EU Parliament and Council’s Agreement on the GDPR and What It Means for Businesses

12/18/2015
Client Alert

After four years of discussions, the European Parliament and Council this week informally agreed on the text of the General Data Protection Regulation (GDPR), which will replace the now 20-year-old Data Protection Directive 95/46 (“Directive”). Although the agreed version of the GDPR reflects a political consensus, this version is not yet official. Council and Parliament still need to vote on it, which they plan to do in early 2016. The GDPR would then enter into force two years after adoption, in early 2018.

1. Key takeaways

When the GDPR goes into effect, it will have wide-ranging implications for companies operating in Europe as well as companies that have no operations at all in Europe.

While some of the goals originally articulated have been achieved, many have not. For example:

  • The Commission had announced the GDPR would lower administrative burden. However, the GDPR in many ways creates additional administrative requirements for controllers and processors, such as keeping detailed records of their processing activities and in specific cases appointing data privacy officers and performing extensive impact assessments (see next point).
  • The GDPR aimed to move from an ex ante to an ex post approach, reducing prior formalities to DPAs, and introducing accountability and self-assessments, on pain of very high penalties. This starting point is seriously undermined by the new obligation of controllers to perform an extensive data protection impact assessment (PIA) if an intended processing is likely to result in a high impact on privacy, and to perform a prior consultation of the Data Protection Authorities (DPA) if the PIA indeed shows a high impact (absent mitigating measures). This therefore also applies where consent will be requested for the processing. Our assessment is that many new processing activities will fall within these consultation requirements, which will prove much more burdensome than the prior registration requirements ever were.  
  • The main goal of the GDPR was to facilitate the digital market and achieve one uniform law for all EU Member States. This has not been achieved. For example the GDPR defines children as younger than 16, but each member state can lower this age limit (but not below 13 years). Other examples where member states are authorized to provide for additional safeguards or derogations are processing in the employment context and for scientific or historical research purposes. Companies working cross-border will therefore still have to check national laws in many areas.
  • The GDPR promised that multinationals would be supervised by one lead DPA (the “One-Stop-Shop”), being the DPA of its main establishment. This One-Stop-Shop has not materialized. The lead DPA has now turned out more like a first among equals, coordinating the input of the “concerned authorities” and being required to submit a draft decision to the concerned authorities “for their opinion and take due account of their views and they shall exchange all relevant information”.
  • The GDPR promised to be future proof. Re-use of data still needs to be “not-incompatible” with the original purposes for which the data were collected. This will seriously hamper the re-use of data by companies for big data analytics and the development of new services based thereon. 

Overall the GDPR will require significant reworking of privacy programs for companies, including for many currently not subject to EU data protection law.

  • The scope of the GDPR has been broadened and now also covers service providers established outside the European Economic Area that process personal data of EU individuals when this relates to the offering of goods/services to such individuals or monitors the behavior of individuals in the EU. U.S. websites that offer services to EU individuals will therefore now be subject to the GDPR.
  • Processors will become directly subject to requirements relating to data transfers, security, appointing a data protection officer, and recording their processing activities. This makes processors prime targets for enforcement, given that enforcement against processors (serving many customers) will be more efficient than the current situation where DPAs have to investigate the customer of the processor, being the data controller.

Companies should not wait until the end of the two-year implementation period to focus on these changes, given the additional powers of the DPAs and the potential significant fines. We note that the grandfathering clause of recital 134 does not grant much extra time and will rarely be available.

2. Comments on some noteworthy changes

We elaborate below on some of the noteworthy changes brought about by the GDPR and their practical impact for companies.

