New Data Rules
Once upon a time, only businesses established in the European Union (EU), or those that used equipment in the EU, were subject to EU data protection regulations. If a business didn’t comply with a regulation, the penalty would differ depending on fines established by the individual EU member state.
But the times, as Bob Dylan famously sang, are a-changin’. And that change is coming in the form of the EU General Data Protection Regulation (GDPR), which was adopted by the European Parliament in April and goes into effect on May 25, 2018.
EU citizens have had the right of data protection since 1995 when the EU Data Protection Directive was approved. This directive allows personal data to be transferred out of the EU to a third country, but only if that country ensures an adequate level of protection of the data, such as through domestic law or international commitments. It also requires EU member states to designate one or more public authorities to monitor the application within their territory to ensure data protection.
However, not all EU member states implemented the directive in the same way, leading to inconsistencies that created legal uncertainty and high administrative costs for some companies as they attempted to comply with various versions of the directive.
In 2012, as part of the EU’s push for a Digital Single Market, a proposal was made to modernize the directive through the creation of an EU GDPR. This regulation would lay out in legislation, as opposed to court decisions, the rights EU citizens have in regards to their personal data and how data controllers and processors would respect those rights.
During the course of four years, the EU negotiated and deliberated, ultimately coming up with the current 261-page regulation that guarantees a right to be forgotten, easier access to personal data, data portability, data breach requirements, data protection by design and default, and stronger enforcement of these requirements.
“The General Data Protection Regulation will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules,” said EU Commission Vice President Frans Timmermans, Vice President Andrus Ansip, and Commissioner for Justice, Consumers, and Gender Equality Vêra Jourová in a statement.
“These rules are for the benefit of everyone in the EU,” the EU commissioners explained. Individuals must be empowered: they must know what their rights are, and know how to defend their rights if they feel they are not respected.
While the roughly two years between now and May 2018 may seem like ample notice, it’s imperative that companies begin making the necessary changes to ensure compliance immediately, says Ann LaFrance, partner and coleader of Squire Patton Boggs’ Data Privacy and Cybersecurity practice. “They are telling people, actively, ‘You’ve got two years for a reason. It’s going to take you time, so get started,’” she adds.
This is because the definition of personal data has been expanded under the GDPR to mean any information related to an identifiable person that can be used to identify him or her. Personal data now includes names, identification numbers, location data, and online identifiers, as well as factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual.
“The definition applies to identifiers which might not necessarily have somebody’s name in it, but together with other information would allow you to identify an individual,” says Marcus Evans, data protection partner at Norton Rose Fulbright LLP, who leads the firm’s European practice. “And it’s being written with the sort of 21st century technology in mind.”
For instance, IP addresses are now considered personal data as part of the GDPR.
“For the online tracking community, the very broad definition of personal data that’s in the regulation makes it even harder to argue that an identifier, which is linked to a machine, is not personal data,” Evans adds. “The definition of personal data is now covering the same grounds that it’s come to cover today in Europe, but just in a much clearer way so there’s no wiggle room.”
Personal data also includes human resources information and the transferring of that data, LaFrance adds. For example, imagine a scenario where a U.S.-based HR manager has direct reports in Paris using a global HR management system that the manager has access to.
“If I, a U.S. manager, can observe all of the performance, evaluations, and so forth of the French employee, that is a transfer of data,” LaFrance says. “A lot of companies don’t think about it in that way. They think of it as sending of data, but when you’re in a global shared database, remote access from a point outside the EU is also a transfer of data.”
When data collectors gather this information, they also must obtain consent from EU citizens. Consent, as the GDPR explains, is “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Citizens will also have the right to rescind their consent for data controllers to use their data. This means that unless the data is necessary to complete a business function or to build a case in court, the data controller must delete the citizens’ data when asked to do so.
“This does not mean that on each request of an individual all his personal data are to be deleted at once and forever,” the EU Commission explains in a fact sheet. “If, for example, the retention of the data is necessary for the performance of a contract or for compliance with a legal obligation, the data can be kept as long as necessary for that purpose.”
