On December 15, 2015, following four years of close, sometimes contentious, review, the EU institutions agreed upon the text of the General Data Protection Regulation (the “GDPR”). One of the most important EU legislative initiatives in recent years, the GDPR is also a landmark in privacy regulation worldwide. As from the time the GDPR takes effect – most likely in early 2018 – data protection regulation for most of Europe will largely proceed from a single set of rules.
The GDPR will replace the Data Protection Directive (95/46/EC) (the “Directive”), adopted in 1995, which was intended to harmonize the privacy laws of the EU Member States but in practice resulted in compliance requirements that vary substantially by Member State owing to inconsistent national implementation and interpretation.
Broadly stated, the GDPR will apply to the processing of personal data by controllers and processors that are established in the EU, regardless of whether the processing takes place in the EU. In addition, it will apply to the processing of personal data of data subjects “who are in the EU” if the processing relates to the offering of goods or services to, or the monitoring of the behavior in the EU of, such data subjects. The new regime tightens existing privacy rules, establishes new requirements, and creates a harmonized system of fines, with some potentially as high as 4 percent of worldwide turnover, which national authorities will have the power to assess. The GDPR will be directly enforceable, and will not require implementation by the Member States.
Key new elements of the GDPR include the following:
- Notification of security breaches. The GDPR establishes a uniform notification requirement applicable to all EU data controllers. In the event of a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, controllers must notify the supervisory authority “without undue delay,” and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Controllers must also “communicate” breaches to affected data subjects “without undue delay” if the breach is likely to result in a “high risk” to the rights and freedoms of individuals. Such communication is not required, however, where:
(i) appropriate pre-breach security measures applied to affected data, in particular measures (e.g., encryption) rendering the data unintelligible to unauthorized persons; or
(ii) subsequent security measures taken ensure that high risks to data subject rights and freedoms will not materialize; or
(iii) it would involve disproportionate effort, in which case controllers must make a “public communication” or take a similar measure whereby data subjects are informed in an equally effective manner.
Supervisory authorities may order a controller to communicate a breach to data subjects if the controller has not already done so, or may decide that any of the above three conditions excusing communication is met.
Controllers must also document personal data breaches in a manner enabling the supervisory authorities to verify compliance, including the facts surrounding the breach, its effects, and remedial actions taken.
Providers of electronic communications networks and electronic communications services, which are already subject to breach notification requirements under the e-Privacy Directive, will not be subject to additional notification requirements under the GDPR. The GDPR does not, however, address potentially overlapping breach notification requirements that will come into effect for critical infrastructure providers and payment services providers upon implementation of, respectively, the recently adopted Network and Information Security Directive and the recently adopted Second Payment Services Directive.
- New Requirements for Processors. Under the Directive, data protection compliance is incumbent upon controllers. The only requirements applicable to processors are: (i) to process in accordance with the instructions of the controller; and (ii) to implement any security measures required under the law of the Member State where the processor is established. The GDPR establishes substantial, specific, new compliance obligations that apply directly to data processors. First and foremost, under the GDPR it will be the responsibility of both the controller and the processor to implement technical and organizational security measures appropriate to the risk presented by the processing. In addition, processors must ensure that their processing personnel are subject to confidentiality undertakings; assist the controller in responding to data subject rights requests, notifying security breaches, carrying out privacy impact assessments and “prior checking” consultations with the DPA; and provide any information necessary to demonstrate the controller’s compliance, including with respect to audits and inspections. Any sub-processors engaged by the processor must be subject, by contract, to the same obligations, and before engaging a sub-processor, the processor must obtain the controller’s prior written authorization (which may be specific or general); where the authorization is general, the processor must inform the controller of any intended change of sub-processor and give it an opportunity to object.
- Liability for Damages. Under the Directive, controllers are liable for damages caused by processing that is in breach of data protection law. The GDPR extends liability to processors and establishes rules on joint and several liability between processors and controllers. Briefly:
– Controllers are liable for damages caused by noncompliant processing.
– Processors are liable only for damages arising from processing that is noncompliant with obligations specifically directed to processors.
– A controller or processor is exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage.
– Where a controller and processor are both responsible for damages, each is liable for the entire damage.
- Designation of Data Protection Officers. The GDPR requires controllers – and processors – to appoint a data protection officer (DPO) where the processing is carried out by a public authority or body, or where their “core activities” consist of (i) processing that involves regular and systematic monitoring of data subjects on a large scale; or (ii) processing on a large scale of sensitive personal data (relating to, e.g., health, ethnicity, trade union membership) or data relating to criminal convictions and offenses. Thus, where the processing of personal data is merely incidental to a private-sector controller’s core activities (e.g., normal-course processing of HR or customer data), the GDPR does not mandate designation of a DPO. Member States, however, may require that DPOs be appointed in circumstances other than those mentioned above – thus, companies will have to continue to consult national law regarding DPOs.
