European data protection reform: where are we now?
If it feels like we’ve been talking about reform of the EU’s data protection regime for years, it’s because we have. And the reforms are still not complete. This article looks at where we are now, what we know about the likely shape of the new Regulation and what clients can do now to prepare.
The current state of play
The European Commission first published its proposals for a new General Data Protection Regulation (GDPR) in January 2012, as part of a package that also included a draft Directive on the processing of personal data by public bodies for various justice and crime prevention purposes. Since then the pace of progress has been slow. It took until May 2014 before the European Parliament approved its version of the text for the GDPR, which contained a substantial number of changes to the Commission’s draft. The European Council finalised its text in June 2015, with still more amendments.
So now we have three draft texts in play. The current stage, known as the ‘trilogue’, involves negotiations between the three European institutions to reach agreement on the final text. Although there have been optimistic voices predicting agreement by the end of 2015, this may be ambitious given the wide disparities between the three texts. There are many specific disagreements, but overall the Parliament’s approach has been focussed more on the rights of data subjects, whereas the Council has sought to take a more ‘light touch’ approach which would lessen the regulatory burden on controllers and (in particular) processors, and leave many of the details up to national law. This may reflect the preference of some member states, including the UK, for a new Directive rather than a Regulation, but it does risk the GDPR failing in its stated goal of harmonising data protection rules across the EU.
Once these discussions are complete and a final text is agreed, there will be a transition period of two years before the new rules set out in the GDPR will apply (although as this period is specified in the draft text itself, at Article 91(2), it may be subject to change during the negotiations). This means that the GDPR is unlikely to take effect until the end of 2017 or early 2018. As a Regulation, it will be directly effective without the need for any action on the part of the UK Parliament – always assuming, of course, that the UK votes to remain within the EU at the referendum expected to take place during the transition period.
Some 'familiar' themes
For those familiar with the UK’s Data Protection Act 1998 (the DPA), there is a lot in the GDPR that will look reassuringly familiar. The new Regulation follows the same broad structure as the existing 1995 Directive (and the DPA) and uses the same data protection language (‘personal data’, ‘data controller’, ‘data subject’, ‘processing’) that we know and love. Data controllers will still need to comply with a set of data protection principles (Article 5), and ensure that one or more of the conditions for processing can be met (Article 6). There are additional conditions for sensitive personal data (Article 9). The restrictions on exporting personal data outside the EEA remain, with model clauses and binding corporate rules still being options to legitimise the export of data (Articles 40-45). And national data protection authorities, such as our very own ICO, will remain responsible for enforcing compliance with the rules.
But delve a little deeper and practitioners should not be fooled by all this superficial familiarity. Many of the definitions of those familiar terms have been expanded. For those in the UK, the definition of ‘personal data’ as set out in the DPA and applied by the courts in cases such as Durant has always been problematic (and potentially at odds with the 1995 Directive). The GDPR contains a revised definition (in fact we have three subtly different definitions in the three draft texts). However, each of these definitions is potentially broader than the one traditionally applied in the UK and includes, for example, specific references to location data and online identifiers (Article 4(1)). There will also be changes to the scope of the data protection principles and the conditions for processing.
Whilst ‘consent’ will remain a key part of data protection law, the GDPR is likely to make it more difficult for controllers to rely on the implied consent of the data subject. Consent is defined in Article 4(8), and again we have different versions of the text. The Commission’s definition is “any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”, whereas the Council omits the crucial word “explicit”. Whichever version prevails, the definition appears to tighten the circumstances where controllers may rely on implied consent. Article 7 goes on to state that the controller will bear the burden of proof for the consent, any consent wording must be “in an intelligible and easily accessible form, using clear and plain language”, and that the data subject may withdraw consent at any time. Where controllers are currently processing personal data relying on consent, they should be reviewing the mechanisms for obtaining consent in the light of these expected changes.
As with current data protection law, the GDPR will be regulated and enforced by national data protection authorities. For controllers working only in the UK, this will continue to be the ICO. However, there are changes that will impact on international organisations. Articles 51 and 51a provide that the data protection authority in the country where the controller or processor has its main establishment will be the lead authority. This is an attempt to set up a ‘one-stop-shop’, which means international organisations will only need to work with one authority rather than a separate authority in each member state. These provisions have proved very controversial and will be subject to further discussions. What is clear is that national data protection authorities will be expected to work much more closely together, with a single authority taking the lead in respect of particular controllers or processors.
