Out-Law Guide | 05 Oct 2020 | 9:11 am
The entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018 brought about the biggest overhaul of EU data protection law in more than 20 years and represented an attempt by EU policy makers to ensure the law on the collection, use, sharing and protection of personal data was fit for the digital age.
The GDPR accompanies its cousin in law enforcement data protection matters, the Police and Criminal Justice Data Protection Directive, and, unlike that Directive or the previous Data Protection Directive of 1995, is directly applicable in all EU member states. It is also applicable to organisations based outside of the EU that nonetheless target services at individuals in the EU based on the processing of their personal data.
While the GDPR is designed to enhance individuals' data protection rights, the necessary corollary of stronger rights for data subjects is more onerous obligations for controllers, and, for the first time, processors.
In addition, the GDPR has introduced stronger potential sanctions for organisations that breach their obligations under the framework, as well as a new system of regulation. The 'one-stop-shop' regime is designed to account for the increasingly cross-border nature of business operations and allows companies to deal with just one supervisory authority of an EU member state.
There are a number of specific areas of data protection law that the GDPR has changed.
In addition to the GDPR being applicable to EU-based organisations, non-EU controllers and processors will be caught where the processing activities are related to the offering of goods or services to data subjects in the EU, or the monitoring of their behaviour.
The concept of 'personal data' has been clarified to cover any information related to identified or identifiable living individuals, and there are specific definitions for genetic data and biometric data. The GDPR also provides a definition for 'anonymous information' and the concept of 'pseudonymisation' – this being data that can no longer be attributed to a specific data subject without additional information that is held separately and secured.
Compared with pre-GDPR data processing, more information has to be provided to individuals about what personal data is being collected, for what purpose, for how long it will be kept, to whom it will be disclosed and to where it is being transferred.
In another first for EU data protection law, processors are subject to statutory requirements in addition to those they face under contract.
The statutory obligations are wide-ranging but include a duty to implement appropriate security measures when processing personal data on behalf of a controller, as well as to follow the instructions of the controller and ensure the reliability of its staff involved in processing the personal data. In addition, they have an express obligation to notify the controller of personal data breaches.
Processors may also be exposed to claims for financial damage or distress by individuals affected by a personal data breach, as those individuals are free to sue any organisation involved in the supply chain. This could lead to the pursuit of the organisation that is perceived to have the deepest pockets; the Regulation leaves it open to the contracting businesses to remedy the position between themselves in the event that claims are successful.
Minimum mandatory contractual provisions for data processing clauses and contracts are set out in the GDPR. The Regulation requires that prescriptive obligations be included in data processing clauses, and that those requirements flow down to any sub-contractors used by processors. This raises potential tensions in the context of cloud computing, where some service providers may have difficulty agreeing to flow-down requirements.
Among the new rights introduced for data subjects under the GDPR is the so-called 'right to be forgotten'. This builds on the previous right to erasure, which enabled individuals to request that a controller delete personal data that has been or is being processed in contravention of data protection laws. An individual can now request that their personal data be deleted in specified circumstances and, where the personal data has been made public, that other controllers processing the personal data also erase any links to, or copies or replications of, such personal data.
The right to data portability is a new right which entitles a data subject to obtain from the controller a copy of their data in a structured, commonly used and machine-readable format. The data subject can also request that the personal data be sent directly to another controller, where technically feasible.
A general, mandatory system for notification of personal data breaches is also provided for the first time in EU data protection law under the GDPR.
Under the GDPR, controllers must notify their supervisory authority of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
In addition, where there is a high risk of damage arising to data subjects, the data subjects must be informed directly without undue delay.
A processor has to notify controllers it contracts with of personal data breaches it identifies "without undue delay".
Restrictions on transferring personal data outside the European Economic Area (EEA) have been tightened, and infringements of the data export rules attract the highest tier of fines available under the GDPR.
The system of 'adequacy decisions' continues to apply. It enables the free flow of personal data to non-EEA jurisdictions that provide data protection safeguards essentially equivalent to those under the GDPR, including effective independent data protection supervision, effective and enforceable rights for individuals, and judicial redress. Other pre-existing mechanisms designed to underpin data transfers to non-EEA jurisdictions, such as standard contractual clauses and binding corporate rules, also remain available. New transfer mechanisms have been introduced, such as the use of approved codes of conduct and certification schemes, but self-assessment of adequacy by businesses is no longer available as a means of achieving compliance in the area of data transfers. However, the ruling of the Court of Justice of the EU (CJEU) in the so-called 'Schrems II' case invalidated the EU-US Privacy Shield as a framework businesses can rely on for EU-US data transfers.
There are stricter rules requiring controllers to put in place, and implement, policies and documented procedures which not only serve to ensure compliance with the GDPR but also to evidence that compliance.
Full documentation, record keeping and logging, for example, are important in helping organisations avoid formal enforcement action or reduce the level of fines they may face for infringement, such as by proving that proper consents for data processing were obtained where this is scrutinised by supervisory authorities.
Controllers are also obliged to implement "data protection by design and default", including data minimisation and security by default.
Public authorities and private companies whose core activities involve large-scale monitoring or large-scale processing of sensitive data or data on criminal convictions must appoint a data protection officer (DPO). Processors engaged by such controllers may also have to appoint DPOs.
A DPO must operate independently and must not take instructions from their employer.
Before commencing any processing likely to result in a high risk to individuals, such as profiling activities, controllers have to carry out a review of that envisaged processing to assess the privacy risks to individuals, and identify measures to address these risks and demonstrate the processing operation is compliant with the GDPR. This is called a data protection impact assessment (DPIA).
Where the DPIA indicates that the processing would be high risk, in the absence of measures by the controller to mitigate that risk, the controller will be required to consult with their supervisory authority before being able to process that personal data under the GDPR. The authority has the power to suspend or even ban the processing.
Each supervisory authority has published a list specifying the processing operations for which a DPIA is required, or which are exempt from a DPIA.
Administrative fines up to a maximum of €20 million or 4% of a business's worldwide annual turnover are possible under the GDPR.
The GDPR addresses administrative sanctions in two tiers. For infringements falling under the lower tier, the potential maximum administrative fine that can be issued is the greater of €10 million or 2% of a business's worldwide annual turnover of the preceding financial year. For infringements falling under the higher tier, the potential maximum administrative fine that can be issued is the greater of €20 million or 4% of a business's worldwide annual turnover of the preceding financial year.
In addition to administrative fines, the GDPR provides for a number of other powers available to supervisory authorities. The implementation of these powers is based on national laws.