After over four years of debates at the European level, the General data protection regulation (GDPR) was finally passed on 27 April 2016. The new regulation will apply in all the European member states in two years, as from 25 May 2018. (1) The compliance countdown is now running for all organisations processing personal data.
The GDPR is part of a more global reform of European data protection law - the “data protection package”, which also includes a directive on data transfers for policing and judicial purposes, i.e. personal data processed by the European police and judiciary authorities.
The GDPR will repeal Directive 95/46/EC of 24 October 1995 on the protection of personal data. The new text will be the base of our regulation of personal data protection in Europe, with a single set of rules (with a few exceptions).
The regulation is based on existing data protection law. The main principles regarding the processing of personal data, such as the principles of lawfulness, fairness and transparency of the data process, the principles of specified and legitimate purpose, of adequacy of the process, of data conservation for a limited duration and of data security are preserved. (art. 5) But because of the technical and behavioural evolutions that have occurred in our society since the 1995 Directive, it was important to adapt and complement the existing principles and implement more homogeneous rules within the European Union. This is however a complex text comprising 173 recitals and 99 articles, whereas the directive included only 34 articles.
We summarise below the main provisions of the GDPR regarding the rights of natural persons, followed by the rights of corporations (as data controllers or processors).
1. The rights of natural persons under the GDPR
Several provisions of the GDPR reinforce the existing rights on the data of natural persons (“data subjects”). We identified the major evolutions as follows:
- The conditions to obtain consent from the data subjects are reinforced (Art. 7): the terms regarding consent must be drafted in clear and explicit language. The data subject must be able to withdraw his consent at any time. The burden of proof of obtaining the data subject’s consent rests on the data controller who must be able to show that the data subject did give his consent to the process.
- The right to be informed is modified toward more transparency and simplification (art. 12, 13 and 14): the information must be concise, clear, intelligible and easily accessible. It must be drafted in clear and legible terms, especially when targeting children.
- The GDPR confirms the “digital right to be forgotten” (or right to erasure) as defined by the European court of justice (ECJ) in the Google Spain decision of 13 May 2014. (art. 17) The data subject can request the controller to erase his personal data without undue delay. Data erasure is however subject to certain conditions - including regarding the right to information - and is not automatic. These conditions and limitations to the right to be forgotten have been further defined since 2014 by subsequent case law.
- Data portability is a new right for the data subjects. (art. 20) Except in certain situations, data subjects can request the controller to recover or to transfer their collected data to a new data controller (e.g. transfer to a similar service proposed by a competitor). To prevent blocking or circumventing this obligation, the controller must transfer the data in a structured, commonly used, machine-readable format.
- Finally, the GDPR includes the principle of specific data protection rules for children below 16 years of age. (art. 8) Children are intensive users of internet services (social networks, chat, SMS, MMS) but are not necessarily aware of the concept of personal data and of how their data can be used by third parties. The GDPR identifies children as a distinct category of data subjects and recognises the need to provide specific protection to their data. The 38th recital provides that children must receive specific protection from organisations using their personal data for marketing purposes or user profile set ups. For online services targeting children (i.e. children below 16, or 13 in certain member states), the processing of children’s data will be subject to the consent or authorisation of the person having parental authority. The controller must implement “reasonable” means, taking into account available technology, to ensure the effectiveness of such parental consent.
2. The rights of data controllers and processors under the GDPR
Regarding the rights of the controllers and processors (corporations and any organisation processing personal data), we note a tendency toward simplification of formalities, but also toward more stringent obligations. Also, the level of the financial penalties was raised substantially. The major evolutions are as follows:
- Automated process and profiling techniques, which are used increasingly with big data projects for example, will be regulated. (art. 22) Such process will be authorised under certain conditions and provided the data subject has given his consent.