Consent not valid if services are made conditional on consent (Articles 4(8), 6(1)(a), 7(4), 9(2)(a) and recital 25) – The requirements as to consent seem to have remained the same, but this is deceptive. As in the Directive, consent must be unambiguous for regular personal data, and explicit for sensitive data. The GDPR, however, now explicitly provides that if the provision of services is made conditional upon consent for processing which is not necessary to render the services (e.g., processing for purposes of advertising, behavioral monitoring, and targeting), the consent is considered not to be “freely given”. As many of the current business models are based on providing free services and income is generated by the use of personal data for advertising purposes, this will have a severe impact on such business models. Also, written declarations for obtaining consent which cover several matters must distinguish the matter for which consent is requested, requiring separate consents. This will be quite a significant burden for companies and consumers alike.

Big data analytics – re-use of data for other purposes remains restricted – Despite proposals of the Commission and Council to broaden the possibilities for the re-use of data also for other purposes than those for which the data were originally collected, the GDPR has again codified the current “purpose limitation” and “data minimization” principles. This means that data may only be processed for explicit, specific and legitimate purposes and not be further processed for any purpose that is not compatible with the original purpose of collection. Furthermore, no more data than are necessary for the original purpose may be collected.

Also, the GDPR only explicitly recognizes as a legitimate secondary use processing for scientific or historical research purposes or for statistical purposes. This will hamper big data analytics as this in most cases will not qualify as research.

More extensive notice requirements (Articles 14 and 14(a)) – Individuals must receive much more extensive information when their personal information is both collected directly from them and obtained through other means (e.g., data brokers). Noteworthy new items compared to the Directive include the duty to notify individuals about the legal basis on which data will be processed, to specify the legitimate interest pursued (when relying on this as a legal basis), retention periods, to provide extensive information on transfers, to specify whether the processing will involve profiling, to offer the right to lodge complaints with DPAs, and to specify the source from which the data originates when not collected directly from individuals (which would mean, e.g., disclosing the identity of data brokers). This will again be a substantial burden on companies to craft notices that include all of the required information and a burden on individuals to understand and digest all of this information. It will be particularly complicated in the context of mobile devices and the Internet of Things.

More extensive individual rights (Chapter III) – There are more numerous and stronger individual rights, including regarding the right of access, data portability, the right to be forgotten, and restrictions on profiling. Procedures are laid down for addressing requests regarding such rights, with strict deadlines (in principle, within a month). Companies should start working now on these procedures (e.g., review current processes and policies, assess how these new procedures would fit their internal structures, etc.).

Individuals can exercise these rights for free, although the company may impose a reasonable fee, but only based on administrative costs for providing further copies of data after an initial access request.

The GDPR codifies the right to be forgotten relating to search engines such as Google, but goes much further, as it applies to all controllers (i.e., beyond delisting of search results in relation to individuals’ names). There are a number of derogations to this right, including where data are processed for scientific/historical research purposes or statistical purposes, or in relation to a legal claim (e.g., for a litigation hold).

Profiling – The GDPR does not regulate profiling as a separate topic, but again codifies the current provision on “automated decision making”: the individual has the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects on such individual or significantly affects him/her. Limited exceptions are foreseen, i.e., where a decision based on profiling is necessary to enter or perform a contract with the individual, is authorized by EU/member state law under certain conditions (e.g., fraud or tax evasion), or is based on explicit consent. For sensitive data, profiling is likely only possible for companies based on explicit consent. This provision has a potentially broad scope. Obvious examples are automatic refusal of credit applications or e-recruiting practices without human intervention. However, behavioral targeting is often based on automatic profiling and may also have a significant effect on individuals. This means that in most cases consent will be required (as is the case now).

