When introducing the European Commission’s proposal to reform data protection in Europe in January 2012, the EU Justice Commissioner Viviane Reding stated that a new, uniform legal framework would make people “better informed about their rights and more in control of their information” while also “making life easier and less costly for businesses”. It was also seen as essential to review the 1995 Data Protection Directive in order to reflect the modern-day online market and the cross-border data transfers occurring daily.
The culmination of more than three years of discussions between the EU institutions is the General Data Protection Regulation (Regulation 2016/679) (“GDPR”), which was approved by the European Parliament on 14 April 2016. The GDPR regulates the rights and duties of data subjects (i.e. individuals), controllers (those who determine the purposes and means of processing personal data) and processors (those who process personal data on behalf of the controller).
Brexit or no Brexit, the GDPR came into effect on 24 May 2016 and will apply across the EU from 25 May 2018. Based on current Article 50 timetables, it will apply in the UK. The territorial scope of the GDPR is broad – affecting not only controllers and processors based within the EU but also those based in non-Member states who process the personal data of data subjects in the EU in relation to a) the offering of goods and services or b) the monitoring of their behaviour within the Union. Companies falling within categories a) or b) will be required to designate a representative established within the EU who will be answerable for the company’s obligations under the GDPR.
Whilst the GDPR does undoubtedly advance the European Commission’s two key aims, it also places a significant burden on companies to monitor their use of personal data – with potentially serious consequences for failures to comply.

A “One-Stop Shop” for Compliance
As stated above, the European Commission was eager to reduce the administrative burden on businesses operating in multiple EU Member States when it came to meeting data protection requirements. An example of the complex data reporting requirements prior to the GDPR is given in the European Commission’s publication “How will the EU’s data protection reform simplify the existing rules?”. A business might have its head office in France but also have franchised shops in various other EU countries. If personal data relating to clients was collected in each office and then transferred to the head office for processing, each of the franchises would previously have had to report to their respective national data protection authorities (referred to in the GDPR as “supervisory authorities”).
Under the GDPR, the lead supervisory authority for cross-border data processing will be the supervisory authority of the “main establishment” of the controller or processor. A company’s “main establishment” is defined as its place of central administration or the place where the main processing activities take place. Thus, in the above example, the business would only have to report to the supervisory authority in France in order to meet its data protection requirements.

Greater Control for Data Subjects
The tone of the GDPR in respect of data subjects is evident from the first recital, which reads:

“The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the “Charter”) and Article 16(1) of the [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.”
One example of greater control to the data subject is the requirement of consent in certain situations before personal data can be processed. It is clear that where such consent is required, it must be freely given and unambiguous, taking the form of a statement or clear affirmative action on the data subject’s part. Moreover, the onus is on the data controller to demonstrate that consent was freely given in each situation.
The importance of consent is set out in paragraph 32 of the GDPR’s recitals, which states:

“consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller… Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case…”
In addition, the GDPR provides for the right of data subjects to obtain information about their personal data and the right to restrict the processing of their personal data in certain cases. A data subject’s “right to be forgotten” is also reinforced in the body of the GDPR.

The Burden on Data Controllers and Processors
The GDPR’s emphasis on protecting data subjects and their personal data places a significant burden on data controllers and processors. In particular, controllers must now have regard to the principle of transparency in their communications with data subjects, ensuring that information about personal data and rights, risks and safeguards is provided in an easily accessible form. This principle is extremely important when it comes to demonstrating that a data subject’s consent to processing personal data, where required, was freely given.
The controller is also explicitly encouraged to adopt internal policies whose default position is to deal with personal data in a way that is compliant with the GDPR. Examples given in the GDPR itself include minimising the processing of personal data, encryption and pseudonymisation, and transparency with regard to how personal data is used. In reviewing their own policies, processors and controllers will be expected to take note of the principles of personal data processing set out in Article 5 of the GDPR.

Safeguards and Sanctions
The GDPR puts measures in place to protect data subjects where controllers transfer personal data to countries outside of the EU or to international organisations. Such transfers can only take place if data is being sent to a country or organisation which the Commission has deemed to have adequate protection, or where the controller can demonstrate that suitable safeguards are in place. Such safeguards may include adhering to binding corporate rules (which supervisory authorities are now obliged to implement to control international data transfers) or making use of data protection clauses.
It is clear that the European Commission takes breaches of personal data very seriously, as infringements of the GDPR carry potentially hefty administrative fines. In particular, breaches of the conditions for obtaining consent, or breaches which affect data subjects’ rights under the GDPR, are subject to a fine of up to €20,000 or 4% of a controller or processor’s total worldwide annual turnover, whichever is higher.
Overall, the GDPR can be seen as a much-needed piece of legislation harmonising the rules on personal data protection across Europe while ensuring that personal data is processed in a careful manner. However, controllers and processors will need to seriously review their internal policies before May 2018 to ensure that the data subject is a priority when it comes to handling personal data. In the case of smaller controllers and processors, who don’t necessarily operate across borders, it may well be that the burden of complying with the GDPR’s stringent requirements outweighs the benefits of the much-touted “one-stop shop” approach.

Back to Brexit
The UK will exit on a set day in 2019, and we will be surprised if we have got that wrong. A set date does not mean that all EU laws simply fall away. The UK can decide what it wants to keep and what it discards. As regards the laws it keeps, the UK can decide how they should be amended so that the law still functions when it comes down to enforcement. Much of that enforcement will now fall to UK bodies.
EU or not, the GDPR is good law and is needed. It must be implemented for 2018 by the UK and once implemented it should be retained in 2019 and beyond with the necessary amendments. There is simply no need to throw out the baby with the bathwater.
© Chambers of Lawrence Power