Agreement on New EU Data Protection Laws Means Bigger Fines and Greater Reach
By Stuart Buglass, VP Consulting
Back in 2012 the European Commission put forward its Data Protection Reform, a vision for a new data privacy regime which would better deal with the digital age and ensure that the same rules are applied across all EU member states.
Anyone who has been tracking the developments of this reform will appreciate that its progress has been delayed by constant negotiations between member states and, most recently, between the executive bodies of the EU — the European Commission (EC), the Council of the European Union (Council), and the European Parliament (EP).
The long-heralded final round of wrangling between the EC, the Council and the EP was concluded yesterday in Strasbourg. It included an agreement on the hard-fought issue of data controller penalties. The final draft of the Reform will go to vote on Thursday at the EU’s Committee on Civil Liberties, Justice and Home Affairs (LIBE). Assuming the Reform passes, it will then be put to a vote by the EP in January.
Europe’s existing data privacy laws are enshrined in the EU Directive 95/46/EC. An EU Directive is not directly applicable; that is, a Directive requires each member state to achieve a result but gives them freedom as to how to get to that result. Consequently, a hotchpotch of data protection laws is in effect across EU member states. In order to create a unified data protection code across the region, the Reform agreed upon yesterday will take the form of an EU Regulation, called in this case the General Data Protection Regulation (GDPR). In contrast to the soon-to-be superseded Directive 95/46/EC, the GDPR will be directly applicable across all EU member states, each of which must apply the same rules.
Let’s take a look at what this all means for businesses operating in the EU.
One Set of Rules
I’ll start with the positive. The implementation of one set of data privacy rules across all member states will represent a big improvement for most multinationals. Operating under one consistent EU-wide Regulation will eliminate the current need to detangle the legal nuances of each jurisdiction of operation. That said, because enforcement and interpretation of the GDPR will remain a matter for local courts, we’ll have to wait and see if consistency can be maintained between member states. In addition, the EU will not appoint a single data protection authority — each member state will continue to have its own regulatory authority.
Potentially Large Fines
The provision on data protection fines has caused the greatest amount of debate in the run-up to the final GDPR draft. Fines for noncompliance of the GDPR are to be levied based on a company’s global gross revenue. The EP wanted a 5% fine for noncompliance, whereas the Council wanted 2%. As a compromise, they agreed yesterday that a breach could result in a fine of up to 4% of the company’s global gross revenue.
Needless to say, this potentially very stiff penalty will raise major concerns in the boardrooms of large multinationals, including US social media giants such as Facebook and Google that have long histories of run-ins with the European courts on data privacy infringements.
Privacy by Design
Data controllers will have a new requirement to categorise data by type. In addition, they will have to ensure that there is an audit trail that records the recipients of data, ensure that time limits are applied to data retention, and provide better data access to data subjects.
Data Processors Have Liabilities Too
Under the current EU Directive 95/46/EC, only data controllers are liable for privacy breaches. Third-party data processors operating on behalf of the data controller do not currently have statutory liability for breaches. Under the GDPR, individuals will be able to sue data processors for damages.
Higher Levels of Consent
The GDPR requires that consent from individuals must be explicit and must be given each time the processing or use of personal data is expanded or changed. This new requirement could have ramifications for businesses that apply ever-changing analytics to their data, which is a common trend in the global march for “big data.” In many cases, the current practice of obtaining a single consent through a checkbox at the point of initial collection will not be enough to comply with the new Regulation.
Individuals will have the right to data portability between providers, so that machine-readable content can be switched between providers. This will provide comfort to data subjects that their data has been extracted in full, with no residual records remaining with the redundant controller.
Storage Is Processing
The GDPR specifically includes the storage of data as an act of data processing. As a result there can be no argument that the act of simply storing personal data in the cloud is outside the law.
Where there is a data breach, the GDPR requires that the supervisory authorities are informed of the following: the nature of the breach; the categories of data involved; the number of data subjects affected; and what measures have been put in place to mitigate the breach. The individuals involved should only be informed after the supervisory authority has been informed.
The Right to be Forgotten
Under the existing Directive, data subjects already have the right to demand that data be deleted when it is no longer required or relevant. Under the GDPR, however, these rights are extended. The GDPR requires that the data controller takes reasonable steps to ensure not just that the initial data collected is deleted from that organisation’s databases, but also that — where data has been shared with third parties — third parties also take steps to ensure the data is deleted. This has potentially huge implications for social media and internet service providers, and those businesses will no doubt require additional guidance on what will constitute “reasonable steps.”
While almost all eyes are laser-focused on the 4%-penalty provision of the GDPR, another factor that may escape comment could have a far greater impact. That is, the GDPR’s extraterritorial reach. The Regulation will apply to all companies that collect data on EU data subjects, and will not require the data controller to be “established in the EU.”
Despite the fact that the primary motivation for replacing the Directive with a Regulation was to create one standard across all EU member states, there are provisions in the GDPR which still provide some freedom to member states. For example, because the member states failed to agree on the age of consent for data processing, the GDPR allows each member state discretion to set the limit between the ages of 13 and 16. This leeway could seriously impact social media businesses, depending on the number of member states which set the limit at the upper end of the range.
It is critical to note that most of the GDPR’s provisions simply reinforce what is already included in the existing Directive. As a result, data controllers that are already compliant with the EU Directive 95/46/EC shouldn’t need to implement too many changes to their policies and practices in order to comply with the GDPR. Having said that, it remains to be seen what benchmark will be required to comply with the GDPR’s provisions related to privacy by design, the right to be forgotten, consent and data breach notification. All of these obligations will have even greater significance under the GDPR, given the potentially huge penalties that could follow a breach.
In closing, it should be said that the biggest impact of the GDPR will surely fall to those organisations that are currently free from EU data protection laws — namely, data processors and those data controllers that are not deemed to be established in the EU. Organisations in those situations will soon find themselves liable for breaches of any EU data they have in their control.
If the final GDPR draft is approved by the EP in January, it will be two years before the Regulation will become law. This should leave affected businesses plenty of time to have further discussions and to put action plans in place. Savvier organizations, however, will not wait long to react to these developments.
For more information about the GDPR and your company's global data protection requirements, watch our webinar.