Over the past six months you have probably been bombarded with data privacy articles, questions, and concerns regarding the European Union (“EU”). Given the sheer volume of material on the topic, it is difficult to figure out what you really need to know about the current state of data privacy and data protection in Europe. We saw the European Court of Justice strike-down the US-EU “Safe Harbor” agreement last October (which will likely be replaced with the new “Privacy Shield” agreement). We know that the EU recently approved a new EU-wide data privacy law. The hard part, however, is figuring out what it all means. This edition of “Ten Things” will try to sum things up in a useful way so when those questions and concerns come across your desk, you have some ready answers and a road map for the next steps you and your company need to take to ensure compliance with all of the changes in EU data privacy law:
On December 15, 2015 the “powers that be” within the various parts of the government of the EU agreed on the terms of a new data privacy law. The new “General Data Protection Regulation” will replace the existing EU Data Privacy Directive, adopted back in 1995. Below I will discuss some of the key new provisions but one of the biggest differences between the two pieces of legislation is that the 1995 “Directive” was a “floor”, i.e., each EU Member State was required to implement their own data privacy law with “at least” as strong of protections as set out in the Directive. The Member States were free to (and many did) implement stronger protections, leading to a lot of inconsistency across borders. The “Regulation”, however, is designed to provide a uniform data privacy law that will go into effect across the entire European Union. It will not require action on the part of the Member States and it will supersede the Directive (and any Member State “versions” thereof).
May 25, 2018
On May 5, 2016 the Regulation was published in its final form. Under EU law it will go into effect two years and 20 days later, i.e., May 25, 2018. In the meanwhile, the 1995 Directive (as implemented by each Member State) will still control data privacy in the EU. This means you must continue to comply with the law as set out under the Directive while planning out how to comply with the changes coming under the Regulation, effective in May 2018. Not an easy task.
Time to Get Moving
While two years may seem like an eternity, there are enough substantial changes and new obligations in the Regulation (vs. the Directive) that there is really no time to lose in terms of preparing. If your company processes personal data of EU citizens (or processes personal data in the EU), you need to get moving now. This is a great opportunity for Legal to take the lead and help guide the company forward, in particular in terms of analysis of and preparation for the new requirements.
10 Key Provisions
The Regulation is over 250 pages long, so I am only able to summarize some of the key provisions I think you need to be most concerned with at this point. There will be further guidance provided by the EU (in particular from the Article 29 Working Party) as to what is required under specific provisions. It will be important to stay tuned-in to that guidance moving forward:
1. Who’s Covered? – any company processing personal data within the EU and any company that processes the personal data of EU citizens is covered by the Regulation – regardless of where the company or its equipment is located. For example, a company in Canada offering goods and services to EU citizens, e.g., via a French language site with euros currency, is captured by the new law. This applies to both data controllers and data processors. This broad sweep of coverage is a huge change from the Directive.
2. Enforcement – on its face, there are substantial fines that the EU or relevant Data Protection Authority (DPA) can levy against any company that breaches the provisions of the Regulation. The fines can be up to the greater of €20M or 4% of global gross revenue. Likewise, companies will need to cooperate with DPA investigations, including on-site visits. Individuals can bring legal actions against companies in the Member State where the individual resides (even if the company is not based in the EU). There is now the possibility of joint and several liability of the controller and the processor, i.e., you can be responsible for the actions of other companies you work with regarding the processing of personal data. At a minimum, this means you will need to be keenly aware of your third-party vendors’ privacy and data security programs and you will need to review your contracts with them and ensure that there is complete alignment on obligations and responsibilities. On the positive side, a welcomed change under the Regulation is that it will provide companies with the ability to deal primarily with one DPA in the EU country where the data controller has its main business establishment. Under the Directive, a controller had to deal with multiple DPAs if it processed personal data in more than one EU country.
3. Data Privacy Officer – all companies where data processing is a “core” activity and all companies processing “sensitive data” on a large scale will need to formally appoint a Data Privacy Officer (DPO). This applies to both a controller and a processor. A family of companies can have one DPO to act on behalf of the group. The DPO does not have to be an employee of the organization, i.e., can be a third party such as an outside lawyer. DPO’s will be responsible for ensuring that their companies properly train their employees on data privacy issues and for ensuring that their company regularly tests, assesses, and evaluates the effectiveness of its data security processes. The quality of such training and testing/evaluation will bear directly on the amount of any fine in the event of a data breach. Employee training is probably the single most effective thing you can do to prevent data breaches or the improper use of personal data.
