For Further Information Contact:

afarr@transatlanticlaw.com

What’s New Under The EU General Data Protection Regulation? Post UK Brexit Vote

The Latest Situation – Updated Post UK Brexit Vote

The EU’s long-awaited General Data Protection Regulation (“GDPR”) will be making some fairly significant changes to the EU legal framework for processing of personal data. The changes will start to apply from May 2018. There is still some time, but we would be well advised to consider now what preparations need to be made – even (despite what some may claim) for businesses in the UK (see section 1 below).

Note that it’s a Regulation, not a Directive. Directives (essentially) need each EU Member State to pass implementing legislation, which gives them some leeway over the ways of achieving the stated goals. Regulations become law and don’t need implementing legislation. So the result should be a more uniform legal framework across the entire EU.

Here we examine some of the principal novelties under the Regulation as follows:

  1. Why after Brexit, the Regulation isn’t academic for UK businesses
  2. “European rules on European soil” – effects on non-EU data controllers and processors
  3. International transfers – a slightly expanded menu
  4. Fines and damages – significant new powers
  5. The new “right to be forgotten”
  6. Security breaches – new notification obligations
  7. Data protection impact assessments
  8. Data protection by design and by default
  9. Who counts as a child and when can they consent to data processing?

1. Why after Brexit, the Regulation isn’t academic for UK businesses

In theory (and some even have claimed this as a potential “benefit” of the UK leaving the EU), the UK would not be subject to the Regulation and could be free to enact any (presumably less restrictive) data protection legislation it wished. In practice, however, there are two compelling reasons why we expect that this will almost certainly not happen:

a) Data processing is a core digital business activity and any post-Brexit framework will need to ensure that data can be easily transferred from EU data controllers to UK data processors or controllers. The principal method of guaranteeing this is legislation that provides an “adequate” or equivalent level of protection as compared with the Regulation (and a European Commission decision acknowledging this) (see section 3 below); and

b) In any event, the Regulation will apply to non-EU data controllers or data processors that process data of people that are in the EU or that do so through one of their establishments in the EU, irrespective of what their home laws require (see section 2 below).

The Regulation starts to apply from May 2018 which, assuming that the UK’s exit process (not yet commenced at the time of writing in July 2016) took the full two year period foreseen by Article 50 of the Treaty on European Union, would mean that the UK would have at least some experience of working under the Regulation. And it seems hard to conceive that a regime similar to the Regulation would not remain in place thereafter so that UK controllers and data businesses can benefit from an adequacy decision.

2. “European rules on European soil” – effects on non-EU data controllers and processors

The Regulation will apply:

a) where the data processor or data controller is in the EU (so far so good); OR

b) the data processing takes place in the context of an establishment of the data processor or data controller in the EU, whether or not the processing takes place in the EU. (Vague? Maybe, but processing “in the context of an establishment” has been retained from the current law and, as interpreted by the European Court, this condition was critical in bringing Google Inc.’s data processing within the scope of EU laws in the ‘Right to be Forgotten’ case); OR

c) if the processor or controller is not in the EU BUT the data subjects (individuals whose data are processed) are in the EU AND the data processing relates to: (i) offering them goods or services; OR (ii) monitoring their behaviour that takes place in the EU. Note that the rules apply when the data subjects are “in” the EU – so not necessarily just citizens or residents.

The Regulation is designed to permit data controllers with multiple EU presences to deal with only one EU national supervisory authority (the “one-stop-shop” principle), where currently enforcement may often be carried out in an uncoordinated way by two or more DPAs. The body in the Member State of the “main establishment” will now be the “lead authority” for supervisory activities. On the other hand, a complaint relating only or “substantially” to another Member State may be investigated by a different authority, subject to a process giving the lead authority the option to take over the proceedings and requiring the other authority to be consulted on the decision taken.

Controllers or processors without any EU presence may find themselves within the scope of EU laws for the first time. And in future this may of course include UK businesses. However, the current law where EU jurisdiction depended in part on the use (except for the purposes of “transit”) of equipment situated in the EU has led to more or less convincing debates around what systems or even user devices located in the EU would trigger this and in which Member State(s). On balance, the additional certainty and simplicity seems welcome.

3. International transfers – a slightly expanded menu

The starting point is that international transfers of personal data outside of the EU/EEA that don’t guarantee “adequate” legal protections are still prohibited.

The European Commission may continue to issue “adequacy decisions” for transfers on the basis that the laws or protections applicable provide a level of protection “essentially equivalent” to that in the EU (a reference to the Court of Justice’s test for adequacy in the Safe Harbor decision). Under the Regulation this mechanism can now be applied not only to a third country but also to a “territory or one or more specified sectors” within a third country, or an international organisation. From prior drafts of the Regulation, we understand that “sectors” could mean e.g. “the private sector” or “specific economic sectors” – presumably based on particular binding rules applicable to such sectors.

Reliance on the EU-US “Privacy Shield”, which from 1 August 2016 enables US organisations to self-certify compliance with similar data protection standards to those in the EU (as a replacement for the invalidated Safe Harbor system), is based on a European Commission adequacy decision. After a “Brexit”, the UK might conceivably join the EEA – but would more likely be expected to seek an adequacy decision.

