules.
Single supervisory authority – cheaper to do business
The proposed GDPR intends to establish a new supervisory ‘one-stop-shop’ for businesses. This will benefit organisations as they will only have to deal with a single supervisory authority rather than the existing 28. The Commission believes that this will make it simpler and cheaper for companies to do business in the EU.
Consent – Article 7
One of the purported aims of the Regulation is to put the data subject in control. Under EU law, processing of personal information must be lawful, for example by obtaining an individual’s consent to the processing of their data. The existing definition of consent in the Directive means that consent must be “unambiguous”. Conversely, under the new Regulation an individual’s consent must be “explicit”. In other words, when the Regulation is implemented consent can no longer be assumed and will have to be based on a statement or clear affirmative action. This could be achieved by an ‘opt-in’ check box on online sign-up forms.
Privacy by design and by default – Article 23
The GDPR seeks to make data protection a prime motivator for businesses and “not an afterthought”. The Regulation requires data protection safeguards to be automatically built into services and goods and for high privacy settings on social media sites like Facebook to be the default position.
“Right to be forgotten” – Article 17
The ‘right to be forgotten’ has probably received the most press coverage. The intent of this part of the Regulation is supposedly to empower individuals in relation to what is stored about them online. The initial draft of the Regulation stated that when a data subject no longer wishes for their data to be processed and there are no legitimate grounds for retaining it the data must be deleted. The Commission has issued statements strongly denying that this restricts freedom of the press or assists unscrupulous individuals to erase their past.
On 13 May 2014, the Court of Justice of the European Union issued a landmark ruling on the ‘right to be forgotten’ in relation to online search engines. The draft Regulation has also been updated so that the compromise version of Article 17 now states that the data subject has the right to request “erasure of personal data” related to them for a number of reasons. These reasons include that the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, that the data subject has withdrawn consent, or that the data has been unlawfully processed.
Data portability – Article 15
The General Data Protection Regulation (GDPR) requires that a data subject is able to request a copy of their personal data from a service provider. The data must be provided in a format that can be transferred to another processing system. This right will make it easier for individuals to transfer their personal data between service providers.
Data protection officers – Articles 35-37
Under the proposed GDPR, organisations that employ more than 250 people and do not systematically monitor individuals as their core business activity will have to appoint a data protection officer. He or she will monitor and implement the organisation’s data protection policies and frameworks and will also be responsible for running organisation-wide data protection training.
Notice of data breach – Articles 32 & 33
Another important change is that there will be more accountability in respect of data breaches. Organisations will, without undue delay, have to notify the relevant data protection authority of any breaches, as well as notifying the data subject where the data breach is likely to adversely impact the protection of their privacy or personal information. Today, this obligation only applies to companies in the telecoms sector. The guidance on ‘undue delay’ is unfortunately a little unclear. Initially, Justice Commissioner Viviane Reding wanted the time period to be 24 hours or less. However, the current draft of the Regulation indicates that companies will have 72 hours to inform the regulator. The notice obligation will require companies to create and then implement new processes to satisfy the breach notification requirement.
Warnings will be issued for first unintentional breaches. Notably, the General Data Protection Regulation (GDPR) will also introduce substantial fines for non-compliance or violations of up to 2% – 5% of the global turnover of the company in breach.
The General Data Protection Regulation Is Coming
As the General Data Protection Regulation (GDPR) is still in draft form at the time of writing, it remains to be seen how many further changes will be made to it before it is finalised. It is a case of waiting to see and keeping an eye on developments. Nevertheless, it is not too early for both EU organisations and non-EU organisations operating in Europe to start thinking about the internal processes and policy changes that they will need to implement as a result of the Regulation.