18 Dec 2015
Final text agreed for the EU General Data Protection Regulation
On 15 December 2015, nearly four years after publication of the first draft, the text of the EU General Data Protection Regulation (the "Regulation") was agreed by the main institutions of the European Union. The Regulation constitutes a radical overhaul of Europe's data protection laws and will replace the existing Directive and all national implementing laws, including the UK Data Protection Act 1998. The text, approved by the EU Parliament's LIBE Committee in a vote on Thursday 17 December, will now be put to the full European Parliament for formal approval in the first half of 2016. The Regulation will then apply, with direct effect, two years after its publication.
We have outlined below in general terms some of the key aspects of the Regulation.
Administrative fines – Article 79
Fines are greatly increased from the current regime, with two tiers of maximum administrative fine: (i) the higher of EUR 10,000,000 or 2% of an undertaking's total worldwide annual turnover for the preceding financial year, or (ii) the higher of EUR 20,000,000 or 4% of that turnover.
The higher tier applies to the most serious breaches. These include breaches of the basic principles for processing (including the conditions for consent and lawfulness), of the rules on special categories of data, of data subjects' rights and of the provisions relating to international transfers.
Lawfulness and consent – Articles 6, 7 and 8
Many of the existing grounds for lawful processing remain, including processing necessary for the controller's "legitimate interests" (a ground missing from some earlier drafts), but the conditions for relying on them are tightened. In particular, consent must be given for one or more specified purposes, and the Regulation makes explicit that consent may be withdrawn at any time and that withdrawal must be as easy as giving consent. Where consent is given in a written declaration that also concerns other matters, the request for consent must be clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Consent must also be demonstrable: the burden of showing that the data subject has consented lies with the controller.
There is now a specific provision on consent to the processing of a child's personal data in connection with information society services (which include many mobile applications and online services). Where such a service is offered directly to a child below the age of 16, consent must be given or authorised by the holder of parental responsibility over the child, and the controller must make reasonable efforts to verify that this is the case. Member States may set a lower age by national law, provided it is not below 13. This provision has attracted much comment, with concerns about how workable it is in practice.
Transparency – Articles 12 and 14
The level of detail that must be given to the data subject on collection of their data is extended, which will affect the content of privacy policies and terms and conditions. The information the data controller must provide includes the identity of the controller, the purposes and legal basis for the processing, the recipients of the data, information about international transfers, the rights to request access to and rectification or erasure of personal data, the right to data portability and the right to lodge a complaint with a supervisory authority. All of this information must be given in a transparent and intelligible way.
Data Subject rights – Articles 15, 17 and 18
Subject Access Requests
Existing principles permitting access to personal data are largely retained, but the time period for dealing with a subject access request has (from a UK perspective) been reduced from 40 days to one month, extendable by a further two months where requests are complex or numerous, and the first copy of the data must be provided free of charge; a reasonable administrative fee may be charged only for further copies.
There is a new right of "portability". Where processing is based on consent or on a contract and is carried out by automated means, the data subject has the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit those data to another data controller. Where technically feasible, the data subject may require the data controller to transmit the data directly to the new controller. The Regulation does not, however, require controllers to adopt interoperable formats.
Right to be forgotten
The much discussed right to erasure, or "right to be forgotten", is included, although it largely reflects existing law as espoused by the CJEU in Google Spain v AEPD: data subjects may require the erasure of their personal data when there is no longer a valid basis for processing them. A controller that has made the data public must also take reasonable steps to inform other controllers processing the data that erasure has been requested.
Profiling – Article 20
A data subject will have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. There are various exceptions, including where the decision is necessary for entering into or performing a contract, is authorised by EU or Member State law to which the data controller is subject, or is based on the data subject's explicit consent. Even where an exception applies, the data subject must be able to obtain human intervention, express his or her point of view and contest the decision, and the exceptions are further restricted where the decision is based on "special categories" of personal data (what is known as sensitive data).
Security of Processing – Article 30
Existing principles requiring appropriate technical and organisational measures are fleshed out with specific obligations to implement, where appropriate, pseudonymisation and encryption of personal data; measures to ensure the confidentiality, integrity, availability and resilience of systems processing personal data; the ability to restore availability and access to data in a timely manner after an incident; and a process for regularly testing the effectiveness of such measures. Note that these provisions, along with certain others, apply directly to processors as well as to controllers of personal data, which will affect the contractual provisions in outsourcing and other services agreements.
Breach notifications – Articles 31 and 32
Notification to supervisory authority
Data controllers are required to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; a notification made later than 72 hours must be accompanied by the reasons for the delay. Processors must notify the data controller without undue delay of any breach.
Notification to data subject
Data controllers are required to notify the data subject without undue delay where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals. Notification to data subjects is not required where, for example, the data were protected by measures such as encryption that render them unintelligible to anyone not authorised to access them.
Impact Assessments and Prior Consultation – Articles 33 and 34
Existing good-practice privacy-enhancing techniques such as privacy impact assessments are now explicitly baked into the legislation. In particular, a data controller must carry out a data protection impact assessment before conducting processing that is likely to result in a high risk to individuals. It is anticipated that the supervisory authorities will publish lists of the types of processing operations that require an impact assessment.
Where an impact assessment indicates a high risk that the data controller cannot mitigate, the data controller must consult the supervisory authority before processing. Following consultation the supervisory authority may use any of its powers under Article 53, which include a ban on processing. There is a time limit of eight weeks for consultation, subject to an extension of a further six weeks.
Data protection officers – Article 35
Both controllers and processors must designate a data protection officer where (a) the processing is carried out by a public authority or body, (b) their core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or (c) their core activities consist of processing on a large scale of "special categories" of data under Article 9 or of data relating to criminal convictions. The authors anticipate that most medium to large organisations will be required to appoint a data protection officer.
Transfers – Articles 41-44
Provision is made for transfers based on a Commission finding of adequacy, as is currently the case under the Directive. Adequacy decisions made under the Directive continue to have effect but will be subject to review, which may result in the reversal of previous findings of adequacy in respect of certain countries. Existing transfer mechanisms such as binding corporate rules and model clauses adopted by the Commission or by a supervisory authority (and approved by the Commission) continue to be valid. Alternatively, approved codes of conduct or other approved certification mechanisms can be used. Most notably, Article 43a, which was much lobbied against by international companies in previous drafts, prohibits the transfer of personal data required by a third-country court decision or administrative authority unless the transfer is compliant with a mutual legal assistance treaty or another international agreement. This could lead to significant conflict-of-law issues in multi-jurisdictional proceedings or enforcement actions.
Although the text is in agreed form, it must still be formally approved in a vote of the EU Parliament early in 2016. The Regulation will apply two years after its publication in the Official Journal of the European Union, i.e. from 2018. Although the law will have direct effect (meaning that it need not be implemented as a whole by national legislation), certain provisions will require subsidiary and implementing legislation to take effect. Nonetheless, the Regulation will represent a broadly harmonised set of data protection laws across Europe for the first time, and organisations should start thinking now about the steps they need to take to prepare for its implementation.