The new General Data Protection Regulation is (almost) here
So, we finally have an agreed text for the new General Data Protection Regulation!
The compromise text was agreed in December, shortly before the fourth anniversary of the European Commission's original proposals, so it's been a very long time coming. Once it is formally signed off, which is likely to be later in January, there will be a two-year period before the Regulation becomes law. This means the new rules will be with us from early 2018.
If you've been following this closely (and well done if you have), you'll know that the path towards the new law has not always been smooth. The final text seeks to harmonise data protection laws across Europe and balance the concerns for individual privacy with the potential burdens on organisations in the age of big data, where it is increasingly easy to collect and store vast quantities of information about individuals.
The Regulation runs to more than 200 pages, including over 70 pages of recitals, so it's a weighty document. It retains the basic tenets of existing data protection law – ensuring that personal data are only processed in accordance with specific conditions and in line with a set of principles. However, the Regulation represents a significant strengthening of, and upgrade to, the current law.
This article sets out five key themes of the new Regulation, and how it differs from the existing law. We will be publishing further articles on how to prepare for the new Regulation in the coming weeks.
Greater transparency with individuals
At the heart of the new Regulation is the concept of being transparent with individuals about how their data is used. This isn't completely new. We are used to seeing notices (sometimes in very small print) explaining who is collecting our information and why. These privacy notices are required under current data protection rules.
The new Regulation builds on these requirements and takes a more prescriptive approach. For instance, Article 14 requires data controllers to inform individuals at the time their information is collected of the legal basis of the processing and the period for which it will be stored. There are additional transparency obligations whenever an organisation is seeking the consent of an individual. These changes are likely to require most organisations to review and re-write their privacy policies and fair processing notices.
A further aspect of transparency is the requirement for data controllers to notify regulators of personal data breaches within 72 hours and, where the breach is likely to result in a high risk to individuals, to notify individual data subjects without undue delay.
Holding organisations to account
Another overarching theme of the Regulation is the principle of accountability. There are new requirements on data controllers (and processors) to demonstrate their compliance by fully documenting their data processing activities.
This accountability principle runs right through the Regulation. Public bodies and organisations that process large volumes of data will be required to appoint a Data Protection Officer, new processing activities may require organisations to carry out data protection impact assessments, and data protection audits will become more commonplace to ensure organisations implement privacy by design and by default.
If things go wrong, organisations may be required to report breaches and will face stiffer penalties. The ICO will retain its duty to investigate complaints and its current armoury of weapons (such as obtaining information and issuing enforcement notices), with the additional power to levy administrative fines. These may be as large as the higher of €20 million or 4% of worldwide turnover, which is a very significant increase on the current ICO powers to issue monetary penalties of up to £500,000.
Enhanced rights for individuals
The Regulation includes a suite of rights for individual data subjects. In addition to rights to subject access and to object to processing (including automated decision-making), which are retained from the current law, individuals will have the right to receive their data in a commonly used and machine-readable format and the right to have their data erased.
The Regulation also makes clear that individuals have the right to compensation for immaterial as well as material damage suffered as a result of a breach. This codifies the UK position in relation to compensation for distress since the Court of Appeal's 2015 decision in the Vidal-Hall case.
New rules on data transfers
There has been much discussion of the transfer of personal data outside of Europe since the Schrems decision led to the demise of the Safe Harbor framework. Anyone hoping that the Regulation will simplify the current confusion is likely to be disappointed.
The Regulation repeats much of the existing law in this area and in some circumstances narrows the scope for organisations to legitimise transfers of personal information outside of Europe. For instance, transfers can only be based upon explicit consent where individuals have been informed of the possible risks of the transfer, and organisations can only rely on their own finding of adequacy in very limited circumstances.
Organisations may still rely on model clauses approved by the Commission. For larger organisations, the concept of binding corporate rules is written into the Regulation. As with the current position, these will require prior approval from a regulator.
The Regulation also introduces the concepts of pre-approved data protection codes of conduct and certification mechanisms which can legitimise data transfers. At this stage it is unclear how these will be developed in practice, but they could provide additional means of enabling data to be exported outside Europe.
Direct obligations on processors
Under existing data protection law, the data controller is solely responsible to data subjects and the regulator for compliance. If the controller engages a data processor, the processor is only responsible contractually to the controller.
By contrast, the Regulation imposes direct obligations on data processors. For instance, Article 30 requires a processor to take appropriate security measures to protect personal data, and Article 28 imposes an obligation on processors to maintain certain records of all processing activities.
As a consequence of these direct obligations, where there is a breach, individuals may be able to seek compensation directly from processors. Article 77 sets out how liability will be determined in the event of such a claim. A processor will only be responsible if it has not complied with a direct obligation imposed by the Regulation, and may escape liability where it can prove it is not in any way responsible for the breach. However, where a controller and a processor are involved in the same processing, each may be held liable for the entire damage.
Regulators will also be able to impose administrative fines on a processor in the event of a breach of any of the processor's obligations under the Regulation.