Is Personal Data Now Risk? EU General Data Protection Regulation commentary - GDPR part 1

If you are in business you are processing data – so this applies to all of us. We have some time but clearly it would be a mistake to leave preparations until Easter 2018.

(May 2016: edited to include date of application)
(January 2017: edited to reflect draft E-Privacy Regulation)
(May 2018: edited to cover UK “data protection fee”)

‘Personal Data is now risk’. ‘Simpler and cheaper for companies to do business in the EU…estimated to save €2.3 billion per year’. Both great headlines. But probably neither telling the whole story. The EU’s long-awaited General Data Protection Regulation (“GDPR”) will make some fairly significant changes to the legal framework, but it deserves a more measured look at what will really change in practice.

If you are in business you are processing data – so this applies to all of us.

First of all, this new legislation applies from 25 May 2018 (it entered into force in May 2016, with a two-year transition period). So, yes, we have time, but clearly it would be a mistake to leave preparations until the Easter before.

And it’s a Regulation, not a Directive. Directives (essentially) need each EU Member State to pass implementing legislation which gives them some leeway over the ways of achieving the stated goals. Regulations become law and don’t need implementing legislation. So the result should be a more uniform legal framework across the entire EU (but see below).

Eden Legal looked at the proposed text back in June 2014 and found there were some positive and some more burdensome parts. So what really has changed?

1. Remember the “right to be forgotten”?

The “right to be forgotten” under the current law is a misnomer really, but important principally for search engines that have to remove certain outdated links.

Will we now have a real right to be forgotten? Under the GDPR, when a data subject asks, then generally their data must be erased. So this will now expressly apply to all data controllers, not just search engines. To Eden Legal this seems in reality just an extension of the “right of cancellation” which exists today and which allows data subjects to stop us from continuing to process their data. The new Regulation goes further in that, if the data has been made public, then we need to take reasonable steps to inform other controllers of the request. So this gives the data subject a single point of contact, and we would then need to inform Google and others that they should stop linking to or duplicating the data. There are some exceptions to this, e.g. for freedom of expression (so public figures can’t force us to delete unpalatable news or views) and other legal, public interest, scientific, historical or statistical purposes, but also “for the establishment, exercise or defence of legal claims”. If you were a social network and asked Eden Legal’s advice, we might be tempted to say it could be prudent to keep everything for years in case of a future copyright, defamation or other legal claim where the data might be used in evidence…

2. Security breach? You know what to do…

Up to now, providers of a public communications service (essentially providers of electronic messaging services) were under a specific legal obligation to notify their local data protection authority within 24 hours of detecting a security breach, and then also customers if the breach could adversely affect their privacy or data. The new GDPR will oblige any data controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Processors must notify controllers without undue delay of breaches they become aware of. Controllers must also communicate breaches that are likely to result in a high risk to the data subjects concerned, again without undue delay.

Rather than prescriptive regulations regarding security, a duty to disclose security breaches to the regulator and, where the risk is high, to the individuals affected may actually constitute a greater incentive to take better care of data. Note that the 72-hour clock runs from the moment the controller becomes aware of the breach, so in practice the obligation rewards having detection capabilities and an incident response procedure (including a process for receiving notifications from processors) in place before anything happens. At least there will be little room for doubt regarding what to do when a breach occurs.

3. Notifications are dead… long live the impact assessment

The GDPR notes that having to notify various data protection authorities that you were processing data “did not in all cases contribute to improving the protection of personal data”. No kidding. Apart from having to report the blatantly obvious (or to work through exemptions of varying complexity and coherence) this may in fact have caused businesses either to believe that with a notification all their data protection work was done, or simply to ignore the entire system due to the perceived costs and burdens of doing even that.

So it’s good to see notifications go. However, there being no such thing as a free lunch, some of us will need to carry out data protection impact assessments and, where the assessment shows a high risk that cannot be mitigated, consult the local supervisory body before starting the processing. This will be when processing, particularly if using “new technologies”, is “likely to result in a high risk for the rights and freedoms of individuals”. We infer that this should really apply only in exceptional cases, but the language here seems to introduce an unfortunate degree of uncertainty. A few examples are given where an impact assessment is needed every time: systematic and extensive evaluation of personal aspects on which decisions with legal effects will be based (credit reference scoring comes to mind), bulk processing of sensitive or criminal records data, or surveillance of a large public area.

