Preview of the New EU General Data Protection Regulation

Written by: Richard Sheinis, Esq.

Last week I posted a short blog to let everyone know that a consolidated text of the new EU General Data Protection Regulation (“GDPR”) was released by the European Parliament, and the Council of the European Union.  Now it is time to give you a more in depth look at the GDPR.

Although the GDPR is not a done deal, it is pretty close.  All that is left is to translate it into the various EU languages, and finalize the official publication.  It is expected that this should occur in the first quarter of 2016.  The GDPR would then become effective in 2018.  This would give everyone a two (2) year grace period to get ready, and get in compliance.

It should be noted that the GDPR is a Regulation, not a Directive like the current Data Protection Directive.  The Regulation seeks to harmonize the treatment of data in EU member states, and removes a large amount of the discretion for member states to decide how the privacy and security of personal information is treated.  That being said, the Regulation still provides for member state discretion in specific areas, such as the minimum age of a data subject to give valid consent.

A theme in the GDPR seems to be putting data subjects more in charge of their data.  There are specific provisions regarding data subjects’ right to access their personal information, right to rectify, and the right to erasure, a/k/a the right to be forgotten.  The bar for showing valid consent is high, and data subjects must be able to withdraw consent without penalty.

Let’s get to some of the specifics:

The Regulation focuses on the personal data of data subjects in the EU, regardless of the location of the data controller, or processor.  The Regulation will apply if the controller or processor is not located in the EU, but the data processing is related to the offering of goods or services in the EU.  This does not mean that simply because a person  in the EU buys a product through the website of a U.S. company, that the U.S. company is subject to the Regulation.  Mere accessibility of a website is not enough.  The focus is on whether the website is directed toward persons in the EU based on the monetary unit used on the website, or translating the website into an EU language different than the language where the website originates.

The use of “information society services”, a/k/a social media websites and applications, by a child under 16 must be accompanied by the consent of a person with parental authority over the child.  The controller must make reasonable efforts to verify the parental consent.  This is an area in which the Regulation provides discretion to member states, as each member can lower the age of required parental consent to 13, 14, or 15 years of age.

The Regulation prohibits the processing of personal data revealing social or ethnic origin, political opinions, religions or philosophical beliefs, trade union membership, and the processing of genetic data, or biometric data in order to uniquely identify a person, or data concerning health, sex life and sexual orientation, unless one of the specific, enumerated exceptions applies.

In accordance with the theme of providing data subjects with more control over their data, at the time of collection the controller must provide the data subject with the following information:

• ID and contact details of the controller
• Purpose and legal basis for processing
• Recipients of the data
• Any transfer of data to a 3rd country
• Period for which data will be stored
• Existence of right to request access to the data
• Right to rectification
• Right to erasure (“Right to be forgotten”)
• Right to restrict processing
• Right of data portability
• Right to withdraw consent
• Right to lodge a complaint with a supervising authority

Of particular note of the rights listed above is the “right to be forgotten.”  The Regulation states, in part, that the controller shall erase personal data without undue delay in certain circumstances including when:

• The data is no longer necessary for the purpose for which it was collected
• The data subject withdraws consent on which the processing is based
• The data has ben unlawfully processed

Companies outside the EU should be aware of the requirement that if they are a data controller or processor, they must designate a representative in the EU.  A data protection officer must be appointed if the processing requires regular and systematic monitoring of data subjects on a large scale.  A single data protection officer can serve more than one processing operation.

The Regulation contains an “anti-profiling” provision.  It states that a data subject has the right not to be subject to a decision based solely on “automated processing, including profiling, which causes a legal effect concerning him or her.”

There is also a security element to the Regulation.  Controllers and processors are required to implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk.

The Regulation contains breach notification requirements.  When a controller becomes aware of a data breach, within 72 hours, where feasible, the controller must notify the supervising authority unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.  If the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data subject must also be notified without “unreasonable delay.”

If the type of data processing is likely to result in a high risk to the rights and freedoms of individuals, prior to the processing the controller must perform an assessment of the impact of the processing operations on the protection of persona information.  Supervising authorities must create a list of the kind of processing operations that require an impact assessment.

What would a new Regulation be without addressing transfer of personal data to third countries?  The transfer to a third country may take place if the Commission has decided that the third country or specified sectors within that country, ensures an adequate level of data protection.  The Regulation sets out factors for the Commission to consider when deciding if a country is “safe.”  The Regulation also allows for the transfer if other safeguards are in place, such as binding corporate rules, or other data protection clauses adopted by the Commission.

Aggrieved data subjects have the right to receive compensation from the controller or processor for damages suffered as a result of a violation of the Regulation.  A controller or processor is not liable “if it proves that it is not in any way responsible for the event giving rise to the damage.”    The tables apparently are flipped in that it is up to the allegedly liable party to prove non-liability, rather than the person seeking compensation having to prove they are entitled to compensation.  On a related note, what in the heck kind of standard of proof is “not in any way responsible”?  That is a new standard of proof I have not seen before.

Lastly, supervisory authorities are to impose fines for violations of the Regulation.  Fines can be up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.  Maybe not right off the bat, but at some point, a supervising authority will flex its enforcement muscles and impose a fine with a “B” in front of it, as in Billions!

Please feel free to contact me if you have any questions, you want a copy of the 204 page Regulation, or you want to discuss how the Regulation might affect your company.