The General Data Protection Regulation
(excerpt from the Association of Corporate Counsel, Docket, March 2016)
Very little occurring in global commerce nowadays seems to be getting more visibility or having more impact than what is occurring in the European Union (EU) with data protection laws and regulations. (If you want to know more about the historical European approach to data protection and why it matters, see my previous ACCDocket.com column.) This article takes a closer look at the General Data Protection Regulation (GDPR),[i] which is proposed to replace the web of regulations currently under the Directive 95/46/EC.
The EU has engaged in an effort to modernize and harmonize its data protection regime. Since the GDPR was proposed in January 2012, there has been much debate and many proposed amendments. However, in December 2015, the negotiating trilogue reached an agreement on the text and expects formal adoption by the European Parliament and Council this year (2016). It will then take two years for the GDPR to take effect.
Jan Albrecht, the German MEP leading the European Parliament’s negotiations on the GDPR, even tweeted this of the negotiators.
What can we expect to see out of the GDPR?
First, companies need to understand where the GDPR applies. It applies to the processing of personal data, which can be very broad indeed and applies to any entities offering goods or services to or monitoring the behavior of EU individuals (data subjects). It appears to be irrelevant whether the actual data processing occurs within the EU. Thus, not only is the definition of personal data incredibly broad by including unique identifiers (online identifiers, mobile device IDs, IP addresses, and location data), pseudonymous data (although perhaps with less onerous requirements), and genetic and biometric data (face prints, retinal scans, etc.), but now the EU’s reach will be broader and include entities outside the EU who use processors inside the EU. Much like the Health Information Technology for Economic and Clinical Health (HITECH) Act in the United States brought Business Associates under HIPAA (Health Insurance Portability and Accountability Act) under the direct supervision of the Office for Civil Rights, the GDPR will now bring processors under the direct supervision of the EU authorities. This is a vast change from the current expectations in which processors are obligated contractually to controllers.
In particular, the monitoring of behavior will impact data analytics. The GDPR currently states that whether data subjects’ behavior is being monitored can be ascertained by determining whether individuals are tracked online using processing techniques that create, or can lead to creating, a profile of those individuals, especially if that profile is then used to analyze or predict personal preferences, attitudes, and/or behaviors. This is likely to curtail considerably targeted behavioral advertising and other analytics, which is a lucrative market.
Key changes under the GDPR
The GDPR will impose tighter requirements in many areas, yet will also loosen some burdens in other areas. For example, more emphasis will be placed on consent, but the GDPR removes the requirement for data controllers to register with or notify data protection authorities. Consent has long been an interesting concept, as consent typically has to be freely given with the understanding that it can later be revoked. This is quite controversial when the data subject is an employee of an entity outside the EU and, in theory, must consent to the transfer of data out of the EU in order to be paid. That is not really freely given consent.
Under the new GDPR, consent should always be “explicit, freely given, specific and informed.” Additionally, the validity of consent can be questioned if there is an imbalance of positions between a company and an individual. Companies may be required to show that they obtained explicit consent, which could be quite an administrative and technical burden. There is still the possibility of a more forgiving and commercially friendly approach in permitting data transfers under the umbrella of “legitimate interests.” If included, this element could reduce some of the strain of collecting consent, but the interest would need to be justifiable and documented.
One of the most widely discussed provisions, the right to be forgotten, has caused quite a stir in the privacy world. Under the current Directive 95/46/EC, individual data subjects have the right to be provided with fair processing information (a notice of how data is used, etc.), the right of access, the right to object, the limited right to rectify, erase, or block data if the use violates the Directive, and the right not to be subject to solely automated processing. The GDPR would expand some of these rights as well as create new ones, such as the right to be forgotten and the right of data portability. The latter is intended to assist data subjects in obtaining their data in a usable format. The former seems to garner the most attention as applied to social media. For example, Google now releases a twice-yearly transparency report, which includes the requests it has received for the removal of search engine results about EU citizens.
Finally, one of the most significant changes is that the GDPR may require all companies who meet certain criteria and who process personal data in certain ways to appoint a data protection officer (DPO), which is already required in some countries under the current Directive. Although no specific qualifications are set for DPOs, they are required to be experts in data protection law and practices. There is still terminology that requires clarification, but the requirement to appoint a DPO may apply to companies where data processing is a “core activity” or where certain processing is carried out on a “large scale.” These terms leave a lot to be desired in terms of specific guidance, but where a DPO is required, he or she will need to be empowered with the resources to do the job.
Europe has the strongest multinational set of data protection laws in the world. With the copious amount of data being collected every second, the EU is taking a strong stand to protect its citizens’ fundamental right to privacy. Even before the GDPR is formally signed, we are seeing movement to implement some of the same provisions sooner. Even though it will take two years for the GDPR to take effect, companies need to take this seriously now. Start preparing.
- If you do not have a privacy officer or privacy attorney, get one. You may even be able to share one with other companies as long as each of you has meaningful access to him/her.
- Adopt privacy by design.
- Conduct privacy impact assessments on proposed programs/projects and on changes to existing ones.
- Map your data. Know what you collect, from where, how, why, and when you delete it.
- Make sure you have a valid legal basis to collect that data.
- Secure your data in transit and at rest.
- Implement a vendor management program.
The good news is that the GDPR expressly recognizes binding corporate rules as a viable data transfer mechanism for personal data out of Europe. So if you are one of the companies with these, you should be good. But if you are not, start watching the multitude of data protection requirements out of Europe and get serious about your privacy/security compliance program.