4. “Right to Be Forgotten”/Access – you have probably heard of the decision against Google in Spain requiring Google to honor an individual’s request that certain data and information about him or her be deleted. This “right to be forgotten” concept is now enshrined in the Regulation and will become an obligation of all companies subject to the law. Surprisingly, the law will require that the company immediately take down the questioned information while it is deciding if the request for permanent deletion is warranted under the law. Similarly, individuals will be able to obtain a copy of their data from you, including the ability to transfer that data to another controller.
5. Notification of Breach – in the event of a data breach involving personal, unencrypted data, the breach must be reported to the applicable Data Protection Authority within 72 hours (if “feasible”) and the company must notify the affected individuals without “undue delay” when the breach is likely to result in a “high risk” to the rights and freedoms of those individuals. Processors must notify controllers of data breaches. Bottom-line is, if you don’t already, you will need to have a plan in place to report data breaches in the EU.
6. Obligations on Data Processors – data processors (i.e., a party processing data on behalf of a data controller) are now directly regulated under the Regulation. Further, a data processor may not subcontract any of the processing work without the prior specific or general written consent of the data controller. These are big changes from the Directive. Unlike the Directive, the Regulation will place direct liability for violations (with limits) on all data processors and not just the data controller. The Regulation also contains numerous specific contractual obligations that data controllers must impose on their data processors and any sub-processors (and which must be included in any contracts between the parties), as well as new obligations owed by data processors to data controllers (e.g., confidentiality, assistance with responding to data subject rights requests, notice of breach, detailed descriptions of the processing, privacy impact assessments, demonstrating accountability via record keeping, audits, return of data post-contract, etc.).
7. Consent – where the basis for processing personal data is “consent” of the individual, such consent must be “freely given, specific, informed and unambiguous” and “expressed affirmatively.” This likely means no burying the “I consent” language deep within the user agreement or relying on pre-ticked boxes. You will need to set up a process to obtain specific consent for any and each use of the personal data. Meaning, aside from collecting and using personal data for the initial stated purpose, any “repurposing” of the personal data collected will be difficult unless affirmative consent was or is obtained for that repurpose. Furthermore, consent can be withdrawn at any time. Children under the age of 16 require parental permission in order to give consent (though Member States may set different ages for this provision, e.g., 13 years old in the U.K.). All of this will require a new level of detail and transparency with respect to privacy notices on company websites (yes, privacy notices will become even longer and more complicated). Given the issues with consent, it will probably be far easier to rely on other provisions of the Regulation for the legal basis of processing personal data. For example, under Article 6(b), processing is permitted if it is necessary to fulfill the purpose of a contract to which the data subject is a party. If so, then processing the personal data of a data subject using an online travel site to book an airline ticket is permitted without more, so long as the information collected is necessary to complete the transaction. If the online travel company wishes to use the personal information for other purposes, then the data subject would need to affirmatively consent to that other purpose.
8. Transfers of Data Outside EU – there will still be a prohibition against the transfer of personal data outside of the EU unless (1) there is explicit consent, (2) the transfer is necessary to complete the contract, (3) the destination country provides an “adequate level of data security” (which must be essentially equivalent to the EU framework), (4) the EU model contract clauses are in effect (the use of which no longer need be notified under the Regulation), (5) Binding Corporate Rules are in place (the Regulation explicitly recognizes BCRs), or (6) one of several other new exceptions apply such as approved industry codes of conduct (e.g., a trade association program) or a certification issued by an approved certification body (private or governmental). Note that legal requirements of third countries will not be a valid reason/basis for transfer of data.
The new Privacy Shield agreement will provide another legal basis to transfer personal data from the EU to the USA. However, the Article 29 Working Party recently identified several places where it believes the agreement needs to be clarified or modified. While their opinion is not binding it is heavily influential and there will likely be some changes to the Privacy Shield before it becomes final. While the agreement will likely go into effect this year, there will be a legal challenge filed against it similar to that made against Safe Harbor leading to the Schrems decision last October. Until the Privacy Shield is officially approved, US companies that previously relied on Safe Harbor to transfer personal data out of the EU must have another mechanism in place to comply with the Directive. The best interim alternative for now is probably the “model contract clauses.” Moreover, even if the Privacy Shield is approved, you should consider having a back-up plan in place in the event a legal challenge is successful. And you may decide that living with the model clauses is easier than the enhanced requirements under the Privacy Shield. Finally, while all of the focus is on US/EU, it is difficult to see how personal data transfers from the EU to Russia, China, India, and other countries will be (are) permitted without massive changes in the laws of those countries to achieve some “essential equivalence” to the Regulation. Stay tuned on that fascinating issue.
