The new EU General Data Protection Regulation goes into effect May 25th, 2018. It attempts to create uniform rules for how personal data is managed in EU countries. The European continent’s first piece of legislation pertaining to the protection of personal data was “Convention 108”, adopted in 1981 by the Council of Europe (an international institution distinct from the EU, which brings together 47 countries). Later, in 1995, the European Union passed its directive “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. Unlike the 1995 personal data directive, which must be implemented by EU countries in their national laws, the new GDPR is EU law that applies without reliance on national implementing laws. The GDPR is also broader than the personal data directive. The key changes are discussed below. You can see the text of the GDPR here: PDF and HTML.
Overview of Key Changes by GDPR
1. Extensive territorial scope: controllers of data with no establishment in the EU can still be subject to the Regulation for processing related to the offering of goods and services in the EU, or to the monitoring of the behavior of data subjects located in the EU.
- It no longer matters whether controllers actually process data within the EU.
- If an EU citizen's data is processed, the controller is subject to the GDPR.
2. Enhanced rights of data subjects:
- New right to ‘data portability’: in certain situations, controllers will be bound to transmit personal data to new controllers, on the request of data subjects who may wish to switch from one service to another;
- Upgraded rights to erasure (‘right to be forgotten’) and to restriction of processing;
- Substantial increase of the number of information items which must be provided to data subjects, including in particular the retention period of the collected data;
- More stringent conditions for a valid consent (where required): it will have to be freely given, specific, informed and unambiguous, by statement or by affirmative action.
3. Redesigned obligations for controllers and processors:
- Auto-compliance and accountability: controllers and processors must ensure, and be able to demonstrate, that they have implemented the technical and organizational measures needed to ensure that the processing they carry out complies with the Regulation. Such demonstration may be helped through adherence to codes of conduct, or through certifications;
- The end of prior notifications: the obligation to notify the competent supervising authority prior to each processing is replaced by an obligation to keep detailed records of processing activities;
- Data protection by design and by default: controllers and processors will be expressly bound to respect these principles, which are viewed as an effective means of compliance;
- Specific measures to be implemented in certain situations: (i) appointment of a data protection officer; (ii) privacy impact assessments; and (iii) notification of data breaches to supervising authorities and to concerned data subjects;
- Other new obligations relating in particular to (i) the joint controller regime (the breakdown of the different responsibilities will have to be determined); and (ii) the choice of data processors and the contracts between controllers and processors.
4. Reinforcement and clarification of the supervising authorities’ roles and powers:
- Administrative fines up to 20 million Euros or 4% of the worldwide annual turnover of the preceding financial year;
- For cross-border processing, a lead authority will handle issues in accordance with a new co-operation procedure between it and the other concerned supervising authorities (which will remain solely competent in certain situations);
- Supervisory authorities will have to offer each other mutual assistance, and may conduct joint operations when necessary;
- A new entity, the “European Data Protection Board”, will replace the Article 29 Working Party and will be in charge of providing opinions to supervising authorities on certain matters, of ensuring consistent application of the Regulation (by supervising authorities), in particular through a dispute resolution mechanism, of issuing guidelines, of encouraging the drawing-up of codes of conduct, etc.
Analysis of Key Changes
1. Extensive territorial scope
Article 3 of the Regulation provides for a broad and, hopefully, clarified territorial scope of the EU’s data protection legislation. Similarly to the Directive, the Regulation is applicable to all processing carried out in the context of an establishment of the data controller in the EU. According to the ECJ’s recent case law, the concept of establishment must be understood broadly and is quite flexible (a company is established where it exercises any real and effective activity, even a minimal one). In addition, the Regulation will be applicable even to data controllers with no establishment in the EU, where they process data in relation to (i) the offering of goods and services to data subjects in the EU; and (ii) the monitoring of data subject behavior in the EU. These controllers will have an obligation to designate a representative in the Union, subject to a few exceptions (occasional processing that does not involve large-scale processing of sensitive data or of data relating to criminal convictions and offences, and that is unlikely to result in a risk to the rights and freedoms of natural persons).
