On May 25, 2018 the European Union (“EU”) General Data Protection Regulation (“GDPR”) will take effect, marking one of the most significant changes to European data privacy and security in over 20 years. Most multinational companies will be impacted by the GDPR and compliance will be an ongoing matter for anyone collecting and/or processing personal data in the EU and/or offering goods or services to EU citizens.
The GDPR is based on the fundamental principle of the protection of the human right to privacy, and is designed to harmonize EU member state legislation and to ensure that personal data can flow freely and securely around the EU (Recitals 3, 5 and 6).
What Are the Principles Contained in the GDPR?
The GDPR contains significantly greater protections for individuals than those currently in place under the EU Data Protection Directive (the “Directive”) and the associated national legislation. Its legal status as an EU Regulation is important: it has binding and direct effect within the EU and does not require national implementing legislation. Therefore, individuals have directly acquired rights – and remedies – in relation to the protection of their personal data. Personal data has a broad meaning under the GDPR, as under the old Directive, and encompasses “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4). Personal data, therefore, includes someone’s name, email address, national security number, bank details, health insurance number and other identifiers of a living individual.
The GDPR places a specific accountability obligation on the data controllers in relation to the processing of personal data that requires the controllers to be able to demonstrate compliance (see Article 5(2)) and, therefore, seeks to embed its protections in corporate governance and culture at the highest levels of an organization.
Under Article 5 of the GDPR, there are six fundamental principles that apply to the processing of personal data. These specify that personal data must (1) be processed lawfully, fairly and transparently in relation to the data subject (the “lawfulness, fairness and transparency” principle); (2) be collected for specific, explicit and legitimate purposes and not processed for further purposes (the “purpose limitation” principle); (3) be adequate, relevant and limited to what is necessary (the “data minimization” principle); (4) be accurate, kept up to date where necessary and deleted or corrected if inaccurate (the “accuracy” principle); (5) be kept in a form that permits identification of data subjects for no longer than is necessary (the “storage limitation” principle); and (6) be processed in a manner that ensures appropriate security and protection against unauthorized or unlawful processing (the “integrity and confidentiality” principle). There are also further obligations when sensitive personal data is processed, i.e., data that reveals information about individuals such as their racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data or data concerning sexual orientation or sex life.
The lawfulness, fairness and transparency principle is one of the most detailed aspects of the GDPR, as it sets forth, in Articles 6 and 7, the basis upon which personal data can be collected and processed and the conditions for obtaining consent. The changes to the consent rules are among the most radical under the GDPR and bear close scrutiny if consent is being relied upon to collect and process personal data. In some circumstances, such as the employer/employee relationship, consent can no longer be relied upon because the relationship involves a fundamental imbalance of power such that consent cannot be freely given.
As set out above, one of the key purposes of the GDPR is to afford individuals specific rights in relation to their personal data. Articles 12 to 23 of the GDPR set out those rights, which give the data subject the right to (1) transparency; (2) receive information about, and access to, their personal data; (3) rectification; (4) erasure (the right to be forgotten); (5) restriction of processing; (6) data portability; (7) object to processing; and (8) object to automated decision making.
A major change of the GDPR is the territorial scope of the new law. The Directive did not regulate businesses based outside the EU. However, under the GDPR, even if a US-based business has no employees or offices within the EU, the GDPR may still apply.
Under Article 3 of the GDPR (and Recitals 22-25), a non-EU established organization will be subject to the new law where it processes the personal data of EU citizens in connection with:
- Offering goods or services to individuals in the EU (including doing so free of charge); or
- “Monitoring” the behaviour of individuals in the EU.
Any non-EU organization will also be subject to the GDPR if the personal data of EU citizens is transferred to it.
The creation of a level playing field for businesses established inside and outside the EU through an expansion of territorial scope was a much publicized objective of the GDPR. Although Article 3 of the GDPR represents a significant expansion of the territorial reach of an EU Regulation, a global approach to the protection of individuals’ rights has been necessary for some time.
