Who: The European Parliament and the Council of the European Union
Where: Brussels
When: 15 December 2015
Law stated as at: 18 January 2016
What happened:
Nearly four years on from the first proposals for a new European data protection framework, informal agreement was announced on a draft General Data Protection Regulation (“GDPR”) to supersede Directive 95/46/EC.
Backed by the Committee on Civil Liberties and hopefully to be passed in plenary session of the European Parliament in Spring 2016 with limited further revisions, the “compromise draft” was hailed by the Luxembourg Presidency of the Council as a historic agreement and came a little out of the blue as an early Christmas present for Europe’s data protection community.
The two year lead-in period means the measure will come into force in 2018.
Here are some of the key changes in twenty bite-sized bullets (the Article numbers may of course change in the final signed-off measure, as may some of the changes themselves, but one suspects –and hopes-not too much at this stage):
- expanded definition of “personal data” includes “location data” and “online identifiers” if it is possible to directly or indirectly identify a natural person from these (Article 4);
- higher level of consent required-now it must be “unambiguous” in all cases in contrast with the current position, which is that consent only needs to be unambiguous where the data controller relies on consent as the basis for processing instead of, for example, the “legitimate interests” basis (Article 4);
- 72 hours to notify the authorities of cyber breaches and also notify data subjects if they are at serious risk (Article 31);
- fines for breaches to increase to, in some cases, a maximum of the greater of 4% of annual worldwide turnover or €20m (Article 79);
- these penalties will for the first time apply to data processors as well as to data controllers, but not in all cases. Processors need to check each obligation in the Regulation to see whether it applies to them;
- applies to non-EU businesses “monitoring” or “offering goods or services” to EU residents (Article 3);
- new obligation to appoint a Data Protection Officer imposed on controllers and processors whose “core activities”, whatever their size, involve regular and systematic monitoring of data subjects on a large scale (Article 35);
- new one-stop shop regime whereby data controllers or processors with establishments in more than one Member State will be able to deal primarily with their “lead authority.” This will be the national data protection authority of the EU state where their “main establishment” is located (Article 51);
- in place of the current Directive’s reticence on the point, parental consent will be needed for all processing of personal data of children under 16 unless an individual member state reduces this to their under 13s (Article 8);
- where personal data processing, such as for direct marketing, including profiling, is based not on the individual’s consent but for instance on the “legitimate interests” ground, data subjects have the right to object to this at any time. This right must be explicitly brought to the individual’s attention by the data controller when their personal data is first collected and be clearly and separately stated (Article 19);
- when assessing whether consent is freely given, “utmost account” shall be taken of whether the performance of a contract, including the provision of a service (such as, one imagines, the right to enter a prize draw) is made conditional on consent to processing of personal data that is not necessary for the performance of the contract-the clear implication here is that if this is the case, the consent will be held invalid (Article 7);
- all data controllers and data processors must, unless (1) they have less than 250 employees (2) their personal data processing is not of “special categories” of data (similar to “sensitive personal data” as defined by the UK Data Protection Act 1998) (“Special Categories”) (3) the processing is only “occasional” and (4) the processing is not likely to result in a risk to the rights and freedoms of the data subject, keep records of prescribed aspects of their data processing and provide these on demand to their relevant data protection authority (Article 27);
- a new right of data portability will allow individuals to move their personal data from one service provider to another in a prescribed, user friendly format (Article 18);
- on profiling, Article 20 gives data subjects the right not to be subject to decisions made solely on the basis of automated processing, including profiling, where these either produce “legal effects” concerning the data subject or “similarly significantly affect” the data subject. This right can only be disapplied by (1) the data subject’s explicit consent (2) if the processing is necessary for the entry into or performance of a contract between the data subject and data controller or (3) individual member states make specific rules allowing it but safeguarding individuals’ rights and freedoms. Data controllers must bring the existence of automated decision making, including profiling, to the attention of the data subject when their data is first captured plus, “meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for that data subject”-data subjects also have a new, specific right to object to such profiling;
- a new potential form of class action right is prefigured by Article 76, which deals with “Representation of data subjects” and gives data subjects the right to authorise non-profit bodies, organisations or associations to lodge complaints on their behalf with national supervisory authorities about third parties’ breaches of the GDPR and seek judicial remedies on their behalf, including compensation if the relevant member state’s laws allow this;
- a new basis for compliant transfers of personal data out of the EEA to third countries whose data protection laws are not recognised by the EC as being adequate is created by the Codes of Conduct and Certification” Article 38. It lays down that associations representing categories of controllers or processors (such as for example marketers and marketing agencies) may prepare, for approval by their national supervisory authority, codes of conduct which specify the application of listed GDPR provisions including the transfer of personal data to third countries. If data controllers or processors in third countries give binding commitments to comply with these, this could, if specified authorisation procedures are followed, provide a new basis for compliant ex EEA transfers;
- Article 25 provides that all data controllers and data processors who are not established in the EU but either monitor the behaviour of data subjects who are in the European Union or offer them goods or services must, if they are processing the personal data of those individuals, both comply with the GDPR and designate in writing a representative in the EU. The representative must be authorised by the controller or processor to be contacted in addition to or instead of the controller or processor by data subjects or national data protection authorities on all issues relating to relevant personal data processing. There are exceptions; these are virtually the same as those for record keeping summarised at #12 above;
- new compulsory “privacy by design,” “privacy by default” and “data protection impact assessment ” (“DPIA”) procedures are introduced in a range of specified circumstances. These include at Article 33 obligations on data controllers to conduct DPIAs when new technologies are to be used and are likely to result in high risk to the rights and freedoms of data subjects, in particular where they involve (1) “systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing including profiling on which decisions are made significantly affecting individuals” (2) processing on a large scale of Special Categories of personal data or (3) systematic monitoring of a publicly accessible area on a large scale (for instance, one imagines, social media platforms);
- more extensive obligations regarding the provisions to be included and the areas to be covered in data controller/data processor agreements (Article 26);
- a formalisation of the “right to be forgotten” (now apparently the “Right to erasure“) established by the Google Spain/Gonzalez judgment in ECJ Case C-131/12 (Article 17).
Why this matters
This is by no means all of the material changes, but for marketers using big data, adtech and programmatic techniques for example, particular heed needs to be taken, and now, of the provisions around consent and profiling since once the new law comes into force it is very unlikely that there will be any saving for databases constructed under the existing Directive’s rules.