After four years of discussions, the European Parliament and Council this week informally agreed on the text of the General Data Protection Regulation (GDPR), which will replace the now 20-year-old Data Protection Directive Data 95/46 (“Directive”). Although the agreed version of the GDPR reflects a political consensus, this version is not yet official. Council and Parliament still need to vote on it, which they plan to do in early 2016. The GDPR would then enter into force two years after adoption, in early 2018.
1. Key takeaways
When the GDPR goes into effect, it will have wide ranging implications for companies operating in Europe as well as companies who have no operations at all in Europe.
While some of the goals originally articulated have been achieved, many have not. For example:
Overall the GDPR will require significant reworking of privacy programs for companies, including for many currently not subject to EU data protection law.
Companies should not wait until the end of the two-year implementation period to focus on these changes, given the additional powers of the DPAs and the potential significant fines. We note that the grandfathering clause of recital 134 does not grant much extra time and will be rarely be available.
2. Comments on some noteworthy changes
We elaborate below on some of the noteworthy changes brought about by the GDPR and their practical impact for companies.
Consent not valid if services are made conditional on consent (Articles 4(8), 6(1)(a), 7(4), 9(2)(a) and recital 25) – The requirements as to consent seem to have remained the same, but this is deceptive. As in the Directive, consent must be unambiguous for regular personal data, and explicit for sensitive data. The GDPR, however, now explicitly provides that if the provision of services is made conditional upon consent for processing which is not necessary to render the services (e.g., processing for purposes of advertising, behavioral monitoring, and targeting), the consent is considered not to be “freely given”. As many of the current business models are based on providing free services and income is generated by the use of personal data for advertising purposes, this will have a severe impact on such business models. Also, written declarations for obtaining consent which cover several matters must distinguish the matter for which consent is requested, requiring separate consents. This will be quite a significant burden for companies and consumers alike.
Big data analytics – re-use of data for other purposes remains restricted – Despite proposals of the Commission and Council to broaden the possibilities for the re-use of data also for other purposes than those for which the data were originally collected, the GDPR has again codified the current “purpose limitation” and “data minimization” principles. This means that data may only be processed for explicit, specific and legitimate purposes and not be further processed for any purpose that is not compatible with the original purpose of collection. Furthermore, no more data than are necessary for the original purpose may be collected.
Also, the GDPR only explicitly recognizes as a legitimate secondary use processing for scientific or historical research purposes or for statistical purposes. This will hamper big data analytics as this in most cases will not qualify as research.
More extensive notice requirements (Articles 14 and 14(a)) – Individuals must receive much more extensive information when their personal information is both collected directly from them and obtained through other means (e.g., data brokers). Noteworthy new items compared to the Directive include the duty to notify individuals about the legal basis for which data will be processed, to specify the legitimate interest pursued (when relying on this as a legal basis), retention periods, to provide extensive information on transfers, to specify whether the processing will involve profiling, to offer the right to lodge complaints with DPAs, and, to specify the source from which the data originates when not collected directly from individuals (which would mean, e.g., disclosing the identity of data brokers). This will again be a substantial burden on companies to craft notices that include all of the required information and a burden on individuals to understand and digest all of this information. It will be particularly complicated in the context of mobile devices and the Internet of Things.
More extensive individual rights (Chapter III) – There are more numerous and stronger individual rights, including regarding the right of access, data portability, the right to be forgotten, and restrictions on profiling. Procedures are laid down for addressing requests regarding such rights, with strict deadlines (in principle, within a month). Companies should starting working now on these procedures (e.g., review current processes and policies, assess how these new procedures would fit their internal structures, etc.).
Individuals can exercise these rights for free, although the company may impose a reasonable fee, but only based on administrative costs for providing further copies of data after an initial access request.
The GDPR codifies the right to be forgotten relating to search engines such as Google, but goes much further, as it applies to all controllers (i.e., beyond delisting of search results in relation to individuals’ names). There are a number of derogations to this right, including where data are processed for scientific/historical research purposes or statistical purposes, or in relation to a legal claim (e.g., for a litigation hold).
Profiling – The GDPR does not regulate profiling as a separate topic, but again codifies the current provision on ”automated decision making”: the individual has the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects on such individual or significantly affects him/her. Limited exceptions are foreseen, i.e., where a decision based on profiling is necessary to enter or perform a contract with the individual, is authorized by EU/member state law under certain conditions (e.g., fraud or tax evasion), or is based on explicit consent. For sensitive data, profiling is only likely possible for companies based on explicit consent. This provision has a potentially broad scope. Obvious examples are automatic refusal of credit applications or e-recruiting practices without human intervention. However, often behavioral targeting is based on automatic profiling and may also have a significant effect on individuals. This means that in most cases consent will be required (as is the case now).
Accountability – The GDPR claims to reduce formalities vis-à-vis the DPAs and reduce the administrative burden. Instead controllers have a general accountability obligation to implement appropriate measures to ensure and be able to demonstrate that its processing activities are in compliance with the GDPR, with potential high fines in case of failure (see below for the maximum fines). However, at the same time the GDPR introduces a great deal of red tape which does not lead to simplification. New obligations include:
Transfers (Chapter V) -- The principles of data transfers have not changed; personal data remains may be transferred within the EU without restriction, and transfers outside the EU are prohibited unless an exemption applies. The GDPR provides for the following data transfer exemptions:
Disclosure to foreign authorities and courts (art. 43a) -- The GDPR does not provide for a solution where companies are required to transfer data based on a judgement of a foreign court or a decision of an administrative authority of a third country. The GDPR sets out that companies may not comply with such judgement or decision directly, but that these may only be enforced based on mutual legal assistance treaties. Companies faced with these types of conflicting requests risk remaining stuck between a rock and a hard place.
Increase of obligations and exposure of processors (Art. 26). Processors will now have direct responsibility for compliance with requirements relating to data transfers, security, appointing a data protection officer, and recording their processing activities. As in the Directive, controllers and processors must enter into a written agreement. However, the requirements of such agreement have been considerably extended. These now include, for example, the promise by the processor only to process data via documented instructions from the controller, including for transfers, confidentially commitments, consent from the controller for enlisting sub-processors, a duty of care in selecting sub-processors, and deleting or returning data upon the end of the provision of data processing service. This will be particularly challenging in the context of cloud agreements. Processors are also much more exposed to enforcement as the DPAs will be able to directly audit processors (which facilitates audits of many controllers in one go, as well), rather than the current situation where the DPA had to investigate a controller, which in its turn would audit the processor based on the processor agreement.
Increase in enforcement powers DPAs and fines (Art. 53 and 78). The GDPR directly grants broad powers to Data Protection Authorities (DPA). This includes powers to launch investigations, suspend data flows, terminate processing activities, render advice, and impose fines of increasing levels of severity, of up to EUR 20 million or 4% of a company’s global annual turnover for certain infringements (such as to consent requirements, individual rights, transfer restrictions, and compliance with certain DPA orders). The global turnover includes revenues of affiliates. The GDPR also grants broad rights for individuals to lodge complaints with DPAs and obtain judicial remedies and compensation from companies.
3. Tips for actions
The GDPR version agreed by the Parliament and Council has lived up to expectations in some ways, but has been a disappointment in others. However, this version will most likely be the version which will end up being implanted and in force as of 2018. Companies should therefore actively start preparing to be ready on time. Key actions can include: