Four years in the making, the European Union’s General Data Protection Regulation (GDPR) obtained its final legislative approval on April 14, and the final text was published in the Official Journal yesterday. It will be enforced after a two-year transition, beginning on May 25, 2018, replacing the national laws and regulations based on the venerable 1995 EU Data Protection Directive and reaching companies that target EU consumers from outside the EU.
While the GDPR largely retains the principles and terminology of the 1995 Directive, it also adds some new principles with uncertain consequences, such as a stricter concept of consent, a requirement for data portability, and a “right to be forgotten.” At the same time, if offers hope for a greater level of uniformity across Europe, which multinational enterprises may welcome, as well as relief from registration burdens that have persisted in many countries (although this is offset by a new obligation to notify security breaches).
Companies should be looking ahead to the new compliance landscape in their product design, operational planning, privacy policies, security systems, and contracts beginning … well, now.
Why a Regulation?
Since 1995, Europeans have been covered by national (and in some countries state or provincial) comprehensive information privacy laws governing the private sector that are based on a European Union “framework directive,” Directive 95/46/EC (the “Data Protection Directive”), supplemented by Directive 2002/58/EC (the “ePrivacy Directive”) in the field of electronic communications. In January 2012, the European Commission proposed reforming the legal structure for privacy protection in Europe to address several issues:
• eliminating inconsistencies in national laws;
• raising the bar to provide better privacy protection for individuals;
• updating the law to better address contemporary privacy challenges, such as those posed by the Internet, social media, mobile apps, cloud computing, “big data,” and behavioral marketing, that were in their infancy when the Data Protection Directive was drafted;
• reducing costly administrative burdens for companies dealing with multiple data protection authorities.
The Commission proposed replacing the 1995 Directive with a General Data Protection Regulation (GDPR). Ultimately, the European Council and Parliament agreed, after extensive dialogue over the precise content of the GDPR and an accompanying debate over a separate directive that will govern international police and judicial cooperation in criminal matters, as part of the reform package.
As a regulation, the GDPR will have direct legal effect throughout the EU, enforced by national data protection authorities and courts, without requiring transposition into national legislation (a process that took years in the case of the 1995 Directive and produced mixed results). EU regulations are used in several other areas, such as approvals for pharmaceutical products, health and safety standards for consumer goods, and rules for competition (antitrust) law. EU regulations promise greater uniformity in standards and interpretations than a framework directive can produce, which is generally viewed as a benefit for companies doing business in multiple European countries.
Coordination and Consistency
Under the Directive, there has been a certain level of coordination in interpretation and enforcement. Apart from informal contacts among authorities, there has been a succession of non-binding opinions issued by the “Article 29 Data Protection Working Party,” an advisory committee comprised of representatives of the national supervisory authorities (commonly termed “data protection authorities” or DPAs), along with the European Data Protection Supervisor appointed by the European Commission. Under the Regulation, that group will become a more independent and powerful regulatory body called the European Data Protection Board, tasked with ensuring “the consistent application” of the GDPR. An entire chapter of the Regulation (Articles 55-63) is devoted to cooperation and consistency, with procedures for multiple DPAs to coordinate investigations and promulgate consistent decisions and policies reviewed by the Board and reported to the European Commission.
One feature of coordination that should be helpful for multinationals is a provision for companies to work with a “lead supervisory authority” in the country where the company has its “central administration.” That authority will then coordinate with the authorities in other countries where the company operates, attempting to achieve consensus on issues that affect all of them.
Personally Identifiable Data
The Regulation to some extent clarifies and possibly expands the sometimes vague concept of personally identifiable information, defining a “data subject” as a natural person who can be identified “by means reasonably likely to be used by the controller or by any other natural or legal person,” including by reference to “an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person” (Art. 4(1)). Adding location data and online identifiers to the existing language of the Directive makes it more likely that the Regulation will capture various forms of identifiers used in mobile devices and apps, advertising networks, and website analytics.
A possible concern for companies outside the EU is the expanded scope of jurisdiction under the GDPR. Under current laws (based on Article 4 of the 1995 Directive), a company without a legal establishment in an EU country is not subject to its data protection law, unless the company makes use of equipment located in the country to process the data. Thus, there is generally no jurisdiction without employees or servers on the ground.
That changes when the GDPR comes into force: the Regulation applies to processing outside the EU that relates to the offering of goods or services to data subjects (individuals) in the EU or the monitoring of their behavior. Thus, the operators of US-hosted commercial websites or mobile apps may find themselves directly subject to the Regulation, along with a wide array of US-based service providers who support European retailers.
It is questionable whether European supervisory authorities or consumers would actually try to sue US-based operators over violations of the Regulation. But the expansive jurisdictional scope of the Regulation may pose challenges for US companies making contractual representations and warranties about compliance with “all applicable laws,” and it is entirely possible that DPAs or courts may demand that European clients stop dealing with US vendors that do not comply with the Regulation.
The Directive requires organizations outside the EU to designate an agent in the EU if they use equipment in the EU to process personal data. The Regulation recognizes that this will be a more common issue with the expanded scope of jurisdiction. Article 25 provides that controllers outside the EU selling to consumers in the EU, or profiling them, must designate a “representative” in the EU, presumably to respond to privacy-related inquiries and complaints from DPAs or individuals, although the Regulation does not detail the representative’s responsibilities. But Article 25 exempts controllers in countries (such as Canada) deemed to provide an adequate level of legal protection, or employing fewer than 250 persons, and those that “only occasionally” offer goods or services to EU residents.
Stricter Conditions for Consent
Like the Directive, the Regulation requires a lawful basis for processing, most commonly the consent of the individual data subject. But the Regulation is much more insistent on acceptable conditions for establishing consent, which is defined as a “freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
Article 9 carries over from the Directive the concept of “special categories” of especially sensitive data concerning race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life. These generally require express consent or a legal obligation in order to collect or process the data, and they require heightened security and attention to data storage limits. The Regulation adds genetic and biometric data to the categories of sensitive data.
The existing Directive does not expressly address the privacy of children, and there are no national laws in Europe similar to the Children’s Online Privacy Protection Act (COPPA) in the United States. By contrast, the new Regulation has provisions on protecting the privacy of children (Article 8).
The age threshold for parental consent was much debated and kept changing right to the end of the legislative process. It was finally set at 16 by default, but Member States are allowed to lower it to 13, the age used in the US under COPPA. The national variation in threshold ages could be a challenge for the operators of websites and mobile apps. Specifically, the consent of a parent or guardian is required to process personal data on a child under the threshold age when offering any “information services,” although this provision expressly does not change the age of legal consent under national law to enter into a contract. The Regulation contemplates that the European Commission may establish specific methods to obtain verifiable parental consent. The Commission is expected to look at FTC experience in the US to identify some practicable forms of parental consent.
Privacy Policies and Communications
The Regulation (Article 11) requires “transparent and easily accessible policies” and communications in “clear and plain language” adapted to the data subjects, including any information addressed to children (defined in the Regulation as persons under 18 years of age). Where the controller uses automated means, it must provide for data subjects to submit choices, requests, and complaints electronically. If the controller makes requested corrections or deletions, it must also communicate those to any third-party recipients of the data, if feasible.
The Right to be Forgotten
The Directive includes a right to request access and corrections and to object to further processing of personal data in special cases. The Regulation goes farther with “rights to be forgotten and to erasure” as well as to rectification (Article 17). This entails the right to have the controller erase data and take reasonable steps to inform third parties to erase data and links where the data are no longer necessary for the original or lawful purpose, or the data subject has withdrawn consent, or the announced storage period has expired, especially in cases where the data were collected while the data subject was a child (under age 18), as in California law.
There are numerous exceptions, and this right is supposed to be balanced against freedom of expression, public health interests, legal obligations, and historical and scientific research needs. The Commission may adopt more specific rules; until it does so, the “right to be forgotten” remains a large grey area, particular for social media.
Another area of uncertainty concerns the new “right to data portability” (Article 18), which is supposed to allow an individual data subject to demand a copy of personal information to transfer to a new service provider, if the data is available in a “structured and commonly used format.” Again, the Commission may adopt implementing measures, and this provision of the Regulation is likely to be meaningless until it does.
Direct Marketing and Profiling
The Directive already allows data subjects to opt out of direct marketing, and it requires transparency if there are automated decisions such as declining transactions based on risk scores. These provisions are expanded in the Regulation, in sections entitled “Right to object” and “Measures based on profiling” (Articles 19 and 20). The marketing opt-out must be “clearly distinguishable from other information.” Automated decisions must include safeguards such as an appeal to human intervention, and they cannot be based solely on the defined sensitive categories of personal data such as race and health.
Privacy by Design and by Default
The Regulation expresses the new principles that data controllers are responsible for designing and implementing mechanisms to protect personal data in conformance with the Regulation and ensuring that, by default, personal data are collected and used only as necessary for specific purposes, retained no longer than necessary, and not made available to an indefinite number of persons. Once again, the Commission is empowered to adopt measures putting meat on these bones.
Privacy Governance and Documentation
The Regulation does away with the requirements that now exist in many countries for some or all controllers to register their data processing activities with national or state data protection authorities. Instead, the Regulation obliges controllers, processors, and representatives to maintain documentation of specified aspects of personal information handling (Article 28), and to make that documentation available on request to the supervisory authorities. The Commission may adopt standard forms for the documentation.
Controllers are also obliged under the Regulation to conduct a “data protection impact assessment” where processing operations pose specific privacy risks (Article 33); high-risk operations require prior consultation or authorization from the supervisory authority (Article 34).
An organization must appoint a data protection officer (DPO) if it employs 250 or more persons or if its core activities require “regular and systematic monitoring of data subjects” (Articles 35-37). The DPO’s position, independence, and responsibilities are similar to those of DPOs under current German, Dutch, and French law.
Data Breach Notice and Documentation
The Directive does not expressly require notice of data breaches. The Regulation addresses both notice to the authorities and notice to the affected individuals. Article 31 requires notice of any personal data breach to the supervisory authority within 24 hours, followed by notice to the individuals of personal data breaches “likely to adversely affect the personal data or privacy of the data subject,” unless the controller satisfies the authority that the data were rendered unintelligible (such as by encryption). The Regulation also requires fairly extensive documentation of security incidents.
The Directive speaks generally of the requirement for appropriate technical and organizational measures to safeguard personal data. The Regulation goes beyond this, not only by requiring notice and documentation of security breaches, but also referring to a risk evaluation and the Commission’s authority to adopt specific security requirements (Article 30).
Codes of Conduct and Certifications
The Regulation encourages industry associations to draw up data protection codes of conduct and seek national or EU-wide certification (Article 39). This may be a promising avenue, as it has been in the US, in areas such as online advertising, market research, clinical trials, and children’s entertainment.
International Data Transfers
The Regulation preserves the legal mechanisms accepted under the Directive for transferring personal data outside the EU/EEA: “adequacy determinations” by the Commission, approved binding corporate rules, standard contract clauses (“model contracts”), and other derogations such as informed consent, performance of contract, and legal claims (Articles 40-45).
This is an an area in flux, as the EU considers a new EU-US “Privacy Shield” program in the wake of the European Court of Justice ruling in the Schrems case, but for now most companies continue to use model contracts to move data to the US, India, China, and other countries that do not benefit from an EU adequacy decision.
Like the Directive, the Regulation contemplates enforcement both through the supervisory authorities and the courts, with penal and administrative sanctions as well as civil remedies. But the Regulation ups the ante for administrative penalties, which can be as high as EUR 20 million or 4% of the annual revenues of an enterprise in certain cases (Article 79).
National supervisory authorities are already reviewing changes in administrative and investigative procedures that the Regulation will compel. Inevitably, some will be more proactive than others in exercising their new powers.
The ePrivacy Directive, including the 2009 amendments that produced the so-called “Cookies Rules,” is not superseded by the Regulation. The Commission is currently studying whether changes will be required, but for now companies should anticipate continuing compliance with the requirements that vary from country to country on displaying pop-ups with notices, links to privacy policies, or opt-ins to accept cookies, GIFs, and other software objects on websites.
There’ll Always Be an England
For a variety of historical reasons, US companies have been more inclined to locate their European central administrative offices in the UK than anywhere else in Europe. The UK Office of the Information Commissioner has a reputation for efficiency and practicality. This works to the advantage of companies that will be able to rely on OIC as the “lead supervisory authority” under the Regulation – assuming that UK voters decide next month to remain in the EU. If they do not, US companies will have to rely on subsidiaries or representatives elsewhere in the EU, while the UK negotiates a bilateral arrangement with the EU that may eventually result in the UK becoming subject to the substantive provisions of the Regulation in any event.
Impact of the Regulation Outside the EU
Under the European Economic Area (EEA) Agreement, the Regulation applies throughout the EEA as well as in the 28 Member States of the EU. Thus, the three EEA countries not in the EU – Norway, Iceland, and Liechtenstein – will become subject to the Regulation at the same time as the EU countries.
Other nations that have adopted laws closely modeled on the 1995 EU Data Protection Directive, including Switzerland and Israel, are likely to consider amendments tracking some of the changes reflected in the Regulation. Eventually, they may be required to do so, to maintain their current EU adequacy decisions, but the EU is not likely to insist on that for some years.
What to Do Now?
Two years may sound like plenty of time, but there is much to do for the many firms that will need to be in compliance by May 25, 2018, especially as such a large number of them have not previously been directly subject to EU privacy law. Here are some suggestions:
• Companies operating in Europe: Prepare for compliance. Follow the Brexit referendum and decide where you want to organize your central administration.
• Companies without a European establishment but selling to, or monitoring, European consumers: Prepare for compliance and find an EU representative, if applicable.
• Create or update documentation of your personal information handling and security practices, as well as security incident reporting and security breach notice procedures and templates for privacy impact assessments and risk evaluations. Good models are available.
• Review data protection compliance language in contracts that will be in effect in May 2018 and later.
• Consider conforming to internationally accepted security management standards (ISO 27001/27002), as these are more readily understood in Europe and will likely be referenced in the Commission’s implementing measures.
• Recruit or train an individual who can serve as the data protection officer, or identify an external resource who can serve that function.
• Review product and marketing plans for the European market for possible compliance issues.