Member News

European General Data Protection Regulation

By AEM Carnelutti

The European General Data Protection Regulation 2016/679 (“GDPR”) is a European regulation on data protection and privacy.[1] The GDPR was enacted on April 27 and is going into effect on May 25, 2018, after a two-year transition period. It replaces the national privacy laws based on the venerable 1995 EU Data Protection Directive and reaches all companies processing EU consumers’ data. The GDPR creates a new privacy framework in European law that grants broad privacy rights to individual EU residents and requires covered companies to comply with specific privacy requirements within the May 25 deadline. This article will illustrate the main aspects of such new framework and what companies need to do for GDPR’s compliance.[2]

Scope of Application of the GDPR

Personal Data

The GDPR applies to the use and collection of “personal data”. Its definition is quite broad and includes any information linked to an individual such as a name, identification number, location data, an online identifier or data specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.[3]

Extra-territorial Application

The GDPR has an extra-territorial effect.[4] The regulation applies to all companies collecting or processing personal data of EU residents regardless where such companies are located or their collection or processing takes place. The GDPR, indeed, may catch controller or processor not established in the EU when their activities relate to: i) offering goods or services to EU citizens (irrespective of whether payment is required) or ii) the monitoring of conducts that take place within the European borders. The “offering goods or services” is more than mere access to a website or email address, but might be evidenced by use of language which refers to the possibility of ordering goods or services through the website or mentioning customers or users who are in EU. The “monitoring” activity occurs, for example, when individuals are tracked on the internet by techniques which apply a profile to enable decisions to be made, predict personal preferences, etc. Lastly, the GDPR also extends to non-European parent companies for the actions of their EU or non-European subsidiaries (as long as they are performing the activities described above within the European borders).

Targeted Companies

One of the main impactful aspects of the regulation is that it generally applies to both companies controlling or processing data. As these operations essentially embrace any conceivable operation related to data, the regulation, therefore, apply to any companies dealing with data or operations that could be performed with data, including simple data collectors.[5]

Compliance to GDPR’s obligations.

The GDPR imposes many obligations on a company to which the regulation is applicable. Some of these obligations, the majority of which are set out in Articles 28-37 of the GDPR, are a continuation of those established by the 1995 EU Directive, but others are either new or expanded.

Controllers

The main obligations of a controller are described below:

  • Processing of EU personal data: processing EU personal data may only be undertaken if the controller has at least one of the five lawful basis for that processing listed in Article 6 of the GDPR.[6] Where the controller cannot rely on any of the five legal bases set forth above, it will need to obtain the individual’s express consent that must be valid under the GDPR. To be valid, consent must be freely given, specific, informed and unambiguous.  Controllers intending to rely on consent will therefore need to make sure that they implement a mechanism that actually enables them to collect and monitor where consent is obtained as described above – freely, specifically, in an informed manner and unambiguously. As a consequence, any company will no longer be able to use long illegible terms and conditions full of “legalese”, rather intelligible and easily accessible form (with the purpose for data processing attached to that consent).[7]
  • Delegation to a processor: when a controller delegates a processor to process personal data on its behalf, the controller must use only processors that provide, by a binding written contract or other legal act, sufficient guarantees that they will comply with GDPR’s requirements. The same applies to sub-processors.[8]
  • Data Breach Notification: In the event of a data breach, the controller must notify the supervisory authority “without undue delay” and within 72 hours of discovering the breach, where feasible. A reasoned justification must be provided if this timeframe is not met. Additionally, if the data breach is likely to result in a “high risk to the rights and freedoms of natural persons,” the controller must notify the affected data subjects without undue delay, unless one of a number of exceptions is triggered.[9]
  • Record-keeping: controllers are expected to be accountable in relation to the processing of personal data. Consequently, they need to implement measures to document their compliance to GDPR, maintain records of all processing activities, including certain specified types of information, and make them available to the relevant supervisory authority upon request.[10]