While this may sound like a “boring detail,” LaFrance says, it’s a very big issue for many companies who are not used to having to practice good data hygiene—getting rid of data they no longer need.
“This is a big problem for many companies who don’t have any kind of data retention, erasure, or purge obligations or processes in place,” she adds. For instance, frequently when LaFrance asks clients when they’re going to erase data they have collected, they say “we don’t have any idea, we keep it forever.” This practice, however, can’t be continued under the GDPR.
Because of this erasure requirement, LaFrance says that it is in a data collector’s interest to avoid consent when collecting EU citizens’ data. Instead, she recommends using another justification, such as efficiency to collect that data and retain it.
“Or you might say that it is necessary for the performance of the legitimate interests of the controller—meaning the employer,” LaFrance adds. “Meaning it’s legitimate for them to have an efficiently run business. You really want to avoid consent where you can.”
And it’s not just companies based in Europe or with a physical presence in Europe who need to begin making changes to their data practices. Now, any data controller that collects EU citizens’ personal data to monitor their behavior, to perform a business function, or to target them to sell them goods or services, as well as the data processors that process this information for controllers, are subject to the GDPR.
“Under the regulation, it is no longer just a matter of the controller making sure that the processor does the right thing,” LaFrance explains. “Processors will be directly liable under the statute for certain obligations that are specified, including maintaining the security of the information that it’s processing.”
Security measures may include using encryption and pseudonymization—replacing identifying data with a label to disguise an individual’s identity—to protect personal data. Other measures could include ensuring the ongoing confidentiality, integrity, and availability of processing systems and services; ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical accident; and testing and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing.
High-risk data controllers, a category that has not been defined in the regulation but could include controllers who collect healthcare data, will need to seek EU data protection supervisors’ approval for these security measures.
“If a data breach occurred and you had not done any of this, and you’re hacked into, regulators will go after you for the top maximum penalty, I’m sure, because it will show that you had total disregard for the law,” LaFrance says. “So one of the reasons to actually go through this process is in case you are breached. Because if you show that you went to the data protection supervisor, everybody agreed, and nonetheless some incredibly sophisticated hacker got in, in a way that will be a defense.”
If a data processor or controller is breached, under the GDPR it will be required to notify the national supervisory authority within 72 hours of becoming aware of the breach, if it puts individuals at risk.
In this notification, the processor or controller will have to describe the nature of the personal data breach, including when possible the approximate number of data subjects affected and the kind of data that was breached. They are also required to describe the likely consequences of the breach and measures taken, or proposed to be taken, to address the breach.
Data controllers will also have to notify EU citizens if their data has been compromised in a data breach. This communication must be in “clear and plain language,” the regulation explains, and it must describe what data was affected, the likely consequences of the breach, and the measures the controller has taken to address it.
However, if the controller implemented appropriate technical and organizational protection measures—such as encryption—and applied them to the data that was affected by the breach, then it is not required to notify affected individuals.
Exceptions are also made for controllers where it would involve “disproportionate effort” to notify individuals of the breach. “In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in equally effective manner,” the GDPR says.
This 72-hour requirement will likely result in data controllers’ putting together template responses to inform the authorities and individuals of the breach, Evans says.
“There are very few data breaches where you can pull together all the information within 72 hours,” according to Evans. “So I think this is just going to mean that people have to go through some form of drill before the breach comes in as to how they’re going to respond to it. A big part of that is going to be a sort of holding letter, which actually gives less information rather than more information while further investigations are being undertaken.”
And the penalties for not complying with the regulation are steep, with a maximum penalty of 4 percent of global turnover or €20 million (roughly $22 million) once the GDPR goes into effect.
“If you look at this from a top down perspective, the EU Commission is saying ‘We don’t want just a check-the-box exercise anymore. This is not what we’re about,’” LaFrance says. “The regulators expect everybody to be exercising good data hygiene. They expect companies to be ensuring that internally, and they are going to look at it externally to make sure that people really are processing data fairly and keeping it in a very secure way, depending on the level of risk associated with the data.”