In April 2016, the European Union adopted new legislation on data protection. The part relevant to private enterprises (EU Regulation 2016/679) is known as the General Data Protection Regulation or “GDPR.” The GDPR is subject to a two-year grace period and will apply from 25 May 2018.
Why does it matter?
There were good reasons to allow a two-year grace period before the GDPR comes into effect. The new legislation introduces significant changes to the regulatory environment. National and EU-level regulators, as well as legislatures, are now required to implement the new legislation, and over the next two years private enterprises (as well as governments) will need to set themselves up for compliance with the new rules. For many companies, compliance with the GDPR will be a much more involved process than it has been under previous rules.
Non-EU companies are more likely to become subject to the EU regulatory framework.
For non-EU companies, the most significant reform concerns the territorial reach of the EU legislation. Under previous EU law, companies without a physical presence or employees in the EU territory had one main compliance issue to deal with – how to get data out of the EU without breaking local rules. The “Safe Harbor” scheme (which was replaced in July 2016 with the EU-U.S. Privacy Shield) provided a convenient route to compliance for many U.S. companies. For companies that did not wish to participate in the Safe Harbor, other mechanisms were available to ensure compliance with the EU’s data export rules. In practice, these mechanisms were all rather technical and the burden of compliance was fairly light.
The GDPR takes a different and more substantive approach to the issue of jurisdiction. Even if the data is collected by a controller or processor operating entirely outside the EU, if the data relates to the offering of goods or services to EU residents or to the monitoring of their behavior, the controller and processor of the data will be subject to the full jurisdiction of the EU regulation. Effectively, almost all companies that collect or process data relating to individuals in the EU will be required to comply fully with the requirements of the GDPR.
The regulatory burden intensifies.
Part of the philosophy behind the new legislation is to introduce ‘data protection by design’: various measures that seek to achieve a culture change, from box-ticking compliance to a more substantive approach requiring controllers and processors to be active in minimizing risks. In practice, this means that companies will need to think more carefully about how they comply and will indeed be expected to put more resources into compliance.
What will compliance entail?
The GDPR introduces various new requirements. There will be a general obligation on data controllers to consider in each case (and to state in documentation) the legal basis for the collection and processing of personal data, how much data can lawfully be collected and for what purposes, for how long it is going to be kept, how the controller will ensure that the data will be used only for legitimate purposes and how it will ensure data security. A particular emphasis is placed on anonymisation, pseudonymisation and data security.
Many data controllers (although not all) will need to prepare a formal data processing impact assessment. Some will need to appoint a data protection compliance officer. Some (in cases deemed to be “high risk”) will need to seek the approval and guidance of a regulator for the manner in which they propose to process personal data.
Other obligations include providing specific information to data subjects (typically when the data is initially collected). Data subjects will have broader rights than before, including the right to object to various forms of processing of their data (such as processing for profiling, direct marketing or automatic decision making purposes), the right to require data to be erased (known as ‘the right to be forgotten’) and the right to have their data transferred in a convenient format to another service provider (‘data portability’). Data controllers will have the burden to comply with such requests at their own expense. They will also need to ensure compliance by the parties who receive the data from the data controller.
The requirements regarding data breaches have been ratcheted up. EU legislation had previously been at best vague on the issue. The GDPR introduces new specific obligations on data controllers, including the duty to alert regulators and (in many cases) notify affected data subjects of security breaches. Many U.S. companies may already be familiar with such requirements and procedures, which are required under various U.S. state laws. The new EU legislation raises the bar, although it will have the relative advantage of a uniform code applicable across all EU member states (contrasted with the state-by-state approach in the U.S.).
The new EU legislation envisages that over time regulators and other parties will introduce codes of practice, guidance and compliance schemes to help data controllers comply. As these additional tools develop, compliance requirements will become more specific and (hopefully) less open to subjective interpretation. For example, regulators are required to produce guidance as to which processing activities should require data controllers to conduct a data processing impact assessment and which should be deemed ‘high risk’ activities that require consultation with the regulator. Regulators will also introduce guidance on how impact assessments should be carried out and on other documentation requirements such as standard contractual clauses.
Exporting data and the EU-U.S. Privacy Shield
The GDPR rules regarding the export of personal data for processing outside the EU are similar to those under current law.
Under the previous regime, the Safe Harbor scheme was widely used to enable U.S. companies (as well as non-U.S. ones) to import data from the EU into the U.S. in compliance with the law. That scheme was invalidated in 2015 by the Court of Justice of the EU, because it gave broad allowances to interference with personal data by U.S. national security and law enforcement authorities which the EU court judged to be inconsistent with EU legislation.
In July 2016, the U.S. and the EU reached agreement on a new scheme to replace the Safe Harbor, known as the EU-U.S. Privacy Shield. That scheme was put together in response to the decision of the EU court but also with a view to operating under the new GDPR. Its function is similar to that of the Safe Harbor. By participating in the Privacy Shield scheme (which is voluntary) and complying with its rules, companies can ensure compliance with the EU rules relating to the export of personal data from the EU when transferring data from the EU for storage/processing in the U.S.
However, as mentioned above, participating in the Privacy Shield for the purpose of legitimizing the transfer of data from the EU to the U.S. will no longer be the sole compliance concern for U.S. companies. Many companies should consider signing up to the Privacy Shield, particularly if they wish to transfer data regularly from the EU for processing in the U.S. However, most companies that control or process EU data will also be subject to the full gamut of the EU regulatory framework insofar as it concerns the processing of that data, which means they will have to meet broader compliance obligations.
With data privacy increasingly becoming a matter of concern for the general public, the new GDPR also heralds a new level of enforcement across the EU, with significant powers being given to national regulators, including investigatory powers, powers to issue various compliance orders and powers to impose administrative penalties in cases of non-compliance. The maximum level of penalties permitted under the GDPR is meant to attract attention and encourage compliance – regulators will be authorized to impose penalties on non-complying enterprises of up to 4% of the company’s annual turnover or EUR 20 million, whichever is higher.
The maximum level of penalties will undoubtedly be reserved for the most egregious cases. However, even a mere investigation can be hugely disruptive to business, can involve substantial costs and can cause significant reputational damage to a business. Compliance will require some management time and attention and the allocation of some resources, but for many companies ignoring the new EU regulation should not be an option.