The new EU General Data Protection Regulation goes into effect May 25th, 2018. You may have recently received notices of changes to privacy policies by Google, Twitter, and other tech companies. The reason: the GDPR. It attempts to create uniform rules for how personal data is managed in EU countries. The European continent’s first piece of legislation pertaining to the protection of personal data was the “Convention 108”, adopted in 1981 by the Council of Europe (a different international institution that the EU which brings together 47 countries). Later, in 1995, the European Union passed its directive “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. Unlike the 1995 personal data directive, which must be implemented by EU countries in their nationals laws, the new GDPR is EU law that applies without reliance on national implementing laws. The GDPR is also broader than the personal data directive. The key changes are discussed below.
OVERVIEW OF KEY CHANGES BY GDPR
1. Extensive territorial scope: controllers of data with no establishment in the EU can still be subject to the Regulation for processing related to the offering of goods and services in the EU, or to the monitoring of the behavior of data subjects located in the EU.
- No longer matters whether controllers actually process data within the EU.
- If an EU citizen's data is processed, the controller is subject to the GDPR.
2. Enhanced rights of data subjects:
- New right to ‘data portability’: in certain situations, controllers will be bound to transmit personal data to new controllers, on the request of data subjects who may wish to switch from on service to another;
- Upgraded rights to erasure (‘right to be forgotten’) and to restriction of processing;
- Substantial increase of the number of information items which must be provided to data subjects, including in particular the retention period of the collected data;
- More stringent conditions for a valid consent (where required): it will have to be freely given, specific, informed and unambiguous, by statement or by affirmative action.
3. Redesigned obligations for controllers and processors:
- Auto-compliance and accountability: controllers and processors must ensure and be able to demonstrate that they have implemented any technical and organizational measures in order to ensure that the processing carried out comply with the Regulation. Such demonstration may be helped through adhesion to codes of conducts, or through certifications;
- The end of prior notifications: the obligation to notify the competent supervising authority prior to each processing is replaced by an obligation to keep detailed records of processing activities;
- Data by design and by default: controllers and processors will be expressly bound to respect these principles which is viewed as an effective means for compliance;
- Specific measures to be implemented in certain situations: (i) appointment of a data protection officer; (ii) privacy impact assessments; and (iii) notification of data breaches to supervising authorities and to concerned data subjects;
- Other new obligations related in particular to the (i) joint controller regime (the breakdown of the different responsibilities will have to be determined); and to (ii) the choice of data processors and to the contracts between controllers and processors.
4. Reinforcement and clarification of the supervising authorities’ roles and powers:
- Administrative fines up to 20 million Euros or 4% of the worldwide annual turnover of the preceding financial year;
- For cross-border processing, a lead authority will handle issues in accordance to a new co-operation procedure between it and other concerned supervising authorities (which will remain competent alone in certain situations);
- Supervisory authorities will have to offer each other mutual assistance, and may conduct joint operations when necessary;
- A new entity, the “European Data Protection Board”, will replace the Article 29 Working Party and will be in charge of providing opinions to supervising authorities on certain matters, of ensuring consistent application of the Regulation (by supervising authorities) in particular through a dispute resolution mechanisms, of issuing guidelines, of encouraging the drawing-up of codes of conducts etc.