The countdown has begun. The EU’s General Data Protection Regulation has finally been published and will start to apply from 25 May 2018. If you’re processing personal data (i.e., if you’re in business) it applies to you. Many will ignore it until (or beyond) the last minute. We’ll try to make it as user friendly and digestible as we can.
In Part 1 of this article we reviewed the (new) right to be forgotten, obligations to notify security breaches, and data protection impact assessments. In this Part 2, we look at the application of the new rules to non-EU based data controllers and processors, data protection by design and default, and processing of children’s data.
1. “European rules on European soil” – If we’re outside the EU will it affect us?
The Regulation will apply:
a) where the data processor or data controller is in the EU (so far so good); OR
b) the data processing takes place in the context of an establishment of the data processor or data controller in the EU, whether or not the processing itself takes place in the EU. (Processing “in the context of an establishment” has been retained from the current law. It seems vague, but we imagine deliberately so: as interpreted by the European Court, it was the critical factor in bringing Google Inc.’s data processing within the scope of EU law in the ‘Right to be Forgotten’ case, even though the search engine was operated from the US and the Spanish subsidiary only sold advertising); OR
c) if the processor or controller is not in the EU BUT the “data subjects” (the individuals whose data are processed) are in the EU AND the data processing relates to (i) offering them goods or services, whether or not they are asked to pay; OR (ii) monitoring their behaviour, as far as that behaviour takes place in the EU. We note that the rules apply when the data subjects are “in” the EU – so not necessarily just citizens or residents. On the other hand, a website merely being reachable from the EU is not in itself an offer of goods or services to people there: the recitals point to factors such as using an EU language or currency, or mentioning EU customers, as evidence that an offer is intended.
The Regulation is designed to permit data controllers with multiple EU presences to deal with only one EU national supervisory authority (the “one-stop-shop” principle), where currently enforcement may often be carried out in an uncoordinated way by two or more DPAs. The body in the Member State of the “main establishment” will now be the “lead authority” for supervisory activities. On the other hand, a complaint relating only or “substantially” to another Member State may be investigated by a different authority, subject to a process giving the lead authority the option to take over the proceedings and requiring the other authority to be consulted on the decision taken.
Controllers or processors without any EU presence may find themselves within the scope of EU laws for the first time. However, the current law where EU jurisdiction depended in part on the use (except for the purposes of “transit”) of equipment situated in the EU has led to more or less convincing debates around what systems or even user devices located in the EU would trigger this and in which Member State(s). On balance, the additional certainty and simplicity seems welcome, and non-EU entities processing EU data have two years to take advice and adapt.
2. Data protection by design and by default – who in our organisation needs privacy law training?
A small but, for the EU, novel section of the Regulation institutes a cardinal principle of data protection by design and by default.
This requires us to consider the protection of data subjects’ rights not only at the time of processing but also at the time of deciding the means of processing, i.e. when the system is being designed. The examples given are data minimization and pseudonymization, which should be at least considered at the product development stage (and data controllers would be well advised to document the fact that they were so considered, and what was decided).
The seven ‘foundational principles of privacy by design’ developed by the Information & Privacy Commissioner of Ontario seem likely to be influential in the application of this principle.
Data protection by default is perhaps even clearer – where our service can be provided using less rather than more data processing (e.g. the amount of data, the extent of processing, length of storage, accessibility) then we should ensure that by default it is provided only using what is strictly necessary. Any data processing beyond that will be strictly “opt in”, with particular care needed in relation to user data that is to be made accessible publicly.
On the other hand, these principles are not without limits – the Regulation expressly relates the measures expected to the state of the art, the costs of implementation and the actual risks to privacy (their likelihood and severity), so there is some flexibility here. Again, if we decide not to adopt a particular measure, e.g. we reject an encryption method that is effective but disproportionately expensive, then we would do well to document the reasons for this, and also to show that we have periodically reconsidered the matter.
While this may have a significant impact on some business models, again we can welcome the increased certainty: for example, debates around whether consent boxes should be pre-ticked or not should be a thing of the past. We should be aware that these principles are likely to be applied in particular in any data protection impact assessments (see Part 1) we may be required to undertake. So product, design and development teams could all benefit from training on the main features of privacy law.
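To make the two principles concrete for the development teams just mentioned, here is an added worked example (not code from the original article or from Eden Legal). It assumes a hypothetical sign-up service whose field names, processing purposes and retention period are made up for illustration; the pseudonymization key is constructed inline so the example runs offline and would be fetched from a key store in a real system.

```python
"""Data protection by design and by default, worked in Python.

Added example, not code from the original article or from Eden Legal.
The service, field names, purposes and retention period are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example key. In practice this is held separately from the data
# (KMS/HSM) so that, without it, pseudonyms cannot be linked back to people.
PSEUDONYM_KEY = b"constructed example key - fetch the real one from a KMS"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym for a direct identifier such as an e-mail address.

    HMAC-SHA256 rather than a bare SHA-256: a bare hash of an e-mail address
    is reversed by anyone with a list of e-mail addresses to hash, so it is
    not pseudonymization in the Regulation's sense. The key is the
    'additional information' that must be kept separately.
    """
    normalized = identifier.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


# Which fields each documented purpose genuinely needs. Anything not listed is
# dropped before the data reach that system (data minimization).
PURPOSE_FIELDS = {
    "account": {"email", "display_name"},
    "newsletter": {"email"},
    "analytics": {"user_pseudonym", "signup_month", "country"},
}


def minimize(raw: dict, purpose: str) -> dict:
    """Return only the subset of `raw` that `purpose` is documented to need.

    Direct identifiers are replaced by derived, less identifying fields where
    the purpose allows it. Unknown purposes are refused rather than given the
    full record (fail closed: a new purpose must be documented first).
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no documented purpose {purpose!r}")
    derived = dict(raw)
    derived["user_pseudonym"] = pseudonymize(raw["email"])
    derived["signup_month"] = raw["signup_date"].strftime("%Y-%m")
    return {k: v for k, v in derived.items() if k in PURPOSE_FIELDS[purpose]}


@dataclass
class PrivacySettings:
    """Data protection by default: every optional processing starts off."""
    marketing_emails: bool = False
    share_with_partners: bool = False
    profile_public: bool = False   # public accessibility needs particular care
    retention_days: int = 30       # assumed shortest period the service can run on


OPT_IN_FLAGS = ("marketing_emails", "share_with_partners", "profile_public")


def settings_from_opt_ins(opt_ins) -> PrivacySettings:
    """Enable only the flags the user actively ticked.

    `opt_ins` should come from a record of the user's own actions, not from
    the submitted form's boolean values: a pre-ticked box submits True even
    when the user never touched it. Unknown flag names are rejected.
    """
    settings = PrivacySettings()
    for flag in opt_ins:
        if flag not in OPT_IN_FLAGS:
            raise ValueError(f"{flag!r} is not an opt-in setting")
        setattr(settings, flag, True)
    return settings


def is_expired(stored_on: date, settings: PrivacySettings, today: date) -> bool:
    """Storage limitation: True once the record has outlived its retention."""
    return today - stored_on > timedelta(days=settings.retention_days)


if __name__ == "__main__":
    # Constructed sign-up record.
    raw = {"email": "Alice@Example.com", "display_name": "Alice",
           "date_of_birth": date(1990, 1, 1), "ip": "203.0.113.7",
           "country": "FR", "signup_date": date(2018, 5, 25)}
    for purpose in PURPOSE_FIELDS:
        print(purpose, "->", minimize(raw, purpose))
    print(settings_from_opt_ins({"marketing_emails"}))
    print(is_expired(date(2018, 5, 25), PrivacySettings(), date(2018, 7, 1)))
```

Note what the analytics view receives: a keyed pseudonym, a month rather than a date, and no IP address or date of birth. Keeping `PURPOSE_FIELDS` in code also gives you the written record, suggested above, that minimization was considered for each purpose.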
3. Who counts as a child and when can they consent to data processing?
Particularly where personal data processing is based on consent and where fairness depends on the prior notification of various information to the data subject, the position in relation to children’s data has presented a difficult balance. Different EU Member States currently regard children as being able to consent from as young as 12 (UK), 14 (Spain) or require parental consent for anyone under 16 (Netherlands) or 18 (France, at least when it comes to photographs, sensitive personal data, or transfers to third parties for marketing purposes).
The Regulation was therefore never likely to set one age for all the EU above which the minor’s consent can be given personally and below which a parent’s/guardian’s consent will be required. For online services (but not preventive or counselling services), what we have is 16 as the default age, while permitting Member States to set a lower age (but not less than 13) if wished.
However, we need to remember that the Regulation doesn’t define what a “child” is or limit the definition to the above – so if we are targeting or have any users that are under 18 then we still need to pay extra attention to the provisions on plain and intelligible language in privacy policies and notices informing users of their rights (Eden Legal would usually say that we should be doing that anyway); and to the right to erasure (“right to be forgotten”), where data collected from a child in connection with an online service can be required to be erased on that ground alone, without any of the other grounds for erasure having to be made out.
You can catch up with Part 1 of this series here. Eden Legal will return in other articles to further aspects of the new Regulation such as obtaining consent, international transfers, new obligations on data processors, data protection officers, and the new system of fines for non-compliance – see part 3 here.