Think back to 1995. The world was a very different place. The internet was not the pervasive phenomenon it is today: social networking services such as Facebook didn't exist, Amazon was less than a year old and Google wasn't incorporated until 1998. Smartphones (Apple and Android) hadn't been invented, and networks were mostly of the local area variety, where Novell NetWare was king and WordPerfect Office had just morphed into GroupWise v4! In fact only 1% of European citizens had internet access at that time, and most corporate communications ran over costly leased lines.
It was in these circumstances that the European Union (EU) introduced its first data protection directive, on which member states were to base their own legislation. Some countries already had regulations in place, but the EU directive extended their role. For example, the UK's Data Protection Registrar was established in the mid-1980s, but it was the 1998 UK Data Protection Act that fully implemented the EU Directive.
The General Data Protection Regulation
Over the last 20 years there have been huge developments and innovations, and the press has been full of stories of data breaches, losses and the inadvertent disclosure of personal information. Much of the damage has come from people losing USB data sticks (the USB specification wasn't released until 1996) and from network intrusions.
At the same time the EU has gained new member states and the heterogeneous nature of data protection laws and their operation has created issues in what is now a global data environment. It is increasingly difficult for consumers to know where their data is being stored and how and which law (if any) applies.
Consequently the EU published updated data protection proposals in 2012, and after modifications the new General Data Protection Regulation (GDPR) was finally approved by the Council of the European Union and, on 14 April 2016, by the European Parliament. There is now a two-year 'acclimatisation' period before the rules contained in the Regulation become enforceable. So watch out in 2018!
The new Regulation is a complex and detailed piece of work. The aim of this article is to highlight some of the major changes and implications of the new ways of thinking about data protection. All businesses will be impacted, but one of the changes will make it easier for businesses operating across national boundaries to comply as they will only have to work with one national data protection office rather than many – but I’m getting ahead of myself.
The first point to realise is that the new rules are contained in a Regulation and not a Directive. Directives have to be transposed into law by each EU member state, which often leads to local differences of emphasis. A Regulation is proposed by the European Commission and adopted by the European Parliament and the Council of Ministers, and it is directly applicable: it goes straight onto the statute book of every member state and is the same in each of them.
That the EU has only taken 4 years of discussion to reach this point indicates the desire to harmonise highly complex data protection laws and the need for updated checks and controls. One of the aims of the regulation is to create a Digital Single Market within the EU.
The GDPR applies to any organisation offering goods or services (free or paid) to individuals in the European Union, or monitoring their behaviour there, wherever that organisation is located; note that it is residence in the EU, not citizenship, that matters. All such companies are now responsible for compliance if they process the personal data of people in the EU. This is a major change and extends the footprint of EU data protection. Today European companies have to adhere to stricter standards than companies established outside the EU that also do business in the 'Single Market'.
With the reforms companies based outside of Europe will have to apply the same rules when they offer goods or services on the EU market. This creates a level playing field. [2,3]
Coupled with punitive fines for organisations responsible for data mismanagement, it means that companies will have to take data protection even more seriously than at present. For serious breaches, fines of up to €20M or 4% of global annual turnover, whichever is higher, may be levied. Less serious breaches may attract fines of up to €10M or 2% of global annual turnover, again whichever is higher.
Under the new Regulation a breach must be notified to the supervisory authority within 72 hours of the data controller becoming aware of it, unless the controller can demonstrate that the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they too must be notified without undue delay. The process is made easier for organisations in that they will now only have to deal with one of the EU's 28 national data protection (DP) agencies.
For example, a UK-based company with operations in 10 EU countries would previously have had to notify and work with 11 different national DP agencies. Under the new Regulation that company would deal with just one, presumably the UK Information Commissioner's Office (ICO) in this example, which will coordinate with the other agencies. This 'one stop shop' is considered to be a major step in harmonising the laws.
Data Protection by Design
This will become an essential principle. It will incentivise businesses to innovate and develop new ideas, methods, and technologies for security and protection of personal data. Used in conjunction with data protection impact assessments, businesses will have effective tools to create technological and organisational solutions. 
The Regulation promotes techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption to protect personal data. The distinction matters: truly anonymised data, from which an individual can no longer be identified, falls outside the Regulation altogether, whereas pseudonymised data is still personal data, because the controller (or anyone else holding the key or mapping) can re-identify the subject. This will encourage the use of 'big data' analytics, which can be done using anonymised or pseudonymised data.
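As an added illustration (example code written for this edit, not part of the original article and not taken from the Regulation, which defines pseudonymisation but prescribes no particular technique), the Python below pseudonymises a small constructed set of records with an HMAC under a secret key, anonymises the same records by stripping direct identifiers and coarsening the postcode, and shows why an unkeyed hash of an identifier is not meaningful pseudonymisation: an attacker who can guess the identifier space simply recomputes the hash for every candidate. The records, field names and phone numbers are constructed (the numbers use the Ofcom-reserved 07700 900xxx range, so they belong to nobody).

```python
"""Worked example: anonymisation, keyed pseudonymisation and a naive hash.

All records below are constructed for this example; the phone numbers use the
Ofcom-reserved 07700 900000-900999 range, so they cannot belong to anyone.
"""
import hashlib
import hmac
import secrets

RECORDS = [
    {"name": "A. Example", "phone": "07700900123", "postcode": "SW1A 1AA", "condition": "asthma"},
    {"name": "B. Example", "phone": "07700900456", "postcode": "M1 1AE", "condition": "diabetes"},
    {"name": "C. Example", "phone": "07700900789", "postcode": "SW1A 2AA", "condition": "asthma"},
]

# Fields that identify a person directly; "postcode" is a quasi-identifier.
DIRECT_IDENTIFIERS = ("name", "phone")


def anonymise(record):
    """Drop direct identifiers and coarsen the postcode to its outward code.

    Nothing is kept that links back to the individual, so there is no way
    (and no key) to re-identify them from the output.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["postcode_area"] = out.pop("postcode").split()[0]
    return out


def naive_token(phone):
    """Unkeyed SHA-256 of the identifier. Looks opaque, but anyone can
    recompute it for every candidate phone number (see reidentify)."""
    return hashlib.sha256(phone.encode()).hexdigest()


def keyed_token(phone, key):
    """HMAC-SHA256 under a secret key held only by the controller.

    The same phone always maps to the same token, so records stay linkable
    for analytics, but without the key a candidate cannot be checked."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


def pseudonymise(record, key):
    """Replace the direct identifiers with a keyed artificial identifier."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = keyed_token(record["phone"], key)
    return out


def candidate_phones():
    """An attacker's guess at the identifier space: the 1,000-number block."""
    return (f"07700900{i:03d}" for i in range(1000))


def reidentify(token, candidates, token_fn):
    """Dictionary attack: recompute the token for each candidate and compare.
    Returns the matching identifier, or None if no candidate matches."""
    for candidate in candidates:
        if token_fn(candidate) == token:
            return candidate
    return None


def demo():
    """Run the dictionary attack against both token types and return the outcome."""
    key = secrets.token_bytes(32)          # controller's secret, never shared
    phone = RECORDS[0]["phone"]
    naive = naive_token(phone)
    keyed = keyed_token(phone, key)
    # The attacker does not have the controller's key; the best they can do
    # is guess one, which yields unrelated tokens.
    attacker_key = b"guessed-key"
    return {
        "naive_recovered": reidentify(naive, candidate_phones(), naive_token),
        "keyed_recovered": reidentify(
            keyed, candidate_phones(), lambda p: keyed_token(p, attacker_key)
        ),
        "anonymised": anonymise(RECORDS[0]),
        "pseudonymised": pseudonymise(RECORDS[0], key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the naive token is reversed almost instantly, while the HMAC token resists the same dictionary attack. Anyone holding the controller's key, however, can run exactly the same loop and succeed, which is precisely why pseudonymised data remains personal data under the Regulation and why the key must be kept separately from the pseudonymised dataset.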
Controllers and Processors
According to the Regulation in future it is the responsibility of Data Controllers to only engage with processors that provide “sufficient guarantees to implement appropriate technical and organisational measures”. They both have to “implement appropriate technical and organisational measures” while taking into account:
- The costs of implementation
- Risks to individuals caused by a breach
- Scope and purpose for holding the data
Both controllers and processors need to consider the use of pseudonymisation and encryption, and the ability to restore the availability of and access to personal data in the event of an incident. Article 32 also calls for a process for regularly testing and evaluating the effectiveness of the security measures in place. Needless to say, the Regulation also expects data controllers and processors to maintain records of all their processing of personal data.
It’s likely that most organisations will need to appoint Data protection Officers, and with the scale of obligations and fines it is likely that such roles will have a high level of independence and report directly to the main board rather than through, say, the CIO.
In fact all public authorities must appoint a Data Protection Officer, if they have not already done so, as must organisations whose core activities involve 'regular and systematic monitoring of data subjects on a large scale' or large-scale processing of 'special categories of personal data'.
The data controller must be able to demonstrate that they have received the consent from ‘data subjects’ to store and process their personal information. The consent must be freely given in an unambiguous statement or action. Methods of consent that already exist are still valid provided they meet the new conditions.
Where personal data is used for direct marketing the data subject has the right to object, and this right must be brought explicitly to their attention. 'Silence, pre-ticked boxes or inactivity should not therefore constitute consent', the Regulation states. Further, consent must be given separately for each distinct purpose of processing; a blanket consent will not be adequate.
Sensitive personal data includes: racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, data concerning health or sexual orientation, genetic data and biometric data that uniquely identifies a person.
Article 9 prohibits the processing of these special categories of data, and Article 9(2) sets out the circumstances in which the prohibition does not apply. This builds on the provisions of the previous data protection directive. However, the processing of photographic images will not automatically be considered sensitive processing (as it is in some EU states currently). Photographs will be covered only to the extent that they are processed by technical means allowing the unique identification or authentication of an individual as a biometric (e.g. a passport photograph). EU member states can extend the law in circumstances of 'public interest', e.g. health initiatives.
Subject Access and Portability
When requested, the Regulation states, data controllers must confirm whether they process an individual's personal data and provide a copy of the data, in a commonly used electronic format if the request was made electronically. The data controller cannot charge for providing this information (a change from the current law in the UK) and must comply 'without undue delay' and 'at the latest within one month'.
It has been noted that this provision should improve the transfer of information/data to different services (e.g. social media) at the request of the subject owner as data controllers may be instructed to transmit the data directly to another controller. This could have major implications for public services.
For the first time the protection of children is specified in DP legislation. The introduction to the GDPR states: ‘Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. This concerns especially the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of child data when using services offered directly to a child.’
Consequently Article 8 requires that, where an online service offered directly to a child relies on consent, the consent of a parent or guardian must be obtained for anyone under 16. Member states are allowed to lower this age threshold where appropriate, but not below 13. How this will operate and be enforced in practice we must wait and see.
Erasure, or the 'right to be forgotten', is now incorporated in the Regulation. Following the test cases of the last few years, in which search engine operators (e.g. Google) lost court cases in the EU and had to implement processes that remove, on request, specific individuals or references to them from search results, this concept is now enshrined in the GDPR. While this can appear to 're-write history', it does remove any prejudice that may arise from incorrect information being reported about specific individuals.
The transfer of data to countries outside of the EU (more accurately EEA (European Economic Area) members) continues to be restricted, which continues to be an issue for any multi-national organisation. The main improvement is that the requirement for transfers to be notified to or approved by data protection authorities is abolished.
Instead the Commission will have the power to determine whether countries, regions or organisations offer an adequate level of data protection for transfers to be allowed. Countries currently recognised as adequate include Argentina, Canada, Switzerland, Israel, Uruguay and New Zealand. Changes will be published in the EU Official Journal. You will notice that the USA is not on the list: the previous 'Safe Harbour' scheme is no longer valid and a replacement is still to be agreed.
The GDPR defines the criteria that the Commission should consider, stressing the need that the third country offers levels of protection that are “essentially equivalent to that guaranteed in the Union” and providing data subjects with the same rights.
The Commission will also consult the new European Data Protection Board (EDPB), which replaces the Article 29 Working Party. The Board brings together the national supervisory authorities in a new organisation that has the status of an EU body and extensive powers to determine disputes between national supervisory authorities, to give advice and to approve EU-wide codes and certification schemes. Each member state will be represented on the Board.
Binding Corporate Rules (BCRs) are internal rules adopted by multi-national companies that define policy on the transfer of personal data within their organisation. The GDPR recognises BCRs for controllers and processors as the method of legitimising intra-group international data transfers. The BCRs must be legally binding and apply to every member of the group of enterprises, including their staff.
BCRs have to be drafted and submitted to the chosen lead DPA, which reviews them for compliance. The lead DPA then initiates the EU cooperation procedure by circulating the BCRs to the DPAs in the relevant countries, which have one month to consider and recognise them. Finally, when the BCRs are considered final by all the DPAs, the company concerned may request authorisation of its data transfers.
Effective in 2018
The GDPR is one of the largest and most detailed regulations ever agreed in the EU. As this short review shows, it seeks to resolve the current issues around the use and misuse of personal data. It introduces many new checks and balances while streamlining the processes across the EU. It will require all businesses to review and enhance their DP policies and working practices.
However the Regulation will not apply until 25 May 2018, which gives businesses time to implement the changes and rethink their requirement for, and use of, personal data.
- Allen & Overy LLP, The EU General Data Protection Regulation is finally agreed, 2016.
- Bird & Bird, Guide to the General Data Protection Regulation, February 2016.
This article was first published in OHM, Issue 33, 2016/2, p24-27