2. Enhanced rights of data subjects
a. New right to portability (art. 20)
The right to portability may be seen as an extension of the right of access. Under the Directive, data subjects could require that controllers communicate all of the personal data they held on them, “in an intelligible form”. Now, controllers may be asked to transmit this data directly to another controller (for example where data subjects switch from one online service to another). Two cumulative conditions must be fulfilled: (i) the processing is based either on consent or on a contract; and (ii) the processing is carried out by automated means. The right is subject to some exceptions. For example, it will not apply to processing carried out in the public interest.
b. Upgraded rights to erasure and to restriction of processing (art. 17 & 18)
The Directive states that data subjects have the right to ask for “as appropriate the […] erasure or blocking of data the processing of which does not comply with the provisions of this Directive” (art. 12 (b)). These two rights will now constitute two specific distinct provisions:
- The right to erasure (‘right to be forgotten’) (art. 17): this right essentially concerns situations where the processing is, or becomes, non-compliant with the Regulation (e.g.: the processing is no longer necessary in view of its initial purpose; consent is withdrawn, where applicable; the data subject has objected to further processing and nothing justifies keeping the data; the processing was unlawful, etc.). Moreover, it is subject to several exceptions (e.g.: freedom of expression and information; legal obligation; public interest in the area of public health, etc.);
- The right to restriction of processing (art. 18): this right replaces the ‘right to blocking’. It may be viewed as an alternative to the right to erasure, where (i) necessary verifications are pending (e.g.: verification of the contested accuracy of the personal data); or (ii) the data subject wishes the data to remain stored by the controller, in particular for the purpose of the establishment, exercise or defence of legal claims.
c. Information notices (art. 13 & 14)
The Regulation significantly increases the number of information items to be provided to data subjects when their data is collected. For example, under the Directive, where the data was obtained directly from a data subject, the latter had at least to be informed of: (i) the identity of the data controller; (ii) the purposes of the processing; (iii) the recipients or categories of recipients of the data; (iv) whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply; (v) their rights of access (including the right to erasure) and rectification.
From May 25th, 2018, controllers will have to add the following to this list:
- If applicable: the contact details of the data controller’s data protection officer;
- If applicable: the “legitimate interest” on which the data processing is based;
- If applicable: details about international transfers of personal data;
- The retention period of the data which is collected or, if that is not possible, the criteria used to set it;
- The right to object to further processing, as well as the rights to data portability and to restriction of processing;
- The right to lodge a complaint with a supervisory authority;
- If applicable: the right to withdraw consent;
- Whether there is a statutory or contractual requirement to provide the data, whether the data subject is obliged to provide it, and the consequences of not providing it;
- If applicable: information about any automated decision-making mechanisms (e.g.: profiling), in particular on the logic involved and on the consequences for the data subject.
The practical implementation should give controllers some of their strongest headaches, especially regarding retention periods which, in many cases, will first have to be clarified internally. This might also conflict with the requirement that information notices be concise and clear. However, to help fulfil this requirement, the Commission will be able to introduce standardized icons.
d. Consent (art. 4 & 7)
Consent is one of the grounds on which processing may rely to be lawful. Where that is the case, the Regulation imposes more stringent requirements for consent to be valid. Consent will have to be “freely given, specific, informed, and unambiguous”, and may be expressed through a statement or an affirmative action (art. 4(11)). This means that pre-ticked boxes, let alone silence, should not constitute valid consent. In addition, consent will have to be “distinguishable from other matters” and be revocable at any time as easily as it was given (art. 7).
3. Redesigned obligations for controllers and processors
a. Auto-compliance and accountability (art. 24)
Compliance with the Directive was notably ensured through preliminary formalities (e.g.: prior notification of new processing to the supervising authority). The Regulation changes this logic. Controllers will be bound to implement “appropriate technical and organizational measures to ensure […] that processing is performed in accordance with this Regulation”, and will have to be able to demonstrate at any time that their processing complies with the Regulation. In order to facilitate such demonstration, controllers will be able to adhere to codes of conduct (see art. 40) or obtain specific certifications (see art. 42).
b. New obligations
Obligations as regards any processing: Records of processing activities (art. 30): controllers – or their representatives – and processors employing more than 250 persons will have to keep detailed records of all data processing activities. This obligation will replace the obligation to notify supervisory authorities of each new processing. However, domestic laws may still require prior authorization for specific categories of processing (e.g.: sensitive data). In addition, controllers will have to respect the principles of data protection by design and by default (art. 25) at all steps of the processing, in order to comply with the data protection principles and in particular the concept of data minimization (i.e.: that only the data strictly necessary should be collected, that such data should only be used for limited purposes, and that it should be retained only for the strictly necessary amount of time).
