Michael R. Cohen, CIPP/US, CIPP/E
Gray Plant Mooty

Overview of the EU General Data Protection Regulation (GDPR)
WHAT YOU NEED TO KNOW ABOUT THE EU GENERAL DATA PROTECTION REGULATION (GDPR)

What is the GDPR?
It's the most significant development in data protection law in 20 years. Current EU data protection is based on the 1995 EU Data Directive. In January 2012, the European Commission first announced proposed revisions to the Directive. On December 17, 2015, the European Parliament and Council announced the text of the brand-new General Data Protection Regulation (GDPR). The GDPR has 99 articles and is over 200 pages long. Its adoption follows years of intense lobbying and represents a landmark moment in data protection and privacy, both in Europe and around the world.

Effective Date.
The GDPR becomes effective May 25, 2018. Until then, the 1995 Directive remains in effect.

Highlights of the GDPR.
Some of the major provisions of the GDPR include:

Expansion of Scope.
Non-EU businesses will be subject to the GDPR if they 1) offer goods or services to EU residents or 2) monitor the behavior of EU residents. The GDPR may apply to any controller or processor of EU citizen data, regardless of where the controller or processor is located. New obligations are imposed on data processors and controllers.

Data Breach Notification.
The GDPR requires that a privacy regulator be notified by the data controller within 72 hours of discovery of the breach. Notice to individuals, without undue delay, may be required if there is a potential of serious harm. Notice is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Increased Fines for Noncompliance and Right to Sue.
Currently, fines under the Directive vary by member state and are relatively low. Under the GDPR, violations of certain provisions, such as consent requirements or cross-border data transfer restrictions, can trigger fines up to the greater of €20,000,000 or 4% of a company's annual revenue. Individuals are also allowed the right to sue and obtain compensation from a noncompliant controller or processor. Two tiers of fines are created, depending on whether the controller or processor committed any previous violations and on the nature of the violation.

Data Protection Officers.
The GDPR will require controllers or processors to appoint a data protection officer where the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale, or where the entity conducts large-scale processing of special categories of data. If data processing is a core activity and sensitive data is processed on a large scale, appointment of a DPO may be necessary. Those in the healthcare, insurance, pharma, biotech, and technology industries may need to hire additional data protection officers to comply.
Data Protection Impact Assessment (DPIA).
Businesses may be required to implement data protection by design (e.g., when creating new products, services, or other data processing activities). Controllers are required to carry out a DPIA when the type of processing is likely to result in a high risk to the rights and freedoms of natural persons. A DPIA is required if the controller engages in a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person. A DPIA may be required to identify privacy risks in any new products or services. Additional guidance from the European Data Protection Board may be necessary to determine when a DPIA is necessary.

Consent Requirements.
Consent remains a lawful basis for the transfer of personal data under the GDPR. Consent, as a legal basis for processing, may be harder to obtain under the GDPR. The Directive allowed controllers to rely upon implied and opt-out consent in some limited circumstances. The GDPR requires a statement or a clear affirmative action by the data subject. Consent must be freely given, specific, informed, and unambiguous. Businesses that rely upon consent to process personal data will need to carefully review existing practices. Consent will not be considered valid if a data subject has to give consent to processing for the provision of a service where the processing is not necessary to the actual performance of the contract. There are new consent requirements for processing children's data.

One Stop Shop.
The GDPR's intent is to harmonize data protection law within the EU. Under the Directive, a Data Protection Authority in a member state could exercise authority over any business operating within its territory. The GDPR creates a Supervisory Authority to act as lead and have jurisdiction over any complaints and violations.

Children.
Parental consent must be obtained if the concerned individual is under 16 (unless the member state passes a law to lower this age, but in any event the age cannot be lower than 13).

Sensitive Data.
More stringent requirements apply to sensitive data than under the EU Directive, including genetic, biometric, health, racial, and political data.

Enhanced Notice and Information Obligations.
The Directive required the controller to provide data subjects certain minimum information before collecting data, including the identity of the controller, the purpose of processing, and any recipients of the data. Data subjects were given a limited right under the Directive to access data. The GDPR increases the number of disclosures required before collecting personal data, including how long the data will be stored. Data subjects must also be informed of their right to withdraw consent at any time. Controllers must provide a data subject any information they hold about that data subject, free of charge, and within one month of the request. More details may now need to be disclosed to data subjects, both initially (e.g., in a privacy policy) and in response to access requests. Controllers may be required to allow individuals to obtain a full copy of their data in a standard format and possibly facilitate transfer of the data to others. The information disclosed and rights to access are more robust under the GDPR.