9. Data Privacy Impact Assessments – where data controllers or data processors utilize new technologies and there is “high risk” of data privacy issues, they must conduct a Data Privacy Impact Assessment of the new/planned technology, and document their processing operations and information systems. Such documentation must then be available for inspection by a relevant DPA. On a side note, it may simply be a good idea to develop a DPIA process regardless.
10. Obligations Around the Collection of Personal Data – a number of other new principles/obligations will apply to the collection of personal data under the Regulation vs. the Directive. In particular, personal data my only be collected for a “specified, explicit and legitimate” purpose and companies will need to enact plans to ensure “data minimization,” “privacy by design,” “accuracy,” “storage limitation,” “accountability,” “integrity,” “pseudonymization/encryption” (where appropriate), and “confidentiality” of personal data. Moreover, there are new restrictions/obligations around using personal data to “profile” individuals, e.g., such as interests or personal preferences. Finally, the Regulation contains a number of new obligations around the information a controller must provide to an individual before collecting personal data, including the purpose of the processing, the period of time the data will be stored, the identity of any recipients of the data, the right to a copy and of redress/correction, etc. All of these will add significant operational burdens on companies.
There is a lot more to the Regulation than the provisions summarized above. As you can already see, there will be many places where different officials may interpret the meaning of certain words differently. For example, “high risk” and “if feasible” in the breach notification section. While it will be a uniform law, there will undoubtedly be “nuance” in how the Regulation is enforced by different DPAs over time, just like under the Directive. Overall the key will be to act in good faith and diligently in terms of trying to comply. It will not be a perfect defense if there are problems, but in my experience regulators recognize when companies try to do the right thing and fail vs. those that simply do not try or care at all. It’s far better to be in the former category than the latter.
Regardless of whether you agree with it or not, think is it great or think it is the worst kind of government overreaching, the Regulation is here, the Europeans are serious about data privacy and data rights, and the penalties for failing to comply can be substantial. My suggestions on next steps:
- Read It: There is no substitute for reading the Regulation cover-to-cover. If you deal with data privacy issues you should have a well-worn, dog-eared, and heavily highlighted copy of the Regulation near your desk.
- Brief It: If you haven’t already done so, it’s time to begin preparing the business (including senior management) for what’s coming. Take your time here and be sure you understand what is being proposed and how it will impact your company. Going in to a meeting half-cocked and not understanding the impacts is not a good idea.
- Follow it: There will be a lot written about the Regulation over the next two years. Work hard to stay up to date on the latest developments. The International Association of Privacy Professionals has an excellent web site and resources that can help you understand the Regulation and the intent behind certain provisions. See iapp.org. The European Commission and the new European Data Protection Board (along with the existing Article 29 Working Party) will provide guidance, FAQs, etc. as the process moves forward. Finally, many law firms and privacy professionals will be writing and blogging about the Regulation as well.
- Plan It: Lastly, you should create a project plan based on your review of the final Regulation and the different requirements as they map to your company’s data privacy practices. You (and a cross company team) will need to focus your efforts first on the “gaps.” Nothing fancy or complicated is required, a simple matrix (see example below) can keep you — and the business –focused on what needs to be done over the next 18-24 months, and give your C-Suite and Board of Directors comfort that there is plan in place and you are executing against the plan.
Here are some additional resources that can provide important information and guidance about the Regulation over the next two years:
- International Association of Privacy Professionals
- European Union – Data Protection
- Article 29 Working Party (EU)
- Federal Trade Commission – Privacy and Security
- Chronicle of Data Protection
- Privacy Matters
- Privacy and Data Security
- Data Privacy Monitor
- Privacy Law Blog
May 13, 2016
(If you find this blog useful, please click “follow” in the top right so you get all new posts automatically, pass it along to colleagues or friends, and “Tweet” it. “Ten Things” is not legal advice or legal opinion. It is intended to provide practical tips and references to the busy in-house practitioner and other readers. You can find this blog and all past posts at www.TenThings.net. If you have questions or comments, please contact me at either email@example.com or firstname.lastname@example.org).
My first book, “The Evolution of Professional Football,” is available for sale on Amazon and at www.SterlingMillerBooks.com.