Accountability – The GDPR claims to reduce formalities vis-à-vis the DPAs and reduce the administrative burden. Instead controllers have a general accountability obligation to implement appropriate measures to ensure and be able to demonstrate that its processing activities are in compliance with the GDPR, with potential high fines in case of failure (see below for the maximum fines). However, at the same time the GDPR introduces a great deal of red tape which does not lead to simplification. New obligations include:

  • Maintaining extensive records of processing activities (Art. 28) for controllers and processors, which must be available to DPAs. This appears as the main trade-off for removing prior registration duties. For controllers, these records must provide information as to, among others, purposes of processing, categories of data, individuals, and recipients, transfers (including the list of third countries to which data will be sent), erasure periods, and security measures. Requirements for processors are lighter. They require specifying the categories of processing, but not, for example, the underlying data categories or individuals, which was a major concern of hosting providers. Companies should start looking at their current documentation, archives, and databases to assess how they can meet these new requirements (e.g., what documents do they already have in place, what is missing, which business function should be in charge of maintaining the records, etc.).
  • Privacy by design and default. The controller must implement appropriate measures for ensuring that each and every data processing complies with principles of privacy by design and default. This entails that if a controller has obtained consent for a certain data processing activity, the controller must take all mitigating measures to ensure that the impact on privacy is mitigated (e.g., application of pseudonymization techniques, limiting access, data minimization, limiting data retention, etc.).
  • Data Protection Impact Assessments (DPIA) (Art. 33) are required if an intended processing is likely to result in a “high impact” on privacy, and a prior consultation of the DPA must be performed if the PIA indeed shows a high impact (absent mitigating measures). Many companies already have such or similar assessments, which we believe they can build on.
  • Mandatory appointment of a data protection officer (DPO) (Art. 35) for controllers and processors in case of processing sensitive data on a large scale or in case of regular and systematic monitoring of individuals (e.g., an employer monitoring its employees). This will affect most multinationals. Many have already anticipated this and have appointed a DPO. This is a good time to review the DPO’s current function and job description against the requirements of the GDPR and prepare to align this function accordingly.
  • Personal data breaches (Art. 31 and 32) will need to be notified by controllers to the DPA within 72 hours of becoming aware of these, unless the breach is unlikely to result in a “risk” for the rights and freedoms of individuals. Controllers will have to notify individuals “without undue delay” when a breach is likely to result in a “high risk” for their rights and freedoms. Processors do not need to notify DPAs or individuals directly, but must assist the controller in complying with its obligations in that respect. Companies should set up centralized processes to ensure breaches are rapidly escalated and can be reported within the required timing. This can include drafting incident response plans and performing data breach drills.

Transfers (Chapter V) – The principles of data transfers have not changed; personal data may still be transferred within the EU without restriction, and transfers outside the EU are prohibited unless an exemption applies. The GDPR provides for the following data transfer exemptions:

  • Adequacy decisions. Similar to the Directive, the Commission may decide that a third country, or territory or sector within that country, has an adequate level of data protection, further to which personal data can be sent from the EU to such location. New criteria have been added for the Commission to make this assessment, including evaluating the possibility of access of foreign public authorities to personal data. Previous adequacy decisions made under the Directive, i.e., “whitelisted” countries or a safe harbor program, remain valid. The Commission, however, will be required to monitor developments in locations which are recognized (under the Directive or GDPR) as adequate, and if found to no longer be adequate, repeal, amend, or suspend its adequacy decision. This creates a certain level of uncertainty on the long-term validity of these decisions. Companies may be well advised to put in place back-up transfer mechanisms (e.g., Binding Corporate Rules or Standard Contractual Clauses; see next point) in case an adequacy decision is repealed.
  • Safeguards. The GDPR sets out various safeguards which controller and processors may rely on to transfer data. These include Binding Corporate Rules, which are now codified and available for controllers and processors, and are subject to a streamlined approval process. We anticipate that reliance on this solution will continue to increase, and that this may be a robust solution for organizations.
  • Standard Contractual Clauses adopted or approved by the Commission are also an option. Previous DPA authorizations and the Commission’s current Standard Contractual Clauses remain valid. The GDPR also mentions codes of conduct and certification schemes by an accredited certification body as possible transfer solutions. Controllers and processors can also draw up their own customized contractual clauses for transfers, but must then seek DPA approval (Art. 2(a)(a)), which makes this far less attractive.
  • Derogations (such as those based on the individual’s consent or as needed for the performance of a contract) resemble those of the Directive, but are more restrictive. They apply to specific situations and are only available absent an adequacy decision or appropriate safeguard. A notable addition compared to the Directive is the possible reliance on “legitimate interest”. However, this ground is only valid where a transfer is not repetitive, concerns a limited number of individuals, and is necessary for a compelling legitimate interest of the controller (which should not be outweighed by the privacy interests of the individual). The controller must inform its DPA of the transfer, and individuals of the compelling legitimate interests for such transfer. It will therefore be quite difficult in practice to rely on derogations, and companies may need to turn to other solutions for their day-to-day transfers.