The GDPR obliges national supervisory bodies to list what must be subject to an impact assessment and permits them to list what won’t be. Although these will be considered under the consistency mechanism, designed to avoid wide discrepancies between Member States, already the “one continent, one law” principle seems undermined, and it seems hard to justify legally why this should be left to each Member State to decide. Given the uncertainty, more than usual care may be required until we have the national black (and white) lists, any guidance from supervisory bodies, and case law on where the borderline may lie.

UPDATE May 2018: In the UK, the data controller registration will go, but in its place comes a “data protection fee” that requires data controllers to… yes… register. The amount of the charges is fairly similar, there are similar exemptions as before, and we won’t be asked to give information about what we do with our data. Also, if we are already registered then this will only apply when we need to renew. See the Data Protection (Charges and Information) Regulations 2018.

Now read part 2 of this Article, in which Eden Legal discusses non-EU data controllers, data protection by design and by default, and processing children’s data.

We were probably never going to be 100% happy with the way the GDPR turned out, but it’s what we have and as always Eden Legal will be advising on how best to prepare and comply with the new rules.

  • EU International Data Transfers - new 2021 Standard Contractual Clauses

    The European Commission has issued a new set of standard contractual clauses (“SCCs”) to address new requirements under the GDPR, changes in the digital economy, but most importantly the European Court’s judgment in Schrems II requiring supplementary measures for some exports. The new SCCs are comprehensive and fill some gaps; but they require data importers and exporters to invest significantly in documenting how they will overcome local government surveillance laws.

  • Adtech Regulation under the EU’s draft Digital Services Act

    A lot has been made of the liability and transparency provisions of the EU’s proposed Digital Services Act.

    However, there are also a few advertising-specific obligations (proposed to be) coming for online platforms that deserve a closer look.

  • "Due diligence" obligations for EU online platforms

    The quickest-possible look at the EU’s draft Digital Services Act and proposed new obligations for intermediaries and online platforms.

    Eden Legal will return with additional posts on: (1) liability for illegal content; and (2) specific adtech-related obligations, under the proposed Regulation.

    #Lawinagraphic – minimum wordiness, maximum user-friendliness.

  • How will Artificial Intelligence Systems be regulated in the EU?

    The European Commission has put forward a proposed Regulation on a European Approach for Artificial Intelligence, also known as the “Artificial Intelligence Act”. It’s a proposal and before entering into application faces a likely lengthy path through the EU institutions which seems bound to produce a hefty amount of debate and amendments.

  • 2021 will be the Year of Smart Contracts

    Smart contracts are here. Eden Legal’s very initial, very personal thoughts on them.

  • GDPR EU/UK Representative - do we need one?

    Everything you need to know about appointing an EU and/or UK representative as required by the GDPR.

    Update 14 February 2021: under the EU Council’s agreed position on the future E-Privacy Regulation, providers of electronic communications services, providers of publicly available directories, senders of direct marketing over electronic communications services, and anyone using processing and storage capabilities or collecting information processed by or emitted by or stored in the end-users’ terminal equipment (i.e. adtech!) will also be required to appoint a representative in the EU and communicate it to the relevant national supervisory authority.

  • GDPR and Brexit - take us to the bridge

    The EU-UK Trade and Cooperation Agreement has avoided major changes to personal data flows between the EEA and UK at least until 30 April 2021. However, if we process data of individuals in both the EEA and the UK, then we face the prospect of complying with two similar but distinct regulatory regimes.

  • The ICO fines Marriott and BA for GDPR Breaches - 10 Takeaways

    If you’re handling personal data subject to EU (and/or UK) laws then you would do well to read the UK Information Commissioner’s (“ICO”) decisions to fine Marriott and BA for failures to have in place appropriate cyber-security measures. And this post for 10 more easily digestible takeaways.

  • EU Court invalidates Privacy Shield - what to do?

    The Court of Justice of the EU has struck down the EU Commission’s EU-U.S. Privacy Shield Framework decision, but in principle left in place the EU Commission’s Standard Contractual Clauses, which organisations can sign in order to impose EU-style data protection obligations on non-EU data importers. For now, where we used to rely on the Privacy Shield framework, the pragmatic approach may be to sign SCCs, but the story won’t end there.

  • How do we become certified under the EU-U.S. Privacy Shield?

    The EU-U.S. Privacy Shield framework may be an interesting tool to permit international transfers of personal data without any other permissions or contracts.

    UPDATE: The Privacy Shield framework remains in place and we can still apply to be certified, but on 16 July 2020, the EU Court of Justice decided that it could no longer be used to authorise transfers of personal data from the EU/EEA/UK to the USA, and other mechanisms need to be used.