- Out with the Old, In with the New: 6 Upcoming Changes to EU Data Protection Law Under the GDPR
- November 8, 2017 | Authors: Samuel D. Goldstick; Christine N. Czuprynski; Cody S. D. Wamsley
- Law Firms: McDonald Hopkins LLC - Bloomfield Hills Office; McDonald Hopkins LLC - Chicago Office
This is the second in a 3-part series examining the General Data Protection Regulation. The first article gave a high-level overview of the GDPR; stay tuned for future insight on what GDPR enforcement you can expect.
The much-anticipated General Data Protection Regulation (GDPR) will soon replace the current European Data Protection Directive 95/46/EC (the Directive), representing one of the most significant changes to EU data protection law in over two decades. Although the GDPR is similar in many respects to the Directive, there are several important changes to come under this new law that will undoubtedly have a significant impact on companies operating across the globe.
I. Rules Directly Applicable Across the EU: Directive vs. Regulation
The GDPR differs from its predecessor not only in substance but also in form. A regulation applies directly to EU member states and, as a formal matter, allows them little discretion in implementation. A directive, on the other hand, sets forth desired results and policies but depends upon member state implementation into national law. Consequently, the Directive required transposition into the national laws of each member state, resulting in 28 different interpretations of EU data protection law and, as such, a fragmented legal landscape in Europe.
As the GDPR is a regulation, and not a directive, it has immediate binding legal force and will create a unified data protection law that is directly applicable in all EU member states (as well as in Iceland, Liechtenstein and Norway, which are part of the European Economic Area), without the need for national implementing legislation. When the GDPR takes effect on May 25, 2018, it will automatically become part of each member state’s legal framework and should reduce—though probably not eliminate—the current patchwork of data protection laws across the EU.
II. Expanded Territorial Scope
Arguably, the biggest change to the regulatory landscape of data protection law comes with the extra-territorial reach of the GDPR.
Presently, the Directive applies only to businesses that collect and/or use personal data and are either established within the EU (such as by having an office, branch or agency located in a member state) or established outside the EU but using equipment within the EU to process personal data. EU jurisprudence deems "equipment" to include servers and employees (in some cases even a single representative), as well as more traditional forms of equipment. Thus, there would generally be no jurisdiction over a non-EU-established entity that did not utilize any means within the EU for processing personal data.
As compared to the Directive, the GDPR has a significantly broader territorial scope that applies not only to organizations established within the EU (regardless of whether such processing takes place in the EU), but also to organizations based outside the EU that process the personal data of EU data subjects in connection with either:
• The “offering of goods or services” to data subjects in the EU (irrespective of whether payment is required), or
• The “monitoring” of their behavior within the EU.
Under the first prong, determining whether a non-EU-established business offers goods or services to EU data subjects is based on the business’s intent (i.e., whether it “envisages” offering goods or services to a data subject). The GDPR explains that having a commerce-oriented website that is accessible to EU residents does not by itself constitute offering goods or services. However, the existence of certain factors could indicate a non-EU company's intention to attract EU residents as customers and, as a result, bring it within the scope of the GDPR. Such factors include:
• Marketing goods or services in the same language generally used in an EU member state.
• Listing prices in EU member states' currencies (e.g., the euro, British pound and Swiss franc) and enabling EU residents to place orders using such currencies.
• Referencing EU users or customers in its publications or online.
Even if a business concludes that its activities do not satisfy the first prong of this analysis, it still must consider whether it engages in the “monitoring of behavior,” i.e., the practice of tracking individuals online to create profiles and analyze or predict personal preferences, behaviors and attitudes. Moreover, all websites that use tracking cookies and applications that track online usage will be subject to the GDPR to the extent that the information collected, in the aggregate, renders an individual identifiable. In practice, this means that a company located outside the EU that targets or profiles consumers in the EU, such as an ad tech or social media company, will likely be subject to the GDPR. This is a huge shift from the existing Directive.
Obligation to appoint a representative
Non-EU-established organizations that are caught by the GDPR’s long-arm jurisdictional reach based on their processing activities with regard to residents of an EU member state will be obligated to appoint a representative to act on their behalf in that member state, unless the processing:
• Is occasional.
• Does not include large scale processing of sensitive personal data (such as racial origin, health/genetic data, religious beliefs, etc.).
• Is unlikely to result in a risk to the rights and freedoms of data subjects.
The primary role of this representative is to liaise with the relevant supervisory authorities.
III. Direct Liability Imposed on Data Processors
As discussed in the first alert in this series, EU privacy law differentiates between data controllers and data processors.
Under the existing Directive, a data controller would often impose data protection responsibilities and obligations onto the data processor within the parties’ service contract to protect itself against unnecessary data protection compliance risk. In doing so, the data processor would be contractually liable to the data controller but would not be subject to direct enforcement or penalties from a data protection regulator.
In contrast, the GDPR imposes direct statutory obligations on data processors. These obligations mean that data processors may be subject to direct enforcement by supervisory authorities, serious fines for non-compliance and compensation claims by data subjects for any damage caused by breaching specific provisions of the GDPR. Some of the main obligations imposed on data processors by the GDPR include the following:
• Appointing a representative in the EU if not established in the EU.
• Ensuring certain minimum clauses in contracts with data controllers and complying with the mandatory requirements with regard to the content of the Processing Agreement entered into with each data controller.
• Keeping a written record of processing activities carried out on behalf of each controller.
• Cooperating, on request, with the supervisory authority in the performance of its tasks.
• Notifying the data controller without undue delay after becoming aware of a data breach.
• Designating a data protection officer (DPO) in specified circumstances.
• Obtaining prior written authorization from the data controller before subcontracting out any data processing.
IV. Data Breach Notifications
At present, the Directive does not require member states to impose data breach notification obligations. When the GDPR comes into force, however, it will drastically change the current status quo of data breach reporting in the EU.
Notably, the GDPR will impose a widespread mandatory breach notification obligation on all organizations subject to its provisions with respect to providing notice of a personal data breach to the relevant supervisory authority and, in some cases to the individuals affected, within a very short timeframe following discovery of the breach.
Under the GDPR, a personal data breach is broadly defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The breach notification requirements take different forms depending on whether the company is acting as a “data controller” or a “data processor.” These scenarios and related obligations are discussed more fully below.
Obligation for data processors to notify data controllers
In the event that a processor becomes aware of a data breach, it must notify the controller of such breach without undue delay. Beyond this, the processor has no other notification or reporting obligation with respect to a personal data breach under the GDPR.
Obligation for data controllers to notify supervisory authorities
Data controllers must notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk for the rights and freedoms of individuals.
Although the risk of harm exception affords some discretion to controllers for assessing whether or not a breach must be reported, it should be interpreted narrowly. In order to use the exception, a controller must demonstrate – in accordance with the accountability principle – that the breach is unlikely to result in a risk to the rights and freedoms of individuals. For example, breaches that may cause damage to reputation or result in identity theft or fraud, discrimination, financial loss or exposure of personal data protected by professional privilege will likely need to be reported.
To the extent such an exception does not apply, the notification to the regulator must, at a minimum, describe:
1. The nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned.
2. The name and contact information of the organization’s DPO or other point of contact.
3. The likely consequences of the breach.
4. The measures taken or proposed to be taken to address the breach and mitigate its effects.
Controllers that notify more than 72 hours after discovering a breach will be required to provide a reasoned justification for the delay. Where it is not possible to provide all relevant information about a breach at once, information may be provided in phases without undue further delay. Controllers are also required to keep a record of – and document – any data breaches (whether or not they are notified to the supervisory authority) and to permit audits by the supervisory authority.