After four years of drafting and negotiations, the long-awaited EU General Data Protection Regulation (GDPR) was adopted at the EU level on Thursday 14 April. Following the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs’ vote and the EU Parliament sitting in plenary session, the GDPR is now officially EU law and will directly apply in all EU countries, replacing all EU and national data protection legislation.
The GDPR replaces the EU Data Protection Directive 95/46/EC (the ‘Directive’), which was enacted in 1995, and significantly changes the EU’s data protection landscape.
For example, there’s now a broader scope. The GDPR will apply to the data processing activities of a data controller or a data processor established in the EU. In addition, it will apply to data controllers and data processors established outside of the EU where their processing activities relate to the offering of goods and services to individuals in the EU or to the monitoring of EU individuals’ behaviour.
The concept of personal data has changed. Under the GDPR, location data, IP addresses and online identifiers would constitute personal data in most cases as this data could be used to identify individuals, in particular when combined with unique identifiers.
‘Pseudonymisation’ of personal data is considered a security measure used to limit the risk of singling out an individual during any processing procedures. In addition, genetic data and biometric data are recognised as sensitive data requiring extra protection.
The GDPR introduces additional obligations for data controllers, data processors and joint controllers, and imposes direct obligations on data processors for the security of personal data.
Companies will have to implement appropriate privacy policies and robust security measures, perform data protection impact assessments in certain cases and appoint a data protection officer under specific conditions. In addition, both data controllers and data processors will have to maintain records of data processing activities, replacing the existing registration and authorisation obligations with the supervisory authorities.
Data breach notification
The GDPR introduces a general data breach notification requirement that will apply across all industry sectors and require data controllers to notify the competent supervisory authority within 72 hours after becoming aware of any data breach, unless they can provide a reasoned justification for the delay.
If the breach is likely to result in a high risk for the individuals’ rights and freedoms, data controllers also have the obligation to notify individuals of the breach without undue delay.
For those companies active in multiple EU countries, the GDPR will allow them to have a central point of enforcement through the one-stop shop mechanism. The supervisory authority of the main establishment or of the single establishment of the data controller or data processor in the EU will act as the lead supervisory authority, supervising all of their processing activities throughout the EU. This new mechanism will allow data controllers and data processors alike to interact with a single lead data protection authority (the ‘DPA’).
However, other DPAs may have a say for cross-border operations as the GDPR includes significant consistency and co-operation procedures. In addition, each individual supervisory authority will be competent to handle purely local complaints or deal with purely local infringements of the GDPR.
Consent should be a “freely given, specific, informed and unambiguous indication” of the individual’s wish – either by a statement or a clear affirmative action – to agree to the processing of his or her personal data.
The GDPR also provides specific protection in the context of children’s personal data by strengthening the validity conditions of children’s consent. When offering information society services directly to children under the age of 16 – or a lower age provided by EU Member State law which may not be below 13 years – consent should be given or otherwise authorised by the holder of parental responsibility.
The GDPR will strengthen the protection of individuals against any possible negative effects of profiling by providing them with the right not to be subject to automated decision-making (including profiling) which produces legal effects concerning the individual (or significantly affects the individual).
Privacy notices and data transfers
Under the GDPR, data controllers must take appropriate measures to provide individuals with information regarding the processing of their personal data. Information will have to be provided in a concise, transparent, intelligible and easily accessible form.
The GDPR also introduces the use of standardised icons as a valid way of informing individuals.
Further, the GDPR maintains the general prohibition of data transfers to countries outside the EU that do not provide an adequate level of data protection. Consistent with the Schrems decision of the Court of Justice of the European Union, stricter conditions will apply for obtaining an “adequate” status.
EU Model Clauses will remain a valid mechanism for transferring personal data outside the EU. Further, the GDPR explicitly recognises and promotes the use of Binding Corporate Rules as a valid data transfer mechanism. Approved Codes of Conduct may also be used for data transfers.
The GDPR will expand the rights of individuals. It reinforces the existing right to request the erasure of personal data that is no longer necessary by including a ‘right to be forgotten’. It also introduces a right to data portability, allowing individuals to transmit and move personal data concerning them between providers.
Supervisory authorities will be given significantly more powers to enforce compliance with the GDPR, including investigative, corrective, advisory and authorisation powers. In addition, supervisory authorities will have the power to impose administrative fines of up to a maximum of €20 million (or 4% of the data controller’s or data processor’s total worldwide turnover of the preceding financial year, whichever is the higher sum).
The GDPR will apply to all businesses, both in and outside of Europe, that deal with the personal data of EU individuals. The GDPR will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all Member States two years after that date, in the spring of 2018.
Speaking about these developments, Steve Wood (head of policy delivery at the Information Commissioner’s Office) said: “This marks another step towards data protection reform. Many of the principles enshrined in the new legislation are much the same as those in the current law, but there are important new elements, and some things will need to be done differently. The GDPR will enhance the data protection rights of individuals and make organisations more accountable. The legislation will have a two-year transition period during which time organisations will be able to make those changes.”
Wood added: “Of course, the Information Commissioner’s Office will be here to support such work. Our work around implementing the reforms has already started in earnest, particularly so on identifying the key areas on which we’ll focus our guidance. There’s still plenty of work to do in order to make sure the UK is ready for the reforms in 2018.”