Offering Goods and Services to EU Citizens
The mere fact that a non-EU company’s website is accessible from within the EU will not mean that it necessarily offers goods and services under the GDPR such that it must comply with its requirements. For the organization to be subject to the GDPR’s terms, it must be clear that it intends to offer such goods or services to EU citizens. Recital 23 to the GDPR sets out that if an organization’s website provides an option to access the website in an EU Member State’s local language, to pay in the local currency, or specifically identifies EU customers, then this may make it apparent that the organization intends to offer goods and services to EU citizens. Therefore, a US company with an internet presence that targets sales or marketing to individual EU Member States may be subject to the Directive, is partially the subject of an Adequacy Decision. It is a mechanism jointly implemented by the European Commission and the U.S. which enables organizations to voluntarily adhere to a certification scheme and implement technical measures to protect personal data.
However, the Privacy Shield only provides partial comfort for the transfer of personal data to the U.S. It is only relevant for those organizations that have adopted it, and it does not provide all the protections necessary under the GDPR. Therefore, simply signing up to self-certification under the Privacy Shield will not be sufficient if personal data is transferred out of the EU to the U.S.
The GDPR also introduces regular reviews of Adequacy Decisions granted by the European Commission to non-EU jurisdictions (Article 45(4) and (5), and Recital 107 to Article 45 of the GDPR). The Privacy Shield will be reviewed annually, with the possibility that it may be found to offer insufficient protection under EU law as it develops under the new GDPR.
Therefore, using the other exceptions, and ensuring compliance with the GDPR, may be necessary.
Firstly, the use of standard contractual clauses or binding corporate rules (for intra-company transfers) will be the most appropriate way of effecting transfers from the EU to outside the EU. Essentially, these contractual arrangements will impose the requirements of the GDPR on the non-EU recipient of personal data.
Secondly, there are derogations from the prohibition on transfer contained in Article 49 of the GDPR. These can also be relied upon to transfer personal data outside the EU, to the U.S. for instance, if appropriate security measures and other measures for complying with the GDPR’s principles are guaranteed. For example, under Article 49 an organisation may seek to ensure that: (i) the data subject has explicitly consented to the proposed cross-border transfer of data; (ii) the transfer of data is necessary for the performance of a contract or the implementation of pre-contractual measures; (iii) the transfer is necessary for the establishment, exercise or defence of legal claims; or (iv) the transfer is necessary for important reasons of public interest. Further guidance on the use of derogations has been published by the Article 29 Working Party of EU Data Protection Authorities.
Enforcing the GDPR Outside the EU
Article 51 of the GDPR provides that each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of the Regulation, and under Article 78 all data subjects have the right to an effective judicial remedy against any legally binding decision of such a supervisory authority.
Under Article 27 of the GDPR, an overseas data controller or processor falling within its scope is required to designate a representative who is based in an EU Member State, who will act as the point of contact for the relevant supervisory authority and who is also subject to certain record-keeping requirements. Further, the recitals to Article 27 of the GDPR state that the designated representative could be subject to enforcement actions in case of non-compliance by the controller. However, the GDPR fails to specify in what circumstances the representative or the data controller may be subject to enforcement measures, merely stating that the designation of a representative is without prejudice to the liability of the controller.
However, the mechanism for overseas enforcement is currently unclear, and it is highly likely that litigation will ensue both within and outside the EU to clarify how individuals’ rights are to be protected.
It should also be remembered that the GDPR establishes a right to compensation for damage suffered as a result of an infringement, whether monetary loss or non-material damage (Article 82). Necessarily, this provision will lend itself to class actions and/or group actions by aggrieved individuals.
The GDPR is a lengthy and complex Regulation that sets down high level principles. There is plenty of scope for years of judicial and regulatory interpretation of its 99 Articles and 173 Recitals.
However, one thing is certain: the scope of the GDPR will touch all multinational organizations and will involve a change in the corporate approach to the collection, use and protection of personal data. Such regulatory changes can prove to be both an opportunity and a challenge.