- International Data Transfers. As expected, the GDPR expressly recognizes Binding Corporate Rules (“BCRs”) as a legal basis for the transfer of personal data within a group of companies, as well as within “groups of enterprises that are engaged in a joint economic activity.” The classic example of such joint activity is the exchange of personal data among airlines for purposes of frequent flyer and other customer management programs. Although data processors are not expressly referenced, the text does not exclude the possibility of BCRs for data processors.
The use of model clauses is also confirmed. Data exporters will no longer need to apply for data transfer permits from national supervisory authorities, as is the case in certain jurisdictions under the Directive. Interestingly, the text officially recognizes the possibility for controllers or processors to include the standard data protection clauses in a wider contract, including a contract between the processor and another processor, and to add other clauses or safeguards as long as they do not contradict standard clauses adopted by the European Commission or by a supervisory authority. Data transfer permits previously granted will remain valid until amended, replaced or repealed by the relevant supervisory authority.
Furthermore, data transfers will also be permissible when based on (i) model clauses issued by a supervisory authority and approved by the Commission; (ii) a code of conduct approved by the relevant supervisory authority and/or the Commission; or (iii) a certification mechanism, such as a privacy seal or mark, issued by an approved certification body. The classic data transfer exemptions, such as individual consent or the need to transfer personal data to comply with contractual obligations, have been retained.
It is worth noting that consent must be explicit, and that individuals must be informed “of the possible risks of such transfers […] due to the absence of an adequacy decision and appropriate safeguards.” The text retains the option to transfer personal data based on “compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject.” This exemption is available only where no other data transfer ground, including the other derogations, is available, and only where the transfers are not repetitive and concern a limited number of data subjects. In such cases, the controller must inform both the relevant supervisory authority and the data subjects of the transfer.
- Accountability Obligations. The Directive generally requires controllers to notify or register data processing operations with national supervisory authorities. This requirement – widely viewed as requiring substantial effort but offering little regulatory value – will no longer exist once the GDPR applies. In its place, the GDPR substitutes a series of “accountability” obligations intended to make controllers and processors take responsibility for their processing operations. Controllers and processors, for example, will be obliged to keep records of their processing operations and make those records available to the relevant supervisory authority on request. This obligation will not apply to companies with fewer than 250 employees, unless the processing is likely to present a risk to the rights and freedoms of data subjects, is more than occasional, or involves sensitive or criminal data.
- One-Stop Shop/Cross-Border Processing. The GDPR provides for a new cooperation mechanism in cases of cross-border processing by companies. Under the Commission’s initial proposal, companies that operate in several EU countries would deal with a single supervisory authority, that of the Member State in which they have their main establishment. Because that approach risked leaving data subjects without effective remedies in their own jurisdiction, the Parliament’s text provided that local supervisory authorities should be associated with cross-border investigations and enforcement actions under the supervision of a Lead Authority. The GDPR confirms this approach. The supervisory authority of the Member State in which a company has its main establishment (in principle, the place of its central administration) shall act as the Lead Authority. The Lead Authority may adopt binding decisions and must involve local supervisory authorities in such proceedings where: (i) the company has an establishment on the territory of their Member State; (ii) the processing substantially affects data subjects residing on their territory; or (iii) data subjects have lodged a complaint with them.
- Sanctions. The Commission’s initial proposal provided for fines of up to 2% of an organization’s annual worldwide turnover, without any discretion given to the supervisory authorities, and the Parliament increased the maximum fines for companies to EUR 100 million or 5% of annual worldwide turnover. The new Regulation provides for two tiers of maximum fines, depending on the type of infringement as assessed by the supervisory authority. For most infringements, fines can be up to the greater of EUR 10 million or 2% of annual worldwide turnover. This tier covers, for instance, violation of the requirements applying to the collection of children’s data, insufficient contractual safeguards in relationships with data processors, security failures, failure to notify the supervisory authority or data subjects of a data breach, failure to prepare privacy impact assessments where required, and failure to designate a DPO where required. Where the violation affects a core principle of the new Regulation, fines may be up to the greater of EUR 20 million or 4% of annual worldwide turnover. Collecting personal data without a valid legal basis falls within this category. Other categories include the processing of sensitive data where it is prohibited, failure to meet transparency and information obligations towards data subjects, failure to honor data subjects’ rights of access, erasure and rectification, transfers to third countries without a valid transfer mechanism, and failure to comply with orders of a supervisory authority.
Alston & Bird will continue to monitor developments with respect to the GDPR and will provide additional guidance as the situation continues to develop.