Is Personal Data Now Risk? EU General Data Protection Regulation commentary - GDPR part 1

If you are in business you are processing data – so this applies to all of us. We have some time but clearly it would be a mistake to leave preparations until Easter 2018.

(May 2016: edited to include date of application)
(January 2017: edited to reflect draft E-Privacy Regulation)
(May 2018: edited to cover UK “data protection fee”)

Is Personal Data Now Risk? EU General Data Protection Regulation commentary - GDPR part 1

‘Personal Data is now risk’. ‘Simpler and cheaper for companies to do business in the EU…estimated to save €2.3 billion per year’. Both great headlines. But probably neither telling the whole story. The EU’s long-awaited General Data Protection regulation (“GDPR”) will be making some fairly significant changes to the legal framework – but deserves a more measured look at what will really change in practice.

If you are in business you are processing data – so this applies to all of us.

First of all, this new legislation is due to enter into effect in May 2018. So, yes, we have time but clearly it would be a mistake to leave preparations until the Easter before.

And it’s a Regulation, not a Directive. Directives (essentially) need each EU Member State to pass implementing legislation which gives them some leeway over the ways of achieving the stated goals. Regulations become law and don’t need implementing legislation. So the result should be a more uniform legal framework across the entire EU (but see below).

Eden Legal looked at the proposed text back in June 2014 and found there were some positive and some more burdensome parts. So what really has changed?

1. Remember the “right to be forgotten”?

The “right to be forgotten” under the current law is a misnomer really, but important principally for search engines that have to remove certain outdated links.

Will we now have a real right to be forgotten? Under the GDPR, when a data subject asks then generally their data must be erased. So this will now expressly apply to all data controllers, not just search engines. To Eden Legal this seems in reality just an extension of the “right of cancellation” which exists today and which allows data subjects to stop us from continuing to process their data. The new regulation goes further in that if data has been made public then we need to take reasonable steps to inform other controllers of the request. So this gives the data subject a single point of contract and we would then need to inform Google and others that they should stop linking to or duplicating the data. There are some exceptions to this e.g. for freedom of expression (so public figures can’t force us to delete unpalatable news or views) and other legal, public interest, scientific, historical or statistical purposes, but also “for the establishment, exercise or defence of legal claims”. If you were a social network and asked Eden Legal’s advice, we might be tempted to say it could be prudent to keep everything for years in case of a future copyright, defamation or other legal claim where the data might be used in evidence…

2. Security breach? You know what to do…

Up to now, providers of a public communications service (essentially providers of electronic messaging services) were under a specific legal obligation to notify their local data protection authority within 24 hours of detecting a security breach, and then also customers if the breach could adversely affect their privacy or data. The new GDPR will oblige any data controller to notify the supervisory authority of serious data breaches within 72 hours. Processors must also notify controllers of breaches they become aware of. Controllers must also communicate high risk breaches to data subjects.

Rather than prescriptive regulations regarding security, a duty to disclose security breaches publicly may actually constitute a greater incentive to take better care of data. At least there will be little room for doubt regarding what to do when a breach occurs.

3. Notifications are dead… long live the impact assessment

The GDPR notes that having to notify various data protection authorities that you were processing data “did not in all cases contribute to improving the protection of personal data”. No kidding. Apart from having to report the blatantly obvious (or to work through exemptions of varying complexity and coherence) this may in fact have caused businesses either to believe that with a notification all their data protection work was done, or simply to ignore the entire system due to the perceived costs and burdens of doing even that.

So it’s good to see notifications go. However, there being no such thing as a free lunch, some of us will need to carry out data protection impact assessments and submit them to the local supervisory body for consideration. This will be when processing, particularly if using “new technologies” is “likely to result in a high risk for the rights and freedoms of individuals”. We infer that this should really apply only in exceptional cases but the language here seems to introduce an unfortunate degree of uncertainty. A few examples are given where an impact assessment is needed every time: systematic and extensive evaluation of personal aspects on which decisions with legal effects will be based (credit reference scoring comes to mind), bulk processing of sensitive or criminal records data, or surveillance of a large public area. The GDPR obliges national supervisory bodies to list what must be subject to an impact assessment and permits them to list what won’t be. Although these will be considered under the consistency mechanism, designed to avoid wide discrepancies between Member States, already the “one continent, one law” principle seems undermined and it seems hard to justify legally why this should be left to each Member State to decide. Given the uncertainly, more than usual care may be required until we have the national black (and white) lists, any guidance from supervisory bodies, and case law on where the borderline may lie.

UPDATE May 2018: In the UK, the data controller registration will go – but in its place comes a “data protection fee” that requires data controllers to… yes… register. The amount of the charges is fairly similar, there are similar exemptions as before, and we won’t be asked to give information about what we do with our data. Also, if we are already registered then this will only apply when we need to renew. See the 2018 regulations here.

Now read part 2 of this Article, in which Eden Legal discusses non-EU data controllers, data protection by design and by default, and processing children’s data.

We were probably never going to be 100% happy with the way the GDPR turned out, but it’s what we have and as always Eden Legal will be advising on how best to prepare and comply with the new rules.