- According to the accountability principle, the controller must implement clear and accessible internal rules to guarantee and demonstrate compliance with the regulation on process inventory, security, and if applicable, compliance with the preliminary formalities and with the appointment of a data protection officer. (art. 5 and 24)
- During the development of new products or services, the controller must include personal data protection by default in the definition of the processing means and within the data process (“privacy by design” principle). (art. 5 and 25)
- The GDPR creates a new “joint controllers” concept (art. 26), to take into account the technical evolutions, especially with cloud computing services under which the entity collecting the data no longer controls the technical data process. Two data controllers may then co-exist, i.e. the entity collecting and using the data, and the entity which determines the technical means of the data process (often the hosting service provider or the cloud service provider, as a subcontractor of the data collector/controller). In case of joint liability, the joint controllers must define the respective scopes of their liability in performing their obligations, especially concerning the data subjects. The liability of the subcontractor is now acknowledged at the same level as its client’s.
- The GDPR withdrew the preliminary filing obligation for new data processing (art. 30) except for data transfers outside of the European Union which are subject to a specific regime. In return, the controller must (i) either keep an internal record of processing activities listing the data process implemented, (ii) or consult the supervisory authority prior to launching a new data process if such process requires an impact assessment and includes specific risks.
- The GDPR imposes stronger data protection security rules. Security breaches must be notified by all controllers, regardless of their main activity. (art. 5 and 32 to 34) For example in France, this notification duty is currently limited to communications operators and to “vitally important operators” (OIV) i.e. operators of critical infrastructures or services.
- A data protection officer (DPO) must be appointed in all companies where the core activities of the controller or processor consist of processing data which require monitoring of data subjects on a “large scale” or processing of specific categories of data on a “large scale”. (art. 37, 38 and 39) The data protection officer (which in France will replace the current “correspondant informatique et libertés” - CIL) must be a competent law and personal data protection professional. This person may be employed by that organisation or be a third party consultant.
- The rules regarding data transfers outside of the European Union won’t change substantially. (art. 44 to 50) As a principle, all data transfers outside of the EU remain prohibited. This prohibition may be waived for transfers to a third country offering an adequate level of protection, as defined by the European Commission and for transfers to companies in third countries, provided one of the available contractual tools has been implemented between the exporting controller and the importing processor (EU model contractual clauses, Binding corporate rules (BCRs) or code of conduct). It is still unclear whether existing adequacy decisions will be upheld for all third countries currently listed. Since the GDPR includes new and more stringent provisions, the Commission may decide to reassess whether these countries are still providing an adequate level of protection under the new Regulation.
- Companies that operate in several member states will designate a supervisory authority as the lead competent authority, for cross-border processing and to handle complaints. (art. 56) This lead supervisory authority shall be the authority of the seat of the main establishment, construed as the place where the main decisions regarding the data process purpose, conditions and means are made.
- The GDPR includes the possibility for the supervisory authorities to impose more stringent sanctions. (art. 83) Depending on the type of infringement, the supervisory authorities can impose administrative fines up to 10 million euros or 2% of the total worldwide turnover of the company during the preceding financial year, whichever is higher, or up to 20 million euros or 4% of the total worldwide turnover of the company during the preceding financial year.
Finally, the GDPR will apply not only within the European Union, but will also produce extra-territorial effects. (art. 3 and 27) The GDPR will apply:
- to controllers located within the European Union, whether or not the data process is performed in the EU, and
- to the data of EU citizens and residents processed by a controller or a processor (subcontractor) located outside the EU, if the products or services target the European market. Certain non-European companies may then have to comply with the GDPR.
Businesses should use this two-year transition period to work on their legal and operational compliance with the GDPR. This compliance exercise should include a legal review of their existing commercial terms and conditions and privacy policies applicable to their products and services, and a review of their internal corporate privacy policies. Certain types of data process will also require technical and/or operational review and upgrade (such as collecting the proof of consent by the data subject, especially for the processing of children’s data).
* * * * * * * * * * * *
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General data protection regulation)
Bénédicte DELEPORTE – Avocat
Deleporte Wentz Avocat
www.dwavocat.com
June 2016