For transfers not covered by an adequacy decision, we have a range of possible tools that can make the transfer compliant with the Regulation without requiring further authorisation:

  • legally binding and enforceable agreements between public authorities;
  • binding corporate rules: although not the quickest or easiest to put in place, and still requiring approval from the relevant supervisory body, these will now be valid in all Member States (under the Directive there are still a few that don’t recognise them). Also they may be implemented between enterprises “engaged in joint economic activity” and not just within a company group;
  • Model Clauses adopted by the European Commission;
  • Model Clauses adopted by a national supervisory body: the existing EU model clauses will remain valid until expressly revoked. Using the EU model clauses “as is” will not require prior authorisation anywhere in the EU (in certain Member States under the current law they still do);
  • an approved code of conduct binding on the data importer;
  • an approved certification mechanism binding on the data importer.

These last two are new and potentially attractive options: we’ll see whether trade associations for example decide to take advantage of the opportunity for self-regulation.

Finally, as today, non-standard (“ad hoc”) contractual clauses will still be usable but will now expressly require approval by a national supervisory body (which not all Member States had insisted upon currently).

On the other hand, decisions or orders from courts or authorities in third countries will not generally be an acceptable basis for transfers, unless based on an international agreement.

The menu is certainly extensive and should develop over time if new codes of conduct and certifications become available. The only “short order” option remains the model clauses – we’d like to hope that further sets of these could be added e.g. for processor to sub-processor transfers, which at the moment often need to be covered by ad hoc clauses.

4. Fines and damages – significant new powers

If we’re only aware of one thing under the Regulation, then given the media excitement around it, it’s probably the potential fines for breaches of its provisions of up to 4% of our annual worldwide turnover (or, if higher, Euro 20 million).

The main applicable sanctions (more or less from low to high) will be as follows:

a) warnings or reprimands: for minor violations;

b) temporary or permanent limitations or bans on processing;

c) “effective, proportionate and dissuasive” penalties (outside the areas where the Regulation harmonises the fines) which may include criminal liability depending on Member States’ legal systems;

d) lower level fines (of up to Euro 10 million or up to 2% of total worldwide annual turnover): for breaches by a controller or processor of obligations e.g. in relation to:

  • obtaining children’s consent for provision of information society services;
  • notifying a data breach to the supervisory authority;
  • notifying a data breach to data subjects; or
  • designating a data protection officer;

e) higher level fines (of up to Euro 20 million or up to 4% of total worldwide annual turnover): e.g. for:

  • non-compliance with the basic principles for processing, including obtaining consent;
  • breaches of data subjects’ rights;
  • transfers of personal data to a third country or an international organisation without ensuring an adequate level of protection; or
  • non-compliance with orders of the supervisory authority e.g. for temporary or definitive limitations on processing, suspension of data flows, or to provide access.

The “administrative fines” will be imposed by the Member States’ supervisory authorities (or in Denmark and Estonia by the applicable courts). The Regulation sets out a number of aggravating and mitigating factors – including notably whether the breach has been voluntarily notified or not – which should guide the decision on the level of the fine up to the maximum.

Data protection authorities have already had varying powers to issue fines (Spain notably imposed three €300,000 fines on Google for data sharing across services; the UK ICO’s highest fine to date was GBP 350,000 for massive automated cold calling). For the most part these powers have been applied sparingly, though often this has been for reasons of lack of resources, so only very blatant or exemplary cases were pursued. The resources will remain limited. However, public data awareness and activism may make complaints more common, and data breaches will also now need to be made public. So these powers seem unlikely to remain dormant for long. Given the scale of the fines and also the degree of discretion regarding the level on the scale, as well as a potential open door for data controllers to point the finger at data processors and vice versa, it seems inevitable that some of those DPA resources will be spent on legal challenges.

Independently of the actions that supervisory bodies may take, data subjects are expressly given rights to:

  • complain to the relevant supervisory authority;
  • claim in court against a decision or failure to follow up a complaint by a supervisory authority;
  • bring a claim against a controller or processor for breaches of the Regulation; and
  • “receive compensation” for any “material or non-material damage” suffered due to breaches of the Regulation. The data controller will be liable, except where the damage is caused by a processor who has breached the processor’s obligations under the Regulation or has exceeded or breached the controller’s instructions. The relevant actions will be brought in the courts of the establishment of the data controller. It will be for the controller or processor to prove that they weren’t in any way liable for the damage.

5. The new “right to be forgotten”

The “right to be forgotten” under the current law is a misnomer really, but important for search engines in particular that have to remove certain outdated links.

Will we now have a real right to be forgotten? Under the GDPR, when a data subject asks, then generally the relevant data controller will need to erase the data in question. This seems in reality more of an extension of the “right of cancellation” which exists today and which allows data subjects to stop us from continuing to process their data. The GDPR goes further in that if the data has been made public then we need to take reasonable steps to inform other controllers of the request. So this gives the data subject a single point of contact, and we would then need to inform Google and others that they should stop linking to or duplicating the data. There are some exceptions to this, e.g. for freedom of expression (so public figures can’t force us to delete unpalatable news or views) and other legal, public interest, scientific, historical or statistical purposes, but also “for the establishment, exercise or defence of legal claims”, which potentially seems like something of an open door for continuing to retain data for a number of years if we so wished.

