Previously in Part 1 and Part 2 we reviewed the (new) right to be forgotten, obligations to notify security breaches, data protection impact assessments, applicability to non-EU based data controllers and processors, data protection by design and default, and processing of children’s data. This time we explain the main new provisions on: options for legal international transfers of data, and the headline-grabbing fines and penalties for breaches of the new Regulation.
1. International transfers – a slightly expanded menu
The starting point is that international transfers of personal data outside of the EU/EEA that don’t guarantee “adequate” legal protections are still prohibited.
The European Commission may continue to issue “adequacy decisions” for transfers on the basis that the laws or protections applicable provide a level of protection “essentially equivalent” to that in the EU (a reference to the Court of Justice’s test for adequacy in the Safe Harbor decision). Under the Regulation this mechanism can now be applied not only to a third country but also to a “territory or one or more specified sectors” within a third country, or an international organisation. From prior drafts of the Regulation, we understand that “sectors” could mean e.g. “the private sector” or “specific economic sectors” – presumably based on particular binding rules applicable to such sectors.
For transfers not covered by an adequacy decision, we have a range of possible tools that can make the transfer compliant with the Regulation without requiring further authorisation:
- legally binding and enforceable agreements between public authorities;
- binding corporate rules:
Although not the quickest or easiest to put in place, and still requiring approval from the relevant supervisory body, these will now be valid in all Member States (under the Directive there are still a few that don’t recognise them). Also, they may be implemented between enterprises “engaged in joint economic activity” and not just within a company group;
- Model Clauses adopted by the European Commission;
- Model Clauses adopted by a national supervisory body:
The existing EU model clauses will remain valid until expressly revoked. Using the EU model clauses “as is” will not require prior authorisation anywhere in the EU (in certain Member States under the current law it still does);
- an approved code of conduct binding on the data importer;
- an approved certification mechanism binding on the data importer:
These last two are new and potentially attractive options: we’ll see whether trade associations for example decide to take advantage of the opportunity for self-regulation.
Finally, as today, non-standard (“ad hoc”) contractual clauses will still be usable but will now expressly require approval by a national supervisory body (something not all Member States currently insist upon).
On the other hand, decisions or orders from courts or authorities in third countries will not generally be an acceptable basis for transfers, unless based on an international agreement.
The menu is certainly extensive and should develop over time if new codes of conduct and certifications become available. The only “short order” option remains the model clauses – we’d like to hope that further sets of these could be added e.g. for processor to sub-processor transfers, which at the moment often need to be covered by ad hoc clauses.
2. Fines & Damages – there are worse things I could do?
If we’re only aware of one thing under the Regulation, then given the media excitement around it, it’s probably the potential fines for breaches of its provisions of up to 4% of our annual worldwide turnover (or Euro 20 million, if higher). This is probably what they meant by personal data now being “risk” (and explaining a 20 million fine to management or shareholders is certainly something designed to keep us awake at night).
The main applicable sanctions (more or less from low to high) will be as follows:
a) warnings or reprimands: for minor violations;
b) temporary or permanent limitations or bans on processing;
c) “effective, proportionate and dissuasive” penalties (outside the areas where the Regulation harmonises the fines) which may include criminal liability depending on Member States’ legal systems;
d) lower level fines (of up to Euro 10 million or up to 2 % of total worldwide annual turnover): for breaches by a controller or processor of obligations e.g. in relation to:
- obtaining children’s consent for provision of information society services;
- notifying a data breach to the supervisory authority;
- notifying a data breach to data subjects; or
- designating a data protection officer;
e) higher level fines (of up to Euro 20 million or up to 4 % of total worldwide annual turnover): e.g. for:
- non-compliance with the basic principles for processing, including obtaining consent;
- breaches of data subjects’ rights;
- transfers of personal data to a third country or an international organisation without ensuring an adequate level of protection; or
- non-compliance with orders of the supervisory authority e.g. for temporary or definitive limitations on processing, suspension of data flows, or to provide access.
The “administrative fines” will be imposed by the Member States’ supervisory authorities (or in Denmark and Estonia by the applicable courts). The Regulation sets out a number of aggravating and mitigating factors – including notably whether the breach had been voluntarily notified or not – which should guide the decision on the level of the fine up to the maximum.
Data protection authorities have already had varying powers to issue fines (Spain notably imposed three €300,000 fines on Google for data sharing across services; the UK ICO’s highest fine to date was GBP 350,000 for massive automated cold calling). For the most part these powers have been applied sparingly, though often for lack of resources, so that only very blatant or exemplary cases were pursued. The resources will remain limited. However, public data awareness and activism may make complaints more common, and data breaches will also now need to be made public. So these powers seem unlikely to remain dormant for long. Given the scale of the fines and also the degree of discretion regarding the level on the scale, as well as a potential open door for data controllers to point the finger at data processors and vice versa, it seems inevitable that some of those DPA resources will be spent on legal challenges.
Independently of the actions that supervisory bodies may take, data subjects are expressly given rights to:
- complain to the relevant supervisory authority;
- claim in court against a decision or failure to follow up a complaint by a supervisory authority;
- bring a claim against a controller or processor for breaches of the Regulation; and
- “receive compensation” for any “material or non-material damage” suffered due to breaches of the Regulation. The data controller will be liable, except where the damage is caused by a processor who has breached the processor’s obligations under the Regulation or has exceeded or breached the controller’s instructions. The relevant actions will be brought in the courts of the establishment of the data controller. It will be for the controller or processor to prove that they weren’t in any way liable for the damage.
You can catch up with Part 1 and Part 2 here. In future articles, we’ll look at: how to obtain consent from data subjects, who needs a data protection officer, rights to data portability, and new direct obligations on data processors.