Specific obligations as regards the situation: Appointment of a data protection officer (art. 37): where the controller (i) is a public authority; or where (ii) its core activities (or those of the processor) consist of regular and systematic monitoring of data subjects on a large scale; or where (iii) its core activities (or those of the processor) consist of processing sensitive data on a large scale. Privacy impact assessments and prior consultation (art. 35 & 36): where there is a high risk that a particular processing infringes upon the rights and freedoms of natural persons, PIAs will be mandatory. The Regulation gives examples of processing for which PIAs should be mandatory (e.g.: processing related to profiling, sensitive data, etc.). This list will be complemented by lists established by supervisory authorities.
If the results of the PIA indicate that such a high risk exists, the competent supervisory authority will have to be consulted.
In case of a personal data breach (art. 33): the Regulation will require that (i) processors notify controllers without delay of any personal data breach; and that (ii) controllers, in turn, notify such a breach to the competent supervisory authority no later than 72 hours after having become aware of it.
Affected data subjects must also be notified, except where there is no high risk for their rights and freedoms, or where appropriate measures have been taken in time, or if it would trigger disproportionate efforts for the controller.
c. Joint controllers
The concept of joint controllers, which is increasingly relied on given the multiplication of operators in online digital processing, was already embedded in the Directive. The Regulation adds that joint controllers will be obligated to determine their respective responsibilities for compliance by means of an arrangement between them.
d. Using data processors
Controllers will be bound by a real duty of care with regard to selecting reliable data processing service providers. Contracts between controllers and processors will have to include mandatory information and provisions, and may use standard contractual clauses published by the Commission and supervisory authorities.
4. Reinforcement and clarification of the supervising authorities’ roles and powers
Administrative fines: the maximum fine that a supervisory authority will be able to impose will now be set at 20 million Euros, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For most countries, this will represent a large increase (e.g.: until the recent adoption of the “Digital Republic” Act, the fine that the French supervisory authority was able to impose was limited to 300 000 Euros, and only for repeated violations).
Competence & lead authority: where a controller or a processor carries out cross-border processing through a single or multiple establishments, the supervisory authority in the country where the single or the main establishment is located will be designated as the “lead authority” (art. 56).
Local authorities may still be competent for issues that relate only to their territory and do not substantially affect data subjects located in other territories. However, even in this case, the lead authority must still be informed of the matter and will be given three weeks to decide whether or not it will handle the case anyway.
Relations between supervisory authorities:
The lead authority will handle cases in compliance with a co-operation (with other concerned authorities) procedure provided for by the Regulation (art. 60). For example, the other concerned authorities will be able to object to all or part of the draft decisions of the lead authority. In the case where the lead authority does not intend to follow such objections, it must submit the matter to the “consistency mechanism” (see hereunder).
In order that the Regulation be enforced in a consistent manner, supervisory authorities will have to share information with each other and request mutual assistance when necessary.
Where appropriate, joint operations may be conducted. Supervisory authorities that are competent on a territory where the concerned controller or processor is established, or where a significant number of data subjects are likely to be substantially affected, may take part in such joint operations.
The Regulation also contains a specific “consistency mechanism” which includes a dispute resolution procedure to help resolve issues between authorities, and an urgency procedure (art. 63 and following). The European Data Protection Board (see hereunder) will be in charge of overseeing this mechanism. The European Data Protection Board (art. 68): this new entity will be composed of the different national supervisory authorities (previously gathered in the Article 29 Working Party), the European Data Protection Supervisor, and a (non-voting) representative of the EU Commission. The Board will be responsible for handling the consistency and dispute resolution mechanisms, issuing guidelines and advice, etc.
-Analysis by Sylvain Naillat