The European personal data protection directive of 24 October 1995 applied to data processing carried out by companies, i.e. data controllers, located within the European Union. Data processing activities carried out by data controllers located outside of the EU were generally not subject to the provisions of the European directive as transposed into the national laws of the Member States. (1) With the development of technology and of online services around data, many companies located outside of the European Union, such as Google, Amazon, Facebook or Apple (the “GAFA”) for example, collect and process data from Europeans and “escape” the European regulations, even though data transfers to these American companies can be subject to the Privacy Shield principles.
Now, data and more specifically personal data is at the core of the digital economy. It then became necessary to update the European personal data laws to take into account the technology developments that have occurred since the 1995 directive, and assure a high and homogenous level of protection to personal data. This was done with the General Data Protection Regulation (GDPR). This European text was adopted on 27 April 2016 after over four years of intensive debates. It will become applicable on 25 May 2018. (2)
One of the purposes of the GDPR is to take into account, cases where several data controllers and/or processors located in different regions in the world are involved in data processing; but also cloud computing and big data services (with servers installed and data collected in several regions); and the activities carried out by the GAFA, so that the personal data of the people living in Europe remain protected regardless of where the data controller is located in the world.
The scope of the regulation covers not only businesses in the European Union but also non-EU companies targeting the European market. These non-EU companies are therefore concerned by the GDPR and must get compliant with these new rules.
1. The GDPR is applicable in Europe and beyond
The 1995 directive had to be transposed into national law of the Member States. These national data protection laws did however include differences between the Member States, certain countries having opted for a strict transposition of the European directive, whereas other countries chose a more liberal approach.
The GDPR will become enforceable directly in all the European Union. Its provisions will apply almost identically in all the Member States, except for a few provisions which may differ slightly among the Member States. (3)
But where the directive had moderate impact outside of the EU, the regulation will apply not only within the EU but will also produce extra-territorial effects, beyond the EU borders. (4)
1.1 Application within the European Union
The regulation shall apply to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place within the EU.
The establishment located in the EU implies the effective and real exercise of activity through “stable arrangements”. However the establishment is not subject to any particular legal form. It may be the headquarters, or a subsidiary or even a branch of a company itself located outside of the Union.
The processing may be carried out in or outside the EU. With this provision databases hosted via a cloud computing service can be governed by the GDPR, regardless of where the servers are actually installed in the world.
1.2 Extra-territorial application
The regulation shall also apply to processing regarding individuals located in the EU, carried out by a data controller or a processor not established in the Union where the processing activities are related to offering goods (e.g. e-commerce activity) or services (e.g. mobile applications, cloud hosting services) to such data subjects, whether connected to a payment or free of charge.
To establish whether the data controller or the processor is actually targeting the European market by proposing goods or services to persons located in the EU, one must gather a number of elements such as the use of a European language or of a currency such as the euro and the fact that the products or services can be delivered in Europe. The mere accessibility of the web site of the company in Europe, or an email address are not sufficient to establish that that company targets the European market.
The data processing of persons located in the Union by a company, controller or processor, which is not established in the Union is also subject to the GDPR when the purpose of such processing is to monitor the behaviour of these persons, if such behaviour takes place in the EU. This provision is mainly about online profiling, “particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” (5)
One should also note that these provisions shall apply to data controllers and to processors. The latter should also take all necessary measures to comply with the GDPR.
The GDPR is not limited to controllers and processors located in the European Union. Its geographical scope reaches beyond the EU borders whenever personal data of European data subjects are processed.
2. What are the consequences for non-European businesses?
Companies that have no establishments in the European territory but that target the EU for their commercial activities (see criteria above), and that in doing so collect and process personal data of European subjects will therefore have to comply with the GDPR, the deadline being 25 May 2018.
2.1 The designation of a representative in the Union
Beyond the GDPR compliance work to be carried out, controllers and processors that have no establishment in the EU must designate a representative in the EU, “in writing”. (6)
This representative must be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. The representative, as the agent of the controller or processor shall be the point of contact for the supervisory authority and for the data subjects having questions about the processing. The controller and processor shall however remain primarily legally liable with regards to GDPR compliance and its due application.
It must be noted that no representative must be designated in the following cases:
processing which is occasional,
which does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in article 10, and
and is unlikely to require a privacy impact assessment (PIA) subject to article 35 of the GDPR.
Also, non-European public authorities or bodies are not concerned by the designation of a representative.
2.2 The United Kingdom after Brexit
Once the United Kingdom is no longer a Member State, the European regulation will no longer apply to it. However, the UK government has declared that they wanted to pass a new law, repealing the Data Protection Act 1998 currently in effect, so as to include the GDPR into English law.
The purpose of this Bill is to reassure businesses after Brexit, on the ability to keep transferring personal data between the UK and the EU. In doing so, the UK wants to ensure that its Data protection law will be considered as offering an adequate level of protection by the Brussels Commission, allowing businesses to keep transferring personal data between the UK and the EU without restrictions. (7)
2.3 GDPR compliance
The European regulation includes several new principles and existing rights that were reinforced. These principles and rights must be integrated in the internal procedures of businesses processing personal data of Europeans. This can be a costly, burdensome and time consuming process. These principles can be divided up between the rights of data subjects and the obligations of the controllers and processors.
a) The rights of data subjects
- The conditions to obtain consent from the data subjects are reinforced (art. 7): the terms regarding consent must be drafted in clear and explicit language;
- The right to be informed is modified toward more transparency and simplification (art. 12, 13 and 14)
- Data portability (art. 20) permits data subjects to request the controller to recover or to transfer their collected data to a new data controller;
- For online services targeting children (i.e. children below 16, or 13 in certain Member States), processing children data will be subject to the consent or authorisation of the person having parental authority. (art. 8)
b) The obligations of the controllers and processors
- Automated process and profiling techniques will be regulated. (art. 22) Such process will be authorised under certain conditions and provided the data subject has given his consent;
- According to the accountability principle, the controller must implement clear and accessible internal rules to guarantee and demonstrate compliance with the regulation (art. 5 and 24);
- During the development of new products or services, the controller must include personal data protection by default in the definition of the processing system and within the data process (“privacy by design” principle) (art. 5 and 25);
- The GDRP imposes stronger data protection security rules. Security breaches must be notified by all controllers, regardless of their main activity (art. 5 and 32 to 34);
- A data protection officer (DPO) must be appointed in all companies where the core activities of the controller or processor consist of processing data which require monitoring of data subjects on a “large scale” or processing of specific categories of data on a “large scale” (art. 37, 38 and 39).
Finally, the GDPR includes the possibility for the supervisory authorities to impose more stringent sanctions. (art. 83) Depending on the type of infringement, the supervisory authorities can impose administrative fines up to 10 million euros or 2% of the total worldwide turnover of the company during the preceding financial year, whichever is higher, or up to 20 million euros or 4% of the total worldwide turnover of the company during the preceding financial year.
* * * * * * * * * * * *
(1) See article 4 “National law applicable” of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
(2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(3) For example, each Member State can choose the minimum age for a child to give his/her consent, between 13 and 16 years (art.8).
(4) See GDPR, recitals 22 to 24 and article 3 “Territorial scope”
(5) Recital 24
(6) GDPR, article 27
(7) “UK Government announces proposals for a new Data Protection Bill”, in Technology Law Dispatch, 16 August 2017
(8) For a more detailed analysis of the GDPR, see our previous articles on this matter: New European General Data Protection Regulation (GDPR): the compliance clock is ticking, How to prepare for GDPR compliance and be ready by May 2018
Deleporte Wentz Avocat