With the last Directive on Data Protection (Directive 95/46/EC; the "Directive") adopted in 1995 and in light of the rapid and vast technological developments since then, the EU has been aware for quite some time now that a new data protection legal framework is needed. With the ongoing debates on this topic in the EU bodies that started back in January 2012, the new General Data Protection Regulation (Regulation (EU) 2016/679; the "Regulation") was finally adopted in April 2016, and will come into effect on the 25th of May, 2018.
The Regulation will repeal the Directive, which provided guidelines for the regulation of data protection across the EU and urged Member States to adopt national legislative acts. In the end, it became apparent that the setting of general principles and objectives, which was the approach pursued with the Directive, was not sufficient, as it did not prevent Member States from implementing the Directive in different ways, eventually leading to disunity of data protection rules across the EU and generating legal uncertainty. A diversity of regulatory frameworks in EU Member States presented a considerable disadvantage to all companies wishing to enter the markets of various Member States, which led to distortion of competition and had a negative impact on the competitiveness of the EU economy as a whole.
The scope of the Regulation is much broader than the protection of natural persons with regard to the processing of personal data alone. Its main objective is to ensure the free movement of personal data, not only within the EU but also to third countries and international organisations, and to allow both private companies and public authorities to make use of such personal data, all while ensuring a high level of protection.
Presented below are the main novelties introduced by the Regulation that are expected to bring these aspirations to life:
1. Expanded territorial scope
The Regulation redefines the territorial scope of the data protection framework: the main focus has shifted from the controllers and the location of their establishments or of the equipment used for data processing to the data subjects who are in the EU.
Pursuant to the Directive, national law applies where processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State. Consequently, controllers with establishments on the territory of several Member States had to ensure compliance of each establishment with the national law of the respective Member State. National law also applied to controllers using data processing equipment located within the EU.
By contrast, the Regulation applies not only to the processing of data carried out in the context of the activities of a controller or processor having its seat within the EU, but also to the processing of data of all subjects who are in the EU, even if the seat of the controller or processor is outside the EU. This is subject to the condition that the processing relates either to (i) the offering of goods or services to such subjects in the EU, or (ii) the monitoring of their behaviour (as far as their behaviour takes place within the EU).
2. Reinforced consent requirements
The Regulation states, in more detail than the Directive, that the data subject's consent to the processing of data has to be informed, voluntary, explicit and unambiguous, and has to be given either in the form of a statement or by another "clear affirmative act". Consequently, silence or any other inactivity cannot be interpreted as consent; consent has to be given by a written or oral statement or by other conduct clearly indicating the subject's consent (such as ticking a box when visiting a website or choosing technical settings). Ultimately, the controller has to be able to prove that consent has been given. In order to be able to give an informed statement, the subject has to know, at the very least, the identity of the controller and the purpose of the data processing.
The Regulation is also stricter when it comes to the question of whether consent is voluntary. Consent will be deemed involuntary if the subject had no genuine choice or if he or she could not refuse or withdraw the consent without detriment. Where the performance of a contract is made conditional upon consent being given, even though the consent is not necessary for that performance, such consent will also be deemed involuntary. What is more, consent will not be valid where there is an obvious inequality between the data subject and the controller.
With regard to subjects' consent in particular, Member States will be free to adopt specific regulations on the processing of employees' personal data in the employment context.
3. New data subjects' rights
The Regulation expands the right to erasure, which is now also known as "the right to be forgotten", and introduces a new right to data portability. The right to be forgotten binds the controller to erase data without undue delay upon the subject's request if the personal data is no longer necessary for the purpose of the processing, if there is no legal basis for the processing (including cases where the data subject withdraws his or her consent to the processing), if the processing was unlawful, or if the erasure is required by EU or national law. The right to data portability gives the data subject the right to have the data transmitted directly from one controller to another.
4. Data protection officers and other controllers' and processors' obligations
For the first time, the Regulation imposes direct obligations on data processors. From now on, provided that (i) the processing is carried out by a public authority, (ii) the processing requires regular and systematic monitoring of data subjects, or (iii) the processing involves special categories of personal data on a large scale, every data processor and data controller will have to appoint a data protection officer ("DPO"). Each company within a group of associated companies will have to appoint its own DPO, unless a single DPO is accessible from every company within the group.
