Over four years in the making, the General Data Protection Regulation (the “GDPR”) was approved by the European Council and Parliament on April 14, 2016, and will come into force on May 25, 2018. In the wake of ever-increasing cybersecurity and data privacy threats across the globe, the GDPR is intended to harmonize data privacy laws across Europe and increase data privacy protections for all European Union citizens. The GDPR will replace the Data Protection Directive 95/46/EC (the “Directive”), which required each member state of the European Union to pass national legislation to implement the intended outcome of the Directive. The result was a patchwork of similar, yet distinct, data privacy laws across the European Union member states. By contrast, the GDPR will have immediate and direct legal effect throughout the European Union because it is a regulation and not merely a directive. This also means that companies to whom the GDPR will apply (including companies based outside of the European Union) must be ready to comply with the regulation before the middle of 2018.
New, Key Concepts
1. Increased Geographical Reach
One of the most noteworthy changes contained in the GDPR is the regulation’s enhanced geographical reach. The GDPR will apply to all companies processing the personal data of data subjects residing in the European Union. This means that the GDPR will apply to the processing of personal data by controllers and processors in the European Union, without regard to whether the processing actually takes place within the European Union. Furthermore, the GDPR will apply to the processing of personal data of data subjects in the European Union by a controller or processor that is not established in the European Union, where the activities relate to (a) the offering of goods or services to European Union citizens (regardless of whether payment is required) or (b) the monitoring of behavior that takes place within the European Union. Additionally, non-European Union businesses that process the data of European Union citizens will be required to appoint a representative in the European Union.
2. Data Protection Officers
Similar to the Directive, the GDPR refers to “data controllers” and “data processors.” A data controller is an entity that determines the purposes, conditions and means of the processing of personal data. A data processor is an entity that processes personal data on behalf of a data controller. Under the GDPR, data controllers and data processors whose core activities consist of either (a) processing operations which require regular and systematic monitoring of data subjects on a large scale or (b) processing special categories of data or data relating to criminal convictions and offenses, must appoint a Data Protection Officer (“DPO”), a requirement not found in the Directive. A DPO must be appointed on the basis of professional qualities and expert knowledge of data protection law and practices. A DPO may be either a staff member or an external service provider; in either case, however, the DPO must be provided with the appropriate resources to carry out their tasks. Finally, a DPO must report directly to the highest level of management within an organization and must not carry out any other tasks that could result in a conflict of interest.
3. Stricter Conditions for Consent
The conditions for consent are more exacting under the GDPR. An organization’s request for consent must be given in an intelligible and easily accessible form, which must be accompanied by a document setting forth the purpose for the proposed data processing. Furthermore, it must be as easy to withdraw consent as it is to provide it.
4. Breach Notification
Under the GDPR, breach notification becomes mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Moreover, the notification must be made within a mere 72 hours of discovery of the breach. As any company that has previously dealt with a data breach knows, this 72-hour window will afford little opportunity for hesitation or delay. Additionally, data processors will be required to notify their controllers “without undue delay” after discovering a data breach.
5. Increased Penalties
Increased penalties for non-compliance represent another significant departure from the Directive. Under the GDPR, an organization in violation of the GDPR may be assessed a fine of up to 4% of the organization’s annual global revenue or €20 million (whichever is greater).
6. Right to Access
Under the GDPR, data subjects will now have the right to obtain confirmation from a data controller as to (a) whether personal data concerning them is being processed, (b) where such information is being processed and (c) for what purpose such information is being processed. The data controller must also provide a copy of the personal data, free of charge, in an electronic format.
7. Right to be Forgotten
The GDPR contemplates the “right to be forgotten.” This right will entitle a data subject to have a data controller (a) erase his or her personal data, (b) cease further dissemination of the data and (c) potentially have third parties halt processing of the data as well. Conditions for such deletion include (i) the data no longer being relevant to the original purpose for processing or (ii) the data subject withdrawing consent. A data controller is also tasked with evaluating a data subject’s rights in relation to the “public interest in the availability of the data” when considering a request from a data subject to have his or her personal data erased.
8. Data Portability
The GDPR also includes the concept of data portability. Data portability encompasses a data subject’s right to receive the personal data concerning him or her from a data controller and to transmit that data to another data controller. Like the right to access and the right to be forgotten, data portability dramatically augments the rights of data subjects.
9. Privacy by Design
The GDPR also features a concept known as “privacy by design.” This concept requires a data controller to “implement appropriate technical and organizational measures . . . in an effective way . . . in order to meet the requirements of [the] Regulations and protect the rights of data subjects.” The idea is that data protection should be included in the original design of any system that interacts with protected data, rather than being incorporated into the system later as an afterthought or a corrective measure.
In conclusion, the GDPR will differ in several important ways from the Directive. In addition to placing more stringent requirements on those entities handling personal data, the GDPR will also attempt to place control of personal data dissemination back into the hands of data subjects themselves. Furthermore, the GDPR will affect companies based outside of the European Union—including those based in the United States—that process the personal data of individuals within the European Union. Given the scope of the changes, it is critical that companies affected by the GDPR begin making preparations for compliance as soon as possible.