6. Security breaches – new notification obligations

Up to now, providers of a public communications service (essentially providers of electronic messaging services) were under a specific legal obligation to notify their local data protection authority within 24 hours of detecting a security breach, and then also data subjects if the breach could adversely affect their privacy or data. The GDPR will oblige any data controller to notify the supervisory authority of serious data breaches within 72 hours. Processors must also notify controllers of breaches they become aware of. Controllers must also communicate high risk breaches to data subjects.

Rather than prescriptive regulations regarding security, a duty to disclose security breaches publicly may actually constitute a greater incentive to take better care of data. At least there will be little room for doubt regarding what to do when a breach occurs. On the other hand, a two tier system may have been created – the GDPR doesn’t repeal or change the Privacy and Electronic Communications Directive or associated regulations so messaging providers may continue to be subject to the more onerous notification provisions.

7. Data protection impact assessments

The GDPR notes that having to notify various data protection authorities that we were processing data “did not in all cases contribute to improving the protection of personal data”. No kidding. Apart from having to report the blatantly obvious (or to work through exemptions of varying complexity and coherence) this may in fact have caused businesses either to believe that with a notification all their data protection work was done, or simply to ignore the entire system due to the perceived costs and burdens of doing even that.

So it’s good to see notifications go. However, there being no such thing as a free lunch, some of us will need to carry out data protection impact assessments and submit them to the local supervisory body for consideration. This will be required when processing, particularly if using “new technologies”, is “likely to result in a high risk for the rights and freedoms of individuals”. We infer that this should really apply only in exceptional cases, but the language here seems to introduce an unfortunate degree of uncertainty. A few examples are given where an impact assessment is needed every time: systematic and extensive evaluation of personal aspects on which decisions with legal effects will be based (credit reference scoring comes to mind), bulk processing of sensitive or criminal records data, or surveillance of a large public area. The GDPR obliges national supervisory bodies to list what must be subject to an impact assessment and permits them to list what won’t be. Although these will be considered under a consistency mechanism, designed to avoid wide discrepancies between Member States, already the “one continent, one law” principle seems undermined. Given the uncertainty, more than usual care may be required until we have the national black (and white) lists, any guidance from supervisory bodies, and case law on where the borderline(s) may lie.

8. Data protection by design and by default

A small – but for the EU quite new-fashioned – section of the Regulation institutes a cardinal principle of data protection by design and by default.

This requires us to consider the protection of data subjects’ rights not only at the time of processing but also at the time of deciding the means of processing. Examples given are data minimization and pseudonymization which should be at least considered at the product development stage (and data controllers would be well advised to document the fact that they were at least so considered).

The seven ‘foundational principles of privacy by design’ developed by the Information & Privacy Commissioner of Ontario seem likely to be influential in the application of this principle.

Data protection by default is perhaps even clearer – where our service can be provided using less rather than more data processing (e.g. fewer data, less processing, shorter storage, more restricted accessibility) then we should ensure that by default it is provided only using what is strictly necessary. Any data processing beyond that will be strictly “opt in”, with particular care needed in relation to user data that is to be made accessible publicly.

On the other hand, these principles are not without limits – the Regulation expressly relates the measures expected to the costs of implementation and the actual risks to privacy, so there may be some flexibility here. Again, if we decide not to adopt a particular measure e.g. we reject an encryption method that is highly effective but disproportionately expensive, then we would do well to document the reasons for this, and also show that periodically we have reconsidered the matter.

While this may have a significant impact on some business models, again we can welcome the increased certainty: for example, debates around whether or not consent boxes should be pre-ticked should be a thing of the past. We should be aware that the principles are likely to be applied in particular in any data protection impact assessments we may be required to undertake. To sum up, not just marketing, management and UX but our product, design, development, QA, customer service (and probably most other) teams could now all benefit from training on the main features of privacy law.

9. Who counts as a child and when can they consent to data processing?

Particularly where personal data processing is based on consent and where fairness depends on the prior notification of various information to the data subject, the position in relation to children’s data has presented a difficult balance. Different EU Member States currently regard children as being able to consent from as young as 12 (UK), 14 (Spain) or require parent/guardian consent for anyone under 16 (The Netherlands) or 18 (France, at least when it comes to photographs, sensitive personal data, or transfers to third parties for marketing purposes).

The Regulation was therefore never likely to set one age for all the EU above which the minor’s consent can be given personally and below which a parent’s/guardian’s consent will be required. For online services (but not preventive or counselling services), what we have is 16 as the default age, while permitting Member States to set a lower age (but not less than 13) if wished.

However, we need to remember that the Regulation doesn’t define what a “child” is or limit the definition to the above – so if we are targeting or have any users that are under 18 then we still need to pay extra attention to the provisions on plain and intelligible language in privacy policies and notices informing users of their rights (surely good practice anyway); and the right to erasure (“right to be forgotten”), where the child is always entitled to require erasure without any other grounds being required.