Processing data in the EU: A business perspective on recent legal developments

03 April 2016

Edwin Jacobs

For the past six months there have been quite a few ground-breaking developments in the EU’s legal domain of personal data processing. We are referring first and foremost to the General Data Protection Regulation, a new European legal instrument that will be the main tool in the legal arsenal for the protection of personal data. Secondly, in the aftermath of the Schrems-judgement in October last year, the European Union and the United States intensified their work towards a suitable replacement for the Safe Harbour regime, a legal arrangement for transferring personal data from the EU to the US. In February this year these efforts culminated in an “EU-US Privacy Shield”. These developments will have a significant impact on how businesses are allowed to process personal data.

In the short run: compliance in every country still required

The compromise text of the General Data Protection Regulation (commonly abbreviated as “GDPR”) was agreed upon in December 2015. At the moment of writing this article the final version has not yet been voted on or published in the Official Journal of the European Union. The general expectation is, however, that publication takes place in the first half of this year. But even once the GDPR is published, it will still be two years before the new regime really kicks in. Hence, in the short run our current patchwork of national data protection laws will remain in full force. Although the GDPR’s practical relevance is still some time away, it is worthwhile for an organization to be aware of the changes it brings already now. Some of the changes are quite profound and may require organizational or technical initiatives which take time to roll out.

A preliminary assessment of the GDPR

A broadened territorial scope
The GDPR deals more directly with the inherent borderless nature of online services and expands the scope of EU data protection law significantly. If an organization offers (free or paid) goods or services to individuals within the EU and that offering implies the processing of those individuals’ personal data, the GDPR will apply. The same goes for monitoring behavior of individuals in the EU. In those two circumstances it no longer matters if that organization has an establishment in the EU or whether it uses equipment located in the EU.
If the organization, whether it is a controller or a processor, is not established in the European Union, it will have to designate a representative. This representative serves as a sort of single point of contact for the national data protection authorities and for individuals with respect to all matters related to personal data processing. The legal responsibility for compliance remains with the controller or the processor.

Processors are dealt with more prominently
In the current regime many organizations attempt (rightly or wrongly) to qualify themselves as processors so as to escape the many responsibilities that are placed on controllers by the EU Data Protection Directive (95/46/EC). The GDPR is less lenient towards processors and deals with them far more explicitly. Processors still have to provide sufficient guarantees pertaining to the safety of the personal data processed, but must now also warrant that the processing will meet the requirements of the GDPR. The guarantees to be offered by the processor are thus expanded significantly and the processor himself must be well aware of the applicable data protection rules.

No more prior notifications, however…
The general system of having to notify the processing of personal data to a data protection authority is abandoned in the new GDPR. It was considered an ineffective and unnecessary administrative burden, with which compliance was generally quite low. However, a new system will take its place, albeit in a more focused fashion. For certain high-risk processing activities, an organization qualifying as controller has to perform a data protection impact assessment and may even need to consult with the data protection authority. In some instances (e.g. where the core activities of the organization imply processing on a large scale requiring monitoring of individuals) controllers and processors must appoint a data protection officer, a requirement that already exists in some Member States. The drafting of Codes of Conduct will be promoted.

Far more stringent security requirements
Where security of personal data was already part of the current regime, the GDPR provides for quite a few more detailed requirements in this respect. Moreover, whenever an organisation acting as a controller is faced with a data breach, it will now have to notify said breach to the competent supervisory authority not later than 72 hours after becoming aware of it. Only if it can show that the data breach is unlikely to result in a risk to the rights of individuals will the notification not be mandatory. In some instances, even notification of the individuals themselves may be required.

Transfer to third countries: a stronger legal basis for contractual instruments
Transfers of personal data to third countries will in principle still have to be limited to countries that offer an adequate level of protection, as confirmed by a Commission adequacy decision. However, there are now more alternatives foreseen than there were in the current Directive. Instruments such as binding corporate rules and standard data protection clauses, drafted and approved in accordance with the GDPR, are now full-blown legal alternatives for the European Commission’s adequacy decisions. With respect to transfers to the US, we refer to the section on the EU-US Privacy Shield below.

Enforcement

Last but not least, the national supervisory authorities are given more powers in the GDPR to ensure compliance. Not all Member States had data protection authorities that could impose fines and really had the power to enforce compliance with data protection law. No more so under the future system. Each supervisory authority shall have a full set of enforcement tools at its disposal, ranging from issuing warnings to imposing fines or banning data processing activities. Note that penalties for non-compliance with the rules of the GDPR are far more severe as well.

Transferring data to the US – the EU-US Privacy Shield

Legal vacuum after Safe Harbor
The invalidation of the Safe Harbor regime created a legal vacuum that resulted in a lot of legal uncertainty regarding the legal basis for transferring data to the United States. This uncertainty was partially met by the Article 29 Working Party, the European body that consists of representatives of the national Data Protection Authorities. About a week after the Schrems-judgement the Article 29 Working Party released a statement that they would still allow data transfers to the US insofar as these were based on contractual measures and not on the invalidated Safe Harbor regime. They did imply, however, that these contractual tools would be called into question as well if no adequate replacement for Safe Harbor was found in short order. Meanwhile the European Commission has found a compromise with its counterparts from the United States. The content of the newly proposed regime was made public on the 29th of February 2016. There are quite a few new elements which have direct implications for the organizations that intend to rely on the new system for their intercontinental data transfers.

Self-certification remains the regime’s keystone
A first observation is that the new regime will once again rely on self-certification: organizations can choose themselves whether or not they want to join the EU-US Privacy Shield. If they do, however, they subject themselves to a range of compulsory measures which can be enforced by the competent authorities in the United States (Department of Commerce and the Federal Trade Commission) and the European Union (mainly the national data protection authorities). The certification will have to be renewed every year. Failure to renew the certification may lead to the organization being taken off the list. If indeed the organization has been taken off, all references to the EU-US Privacy Shield must be removed from all public statements. Non-compliance with this requirement may lead to the organization’s coming into the crosshairs of the Federal Trade Commission, who may treat it as unfair or deceptive practice. If an organization self-certifies, it must include a hyperlink in its online privacy policy to the website of the EU-US Privacy Shield list of self-certified organizations.

Adherence to principles
A second observation is that the regime is once again principles-based. Organizations submitting themselves to the EU-US Privacy Shield need to comply with seven principles. These principles embody to a large extent the main ideas behind EU data protection law. For example, organizations will have to inform European data subjects in detail about their processing activities, personal data processed will need to be kept safe, processing must be limited to the purposes for which the data were collected, and data subjects will enjoy a right to access, correction and deletion. For certain types of data there are supplemental principles to be followed (see Annex 2 of the draft Commission implementing decision).

Stronger enforcement, effective redress
A third observation has to do with the strengthened enforcement and redress mechanisms. While submitting to the new regime is voluntary, compliance with the principles and rules after submission is not. The Department of Commerce will have the authority to monitor, inter alia, false compliance claims, while the Federal Trade Commission will deal with enforcement as indicated above. Moreover, each organization will be required to assign a single point of contact and must have an effective redress system in place to deal with individuals’ complaints. Within 45 days of receipt of a complaint, the organization must give an answer. The organizations are also required to designate an independent dispute resolution body which will handle disputes between the individual and the organization. The final means of recourse in case of a dispute will be binding arbitration by the Privacy Shield Panel, which may impose monetary remedies.

The author, Edwin Jacobs, is attorney / partner at Timelex in Brussels.