Processors

Processors that fall within the scope of the GDPR must comply with a number of direct obligations, and particularly: i) implement appropriate technical and organizational measures to ensure adequate data security, “in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”; ii) must notify the controller “without undue delay” in the event of breach; iii) process personal data in accordance with instructions from the controller (if a processor acts outside the scope of its authority granted by the controller, it will be considered to be a controller and subject to controller obligations under the GDPR); and iv) if the processor has 250 or more employees, maintain a record of all categories of processing activity carried out on behalf of a controller; otherwise, keep such records only if it is undertaking processing that is likely to result in a risk to the rights and freedoms of data subjects, the processing is more than occasional, or the processing includes certain special categories of data relating to racial or ethnic origin, religious and other beliefs, sexual orientation, or criminal convictions and offenses.[11]

Data Protection Officer and Designated Representative

Data protection officer

A data protection officer (“DPO”) is an enterprise security leadership role provided by the GDPR. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. DPOs also serve as the point of contact between the company and any data protection authority (“DPA”) that oversees activities related to data at European or national level.[12]

The appointment of a DPO represents a significant cultural change in data protection management. It is important to know when a company is required to appoint a DPO. The GDPR requires processors and controllers to designate a DPO when: i) the processing of the data is carried out by a public authority or body, except for courts acting in their judicial capacity; ii) their core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; iii) they process special categories of data relating to criminal convictions and offences.

While the public sector is definitely covered by the first requirement, private sector companies should not be required to appoint a DPO. They normally do not engage in systematic monitoring as a core activity and, to the extent that they process special categories of data, they do so incidentally with regard to their business, typically in the ordinary course of personnel administration. A designated DPO’s legal status anyway applies regardless what is the nature – private of public – of the designating company. Even if a company decides to voluntarily appoint a DPO, the company must appoint a person who has “expert knowledge of data protection law and practices” on the basis of their “professional qualities”.[13] Secondly, the DPO role must be independent, avoid conflicts of interest and cannot receive instruction regarding the performance of their tasks. Also, the DPO has a protected employment status because once hired, it cannot be dismissed or sanctioned with regard to the performance of its tasks.[14]

Designated representative

When a controller is not established in the EU but is nonetheless subject to the GDPR, the controller in certain circumstances must designate a representative in a member state where the EU individuals whose personal data is being processed in connection to the offering of goods and services, or whose behavior is being monitored, are located.  This requirement does not apply when the processing is occasional or when the processing does not involve widespread processing of certain special categories of data, such as genetic and biometric data.[15]

Non-compliance

system of penalties has been established by the new regulation for privacy obligations’ breaches. Each member state’s data protection authority (“DPA”) is empowered by the GDPR to impose fines of up to the higher of 4% of annual worldwide turnover and Euro 20 million, or for other specified infringements would attract a fine of up to the higher of 2% of annual worldwide turnover and Euro 10 million. Administrative fines may, depending on the infringed provision of the GDPR, amount to a maximum of EUR 20 million, or, if this is a higher amount, 4% of the total worldwide annual turnover of an organization.[16] Such fines may be imposed on both the controller and the processor. For example, violating the basic principles for processing, including the conditions for obtaining valid consent as well as non-compliance with a DPA’s order may result in the highest fine of Euro 20 million or 4% of the total worldwide annual turnover. Besides the power to impose fines as described above, a DPA has the corrective power to issue warnings, reprimands and orders. When imposing an administrative fine, in addition to or instead of its other corrective powers, a DPA is also obliged to take into account the specifics of the case, and the exact amount of a fine, depends on (among others) the nature, gravity and duration as well as the intentional or negligent character of the breach.

Individual privacy right: “right to be forgotten”

