Summary of the Substantial Material Changes
The sections below summarise the substantial material changes imposed by the Regulation, compared to the current framework under the Directive.
The material scope as foreseen in the Proposal for a General Data Protection Regulation has not substantially changed compared to the current Directive 95/46/EC. As to the territorial scope, the new rules are expected to have a major impact on companies established outside the EU that target the EU market.
Controllers or processors established in the EU
The draft Regulation applies to the processing of personal data "in the context of the activities of an establishment of a controller or a processor in the EU".
The determining factor is the location of the establishment whose activities entail personal data processing. An establishment will be deemed to exist where there is an effective and real exercise of activities through stable arrangements in the EU (whether through a branch or a subsidiary with legal personality). Whether the actual processing takes place within or outside the EU is irrelevant in determining the applicability of the Regulation.
It should be noted that it is no longer just the location of the controller that is relevant for determining the applicability of EU data protection law. Indeed, the draft Regulation (in contrast to the current Directive) refers not only to the establishment of a controller in the EU, but also to the establishment of the processor in the EU.
Controllers not established in the EU
A controller with no establishment in the EU may still be required to comply with the Regulation where the controller:
- processes personal data of data subjects residing in the EU; and
- such processing activities relate to offering EU data subjects goods or services or monitoring their behaviour.
Monitoring occurs when individuals are tracked on the internet with data processing techniques which consist of applying a 'profile' to an individual, particularly in order to take decisions concerning the individual or for analysing or predicting his/her personal preferences, behaviours and attitudes.
The current rule under the Directive, whereby EU data protection law applies to a non-EU controller because it makes use of equipment located in the EU, would no longer apply.
General Processing Requirements
The draft Regulation clarifies the conditions for invoking a data subject's consent as a legal basis for processing. Consent requires an explicit, freely given, specific and informed indication of wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him being processed (e.g. by ticking a box when visiting a website, or by any other statement or conduct which clearly indicates the data subject's acceptance of the proposed processing). This appears to remove the possibility of implied consent being effective.
If consent is given in the context of a written declaration that also concerns another matter (e.g. general terms and conditions), the request for consent must be presented in a way that is clearly distinguishable from that other matter. The data subject has, at all times, the right to withdraw his or her consent.
The draft Regulation provides a strict framework for processