The end of 2015 saw the conclusion of the negotiations surrounding the General Data Protection Regulation (GDPR), the European Regulation set to replace the Data Protection Directive (95/46/EU), which turned 20 years old in 2015.
The GDPR is expected to strengthen the rights of European data subjects and there are a number of ways that legislators have chosen to do this.
The definition of personal data has been extended to include Biometric and Genetic data but also to include any data which allows any living person to be identified, which covers Unique IDs (UID) such as those found in Cookies, Device IDs (such as IMEI number on a mobile device) and IP addresses.
There are many facets to the GDPR which are worthy of discussion in more depth than this article will go into now, but we will be looking at each of the sections in more detail through a series of additional articles in the coming weeks and months, as well as interactive discussions in the form of webcasts.
The GDPR covers the collection, processing, storage and transfer of personal data relating to any European citizen by any entity anywhere in the world. This means that even if an organisation doesn’t have offices in a European Member State but it has activities that relate to European citizens’ personal data then the GDPR applies. In other words, if an organisation offers goods or services to EU citizens or if it collects information about the behaviour of EU citizens (such as web site analytics or behavioural profiling for marketing purposes) – it is required to comply with the GDPR.
Consent requirements are more stringent now and organisations must obtain “explicit” consent for the collection and processing of all Personal data, whether sensitive or non-sensitive data.
Consent must be “unambiguous” that is to say it must be as a result of a specific action. Inactivity, such as not clicking “Accept” on a notice on a web site but continuing to use the web site, is not accepted as consent under the new rules.
Consent must also be informed, meaning the person who is consenting must be reasonably expected to understand what it is they are consenting to. As such, Privacy Policies and similar notices/contracts must be concise and in simple language that the average person will be able to understand.
The age of the person giving consent is also relevant and any child aged 13 years or under cannot consent to the processing of personal data and any child between the age of 13 and 16 should by default require consent to be given by a parent or legal guardian (although this is subject to change by Member States).
The “Right to be Forgotten” has also been formalized, as have individuals’ rights to deny or withdraw consent. More importantly, withdrawal or refusal of consent should not be detrimental to the individual – that is to say, consent must not be a tool of duress which, if an individual declines, prevents them access to a particular product or service.
Transparency is a key area of the GDPR which is closely tied to consent being “informed” and “unambiguous”.
Data Processors and Controllers
There are more complex sections of the GDPR covering issues such as Data Processors /Data Controllers, where their individual responsibilities lie and who is liable for non-compliance or breaches. In general, Controllers are still responsible for the actions of their Processors but there are specific cases where Processors are now also responsible, such as the transfer of data outside of the European Economic Area (EEA). Furthermore, Controllers now have the right to audit their Processors (to ensure they are doing as they say) and Processors must seek explicit approval to appoint sub-processors or transfer data outside of the EEA.
The Data Protection Authority (DPA) responsible for overseeing complaints and enforcement will be the DPA in the Controller’s main country of establishment in Europe. That DPA must work with other relevant authorities (such as the DPA for the country in which the data subject resides), and a decision should be agreed by all relevant authorities. In cases where there is disagreement between authorities, a new European Data Protection Board will hold ultimate power. This mechanism, often referred to as the “One-stop shop”, should begin to deal with the issue of organisations setting up their main establishment in countries where the DPA is considered to be more lenient and less likely to issue any significant enforcement penalty or decision.
The issue of Damages has also been addressed by the GDPR and data subjects have the right to claim for both material and immaterial damage. This means that a data subject will not need to prove any material loss in order for them to seek compensation from a Controller or Processor.
It is also worth mentioning that NGOs and other groups representing the interests of consumers and citizens are given the power to file complaints on behalf of citizens, as opposed to those data subjects impacted by a breach having to file individual complaints independently.
Penalties have been one of the hot topics of the development of the GDPR, with fines or penalties of up to 4% of global turnover from the previous year for most breaches (with a 2% cap for minor breaches). It is important to note that breaches relating to consent fall under this 4% penalty, which means that organisations will need to be much more serious when it comes to obtaining consent; otherwise the penalties could be significant.
Interpretation of the Rules
Of course, another related and important point is that the GDPR is a Regulation – not a Directive. This means that every Member State must implement the rules verbatim into their national laws, which should prevent any issues with regard to interpretation. One of the biggest problems with the previous Directive was that many aspects were interpreted in different ways by each Member State. This meant it was difficult to have any comprehensive action in the case of breaches, as one Member State might have a different interpretation of the rules from another Member State. Now we have one rule to rule them all, if you will excuse the obvious pun!
Why Transform Now
The GDPR is not expected to come into force before 2018, but organisations should start to prepare for these changes now, as a matter of urgency. As small and large organisations know, change requires significant time to implement – plan, build, test, deploy – and leaving this to the last minute could potentially put an organisation at risk of significant penalties and loss of consumer trust.
In general, the GDPR goes a long way towards the modernisation of the previous Directive, which was rapidly being outpaced by new and emerging processes and technologies that were not envisioned 20 years ago. The GDPR may not be perfect, and certainly there are many areas where it is lacking – for example, it does nothing to address the issues raised by the annulment of Safe Harbor last summer – but it does at least bring Data Protection law into the 21st Century and provides a foundation on which to build.
If you have any questions with regards to how your organisation can begin to prepare for the upcoming changes brought by the GDPR, particularly in relation to consent and digital analytics/profiling, please feel free to get in touch.