One of the main ambitions behind the GDPR is creating a framework that acknowledges and protects some individual privacy rights. These include, for example, a right to require information about data being processed about themselves[17], access to the data in certain circumstances[18], and correction of data which is wrong.[19] There is also a right to restrict certain processing and a right to object to their personal data being processed for direct marketing purposes. Individuals can also ask to receive their personal data in a structured and commonly used format so that it can easily be transferred to another data controller (this is known as “data portability”).[20] One of the individual right that has received the most attention was the so-called “right to be forgotten”. The right to be forgotten entered the EU privacy framework through the European Court of Justice decision in the case Google v. Spain.[21] The ruling recognized the right of Europeans allowing Europeans to ask online search engines to erase information about themselves from search results when the information is “inaccurate, inadequate, irrelevant or excessive” or when their online availability of the information is no longer supported by a public interest. This right, now called “the right to erasure”, is a fundamental data subject right in the GDPR.[22] This allows individuals to require the data controller to erase their personal data without undue delay when i) they are no longer necessary in relation to the purposes for which they are collected or otherwise processed, ii) a data subject has withdrawn his or her consent, iii) a data subject objects to the processing of personal data concerning him or her, or iv) the processing of his or her personal data does not otherwise comply with the GDPR. Alongside an obligation to take reasonable steps to inform third parties that the data subject has requested erasure of his or her data (or links to), the data controller respond to these requests for information within a month, with a possibility to extend this period for particularly complex requests. Data controllers will therefore need to put in place clear processes to enable them to meet these obligations with regard to the right to be forgotten and other individual privacy rights set forth in the GDPR.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data available at https://eur-lex.europa.eu/legal content/EN/TXT/?uri=celex%3A32016R0679 (“GDPR”).
[2] Different national privacy laws have been applying in the European framework since 1995. These laws are based on a European Union “framework directive” Directive 95/46/EC (the “Data Protection Directive”), supplemented by Directive 2002/58/EC (the “ePrivacy Directive”) in the field of electronic communications. In January 2012, the European Commission proposed to reform the privacy protection framework in Europe eliminating inconsistencies in national laws and providing better privacy protection for individuals.
[3] Article 4, supra note 1. Under the GDPR, personal data is defined more broadly than it is in other countries such as the United States. U.S. data privacy laws, indeed, provide protection for Personally Identifiable Information (PII), which is defined somewhat more narrowly – PII must directly identify an individual, and therefore, a such information may definitely be a social security number, whereas IP addresses could not be considered so.
[4] Article 3, supra note 1.
[5] Article 4 of the GDPR uses broad definitions of data controllers and data processors as below: (7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For example, if Alfa sells widgets to consumers and uses Beta to email consumers on their behalf, then with regard to such email activity data, Alfa is the data controller, and Beta is the data processor. This distinction is important for compliance because the GDPR treats the data controller as the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling the right to access, etc.
[6] Permissible lawful bases are and include: (1) processing necessary for the performance of or entry into a contract with a particular data subject; (2) processing necessary for compliance with a legal obligation to which the controller is subject under EU or Member State law; (3) processing necessary to protect the “vital interests” of the data subject or of another natural person; (4) processing necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller; or (5) processing necessary for the purposes of legitimate interests pursued by the controller or third party, “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
[7] Article 7, supra note 1.
[8] The contract must specify the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data; the categories of data subjects; and the obligations and rights of the controller. In addition to requiring a contractual relationship between controllers and processors, the GDPR mandates a host of stipulations that must be included in such contracts (Article , ¶ 3 (a)–(h), GDPR).
[9] Article 34, supra note 1.
[10] Article 30, supra note 1.
[11] Article 28-34, supra note 1.
[12] As outlined in the GDPR Article 39, a DPO’s tasks include, but are not limited to, the following: i) educating the company and employees on important compliance requirements; ii) training staff involved in data processing; iii) conducting audits to ensure compliance and address potential issues proactively; iv) serving as the point of contact between the company and GDPR Supervisory Authorities; v) monitoring performance and providing advice on the impact of data protection efforts; vi) maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request; and vii) interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information.
[13] Article 37(5), supra note 1.
[14] Article 38, supra note 1.
[15] Article 3(2) and Article 27, supra note 1.
[16] Article 84, supra note 1.
[17] Article 13, supra note 1.
[18] Article 15, supra note 1.
[19] Article 16, supra note 1.
[20] Article 20, supra note 1.
[21] European Court of Justice, 13 May 2014, Case C‑131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, available at http://curia.europa.eu/juris/celex.jsf?celex=62012CJ0131&lang1=en&type=TXT&ancre=.
[22] Article 17, supra note 1.

Compliments of AEM Carnelutti, a member of the EACCNY