A DPO should be a person with expert knowledge of data protection. A DPO should also be independent, meaning that no instructions may be given to the DPO regarding the performance of his or her tasks and that the DPO reports directly to the management body of the controller/processor. The main tasks of the DPO will include advising and informing the controller/processor, verifying regulatory compliance, acting as a contact point for the supervisory authority, etc. Data subjects will be entitled to approach the DPO directly.
Furthermore, a new obligation has been imposed on organisations acting as controllers or processors, which will have to maintain a record of their personal data processing activities. These records will include information such as the purpose of the processing, the controller's or processor's contact details, the categories of data subjects, of personal data and of recipients to whom the data will be disclosed, etc.
In the case of a personal data breach, the processor is obliged to notify the controller and the controller is obliged to notify the competent supervisory authority. Data subjects also have to be notified of the breach if it is likely to result in a high risk to their rights and freedoms.
5. Privacy by design and by default
Another general obligation has been adopted with a view to ensuring compliance with the requirements of the Regulation. The controller will have to adopt adequate internal policies and implement measures that meet the principles of data protection by design and by default. Privacy by design requires the controller to adopt appropriate measures that integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects (such as pseudonymisation, data minimisation, etc.). These measures will have to be adopted not only at the time of the processing but also at the time of planning the data processing. Privacy by default, on the other hand, means that the controller has to adopt measures so that, by default, only the processing of data that is necessary for the purpose of the processing is possible.
6. Transfer of personal data outside the EU
No special permission is required for a data transfer to non-EU countries or to international organisations if the European Commission assesses that the respective country or international organisation provides an adequate level of data protection. When assessing adequacy, the European Commission takes into consideration first and foremost the standard of human rights protection, the adequacy of the local legislation, and the existence of supervisory bodies and international commitments. Nevertheless, a transfer to non-EU countries and international organisations for which no such assessment has been made is still possible if appropriate safeguards are provided by the controller or the processor and effective legal remedies are available to the data subjects.
7. Lead supervisory authority
The Directive already provided that every Member State has to establish a supervisory authority to monitor the application of data protection rules. Every supervisory authority is competent for data protection matters on the territory of its own Member State. With a view to unifying both the rules and their application in practice, the Regulation now stipulates that where a controller or processor has establishments in several Member States, the supervisory authority of the main establishment is competent, as the lead supervisory authority, for the cross-border processing carried out by that controller or processor.
8. New European data protection board
The European Data Protection Board (the "Board") will be a new EU body, composed of the head of the supervisory authority of each Member State and the European Data Protection Supervisor. Its main task will be to ensure the consistent application of the Regulation, which it will also pursue by issuing and publishing opinions, guidelines, recommendations and best practices. Once a year the Board will have to issue an annual report regarding data protection in and outside the EU.
In addition to its advisory function, the Board will also have decision-making powers with regard to the activities carried out under the consistency mechanism. Where a supervisory authority wishes to adopt certain measures, the Board will have to issue an opinion, with which the supervisory authority will have to comply to the greatest extent possible. In certain disputes, the Board will be competent to adopt a binding decision.
9. Sanctions and penalties
Under the Directive, Member States have until now determined the nature and level of penalties themselves. The new Regulation itself provides for administrative fines for certain infringements, as well as the level of such fines. The highest level of administrative fine under the Regulation is EUR 20 million or, in the case of an undertaking, 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. Notwithstanding this, additional penalties for other infringements may be prescribed by the Member States.
A glance to the future
Now it is the controllers' and processors' turn. By spring 2018 they have to ensure that their data processing complies with the new Regulation. Unified rules within the EU market and, consequently, unified practices regarding data processing will make things easier for companies, as they will know what to expect when entering the markets of other Member States. Eliminating yet another administrative impediment will certainly facilitate free movement within the EU. On the other hand, data subjects will also benefit, as they will now know what level of protection they can expect in each and every one of the Member States.
The information in this document is not intended to provide and does not constitute legal or any other advice on any particular matter and is provided for general information purposes only.