Disclosure to foreign authorities and courts (Art. 43a) – The GDPR does not provide for a solution where companies are required to transfer data based on a judgement of a foreign court or a decision of an administrative authority of a third country. The GDPR sets out that companies may not comply with such judgement or decision directly, but that these may only be enforced based on mutual legal assistance treaties. Companies faced with these types of conflicting requests risk remaining stuck between a rock and a hard place.

Increase of obligations and exposure of processors (Art. 26). Processors will now have direct responsibility for compliance with requirements relating to data transfers, security, appointing a data protection officer, and recording their processing activities. As in the Directive, controllers and processors must enter into a written agreement. However, the requirements of such agreement have been considerably extended. These now include, for example, the promise by the processor only to process data via documented instructions from the controller, including for transfers, confidentiality commitments, consent from the controller for enlisting sub-processors, a duty of care in selecting sub-processors, and deleting or returning data upon the end of the provision of data processing services. This will be particularly challenging in the context of cloud agreements. Processors are also much more exposed to enforcement as the DPAs will be able to directly audit processors (which facilitates audits of many controllers in one go, as well), rather than the current situation where the DPA had to investigate a controller, which in its turn would audit the processor based on the processor agreement.

Increase in enforcement powers of DPAs and fines (Art. 53 and 78). The GDPR directly grants broad powers to Data Protection Authorities (DPAs). This includes powers to launch investigations, suspend data flows, terminate processing activities, render advice, and impose fines of increasing levels of severity, of up to EUR 20 million or 4% of a company’s global annual turnover for certain infringements (such as to consent requirements, individual rights, transfer restrictions, and compliance with certain DPA orders). The global turnover includes revenues of affiliates. The GDPR also grants broad rights for individuals to lodge complaints with DPAs and obtain judicial remedies and compensation from companies.

3. Tips for actions

The GDPR version agreed by the Parliament and Council has lived up to expectations in some ways, but has been a disappointment in others. However, this version will most likely be the version which will end up being implemented and in force as of 2018. Companies should therefore actively start preparing to be ready on time. Key actions can include:

  • Assess whether your company now falls within scope of the GDPR, especially if you have no physical presence in the EU;
  • Review internal processes to meet requirements on individuals’ rights (e.g., how to grant access to data, what processes are in place to trace and remove individuals from databases, how long would this take, who’s in charge of this, whether data are in a standard format that can be exported to another company) and data breach notification requirements (set up incident response plans and test these through exercises and drills);
  • Review current databases, records, and archives to see what is in place and what is missing to meet recordkeeping requirements;
  • Set up or revise privacy impact assessment checklists and procedures to ensure they fit with the GDPR’s requirements;
  • Ensure a DPO is appointed to meet the GDPR’s requirements;
  • Review customer-facing materials to comply with new consent and transparency requirements; pay particular attention to data analytics, profiling, free services, and digital offerings to children given strengthened conditions on consent;
  • Review and amend agreements and templates with data processors;
  • Factor in new enforcement and fines in risk analysis and audit reports, and escalate the potential for such risk to relevant departments (e.g., Governance, Risk) and committees; and
  • Raise awareness and train employees to understand the upcoming requirements and risks.

©1996-2018 Morrison & Foerster LLP. All rights reserved.