And some new ones
There are also some innovations in the GDPR. An example is the wider territorial application of the GDPR compared to current data protection law. Article 3 states that the GDPR will apply to processing by controllers or processors established in the EU, and processing by controllers (and, in the Parliament’s text, processors) of personal data relating to data subjects based in the EU, where the processing relates to goods or services being offered to those data subjects (whether or not for payment) or the monitoring of their behaviour. This is likely to capture more US companies offering services via the internet than is currently the case.
In a major change from the 1995 Directive, processors as well as controllers will be subject to data protection law under the GDPR. There remains some disagreement about the scope and extent of the obligations that will be placed on data processors, but each of the draft texts includes direct obligations on processors for the first time. For example, Article 30 requires both controllers and processors to implement “technical and organisational measures” to ensure the security of personal data. Article 77 of the Commission’s text states that controllers and processors will be jointly and severally liable for compensation, although the Council’s position is to hold processors liable only where they have themselves breached the GDPR. For processors, these are potentially troubling provisions, and processors and controllers should be reviewing their existing contracts to ensure that they meet the needs of the GDPR, and that liabilities and responsibilities are allocated appropriately.
For UK practitioners outside certain regulated sectors, the breach notification provisions are also a novel change. Article 31 requires notification by a controller to the competent authority of a ‘personal data breach’ within 72 hours, where the breach is likely to cause a high risk to individuals, and processors must notify controllers of any personal data breach immediately (or without undue delay, in the case of the Council’s text). Perhaps even more importantly, controllers must notify data subjects where the data breach is likely to adversely affect their interests (Article 32). There is a clear divergence between the texts here, and the Council’s draft provides a number of exceptions to this requirement, including where notification to individual data subjects would require ‘disproportionate effort’.
For those outside the data protection community, the provision in the GDPR that’s made the biggest splash has been the so-called ‘right to be forgotten’. This is one of a series of expanded rights for data subjects, which also includes a new right to data portability. In some ways the GDPR has been beaten to it by the CJEU in the Google Spain case, which has developed a nascent right to be forgotten under existing data protection law. However, Article 17 of the GDPR codifies this right. Again, there are differences in the draft texts, but each obliges the data controller to erase information where it is no longer necessary for the purpose for which it was collected, where the data subject withdraws consent or where they object to processing. If the personal data has been made public (such as on the internet), the controller must take reasonable steps to inform third parties that the data subject has requested erasure. The right of data portability (Article 18) builds on the existing subject access right, which is retained in the GDPR in Article 15, and obliges controllers to provide copies of data in a machine-readable format capable of being transferred to another controller. Together, these new rights are designed to give data subjects greater control over their data. Data controllers should consider what impact such changes will have on their business models.
Last, but by no means least, is the issue of sanctions for non-compliance with the provisions of the GDPR. Currently, the ICO may impose monetary penalties of up to £500,000 on data controllers for serious breaches of the DPA. Under the GDPR, we are likely to see tiered administrative fines which can be imposed on controllers and/or processors based on the type of breach (Articles 78 and 79). Fines will be calculated up to a maximum of a percentage of the transgressor’s worldwide turnover, which means potentially higher fines under the GDPR than we have seen to date in the UK under the DPA.
Staying ahead of the game
So what should clients be doing now to get ready for the reforms? Although we still have three different texts and some difficult negotiations to come on the final shape of the GDPR, as well as a two-year transition period, there are some key actions that organisations can and should be taking now:
- If you rely on consent as a condition for processing, you should be reviewing your mechanisms for obtaining consent. Are they likely to be compliant with the GDPR? Or will you need to consider whether you can rely on another condition for processing?
- If you process data that does not directly identify individuals, you should be considering whether the expanded definition of personal data will bring that processing within the rules set out in the GDPR. This may mean either minimising the data you process in order to avoid being caught by the GDPR, or amending your processing activities to comply with the new regime.
- If you are a processor, you will become directly responsible for data protection compliance for the first time under the GDPR. You should be reviewing your existing contracts (particularly those likely to go on beyond 2017) to see whether the data protection clauses adequately protect your interests. Think about the GDPR and your likely obligations when you are entering into new contracts. How will you deal with liability in relation to the controller, or claims for compensation from data subjects? Who is responsible for each aspect of compliance (such as data security)?
- If you are a controller, you need to consider whether your contracts with processors are adequate and compliant with the GDPR (for the reasons set out above, your processor may well be seeking to renegotiate terms in any case).
- Controllers should consider how the expanded rights of data subjects can be accommodated and whether systems need to be updated to take account of these rights.
- In the context of potentially higher fines, both controllers and processors should be reviewing their data processing contracts. Do the liability caps need to be revisited?