New Rights: Right to be Forgotten and Data Portability.
The GDPR codifies the right to be forgotten following the European Court of Justice's 2014 Google Spain decision, so that it now applies to all controllers. Individuals will now have the right to request that businesses delete their personal data in certain circumstances (e.g., where the data is no longer necessary for the purposes for which it was collected). The GDPR adds a new right to data portability so that data subjects can request personal data collected about them or have it transferred to another provider of online services. Data portability only applies when processing was originally based on the user's consent or on a contract, and does not apply to processing based upon the controller's legitimate interests. Businesses may need to prepare for how they will comply with these requests for rectification and erasure of personal data or data portability, and for the means of handling and documenting requests from data subjects.

Cross Border Transfers.
The GDPR allows personal data transfer outside the EU subject to compliance with set conditions. As provided in the Directive, the transfer of personal data to a location outside the EU remains restricted. Personal data of EU residents can only be transferred to a country with adequate data protection. Unless and until the United States is deemed to have adequate data privacy protection, the transfer of data must look to options such as the Privacy Shield, Model Contracts, Binding Corporate Rules, derogations such as consent, and other limited exceptions under the GDPR. Exceptions or derogations are allowed under the GDPR for the following: the data subject's explicit consent to the proposed transfer, provided the data subject is informed of the possible risks of such transfer due to the absence of an adequacy decision and appropriate safeguards are implemented; or the transfer of personal data is necessary for performance of a contract.
The GDPR retains the same derogations as the Directive, including consent, but adds a new opportunity for a business to assert compelling legitimate interests of the controller. The GDPR acknowledges as valid the current requirements for BCRs as provided in the Directive. BCRs will still require prior approval by a DPA, but the process will be streamlined and easier to follow. Standard contractual clauses (model contracts) will no longer need prior DPA approval, as is currently required in some member states. Finally, a new program under the GDPR allows for transfer based upon codes of conduct or certifications that are approved by the relevant EU authority, so long as appropriate safeguards are applied.

[On October 6, 2015, the European Court of Justice invalidated the EU-US Safe Harbor framework, which allowed the storage and processing of personal data of EU citizens so long as the business self-certified compliance with certain privacy policies and procedures. Thousands of businesses relied upon this Safe Harbor framework. On February 2, 2016, the European Commission and U.S. Department of Commerce announced a new data transfer framework, the so-called Privacy Shield, to replace the invalidated Safe Harbor agreement. The proposed Privacy Shield includes a federal ombudsman to oversee intelligence access to EU citizen data, a multi-step complaint process for EU citizens, and additional enforcement and remedies for noncompliance. On July 12, 2016, the Privacy Shield was finally approved. Businesses can self-certify with the United States Department of Commerce as of August 1, 2016. Additional materials, details, and guidance on Privacy Shield compliance are available at the US Department of Commerce website: https://www.commerce.gov/page/eu-usprivacy-shield]

What Should You Do Today?
You must continue to comply with the Directive while, at the same time, preparing for the GDPR and possibly the Privacy Shield. May 25, 2018 will be here sooner than you think. Start preparing now.

Perform a Risk Analysis.
What risks does the business face under its current service model and activities? Where are the gaps that need to be filled?

Compliance Checklist.
- Transparency: privacy notices and information disclosure
- Collection and purpose limitations
- Children's information
- Consents and ability to withdraw
- Tracking of preferences
- Accuracy
- Privacy program management and processes
- Cross-border data transfer compliance
- Use of Data Protection Impact Assessments
- Obligations as controller and/or processor
- Third-party contracts to process information
- Records to document activities as controller/processor
- Documented data security program and processes
- Use of encryption and other technical safeguards
- Anonymization and pseudonymisation
- Data breach readiness and response
- Incident response plan
- Mechanism for providing access to information
- Handling of complaints and requests for erasure, correction, and opt-outs

Make Appropriate Changes.
What steps can be taken to meet the new requirements?

Resource Planning.
What resources are necessary to transition to the GDPR?

Budget.
What additional costs may be incurred in compliance planning?

Team Approach.
Engage all key stakeholders in planning, including the legal, HR, finance, product/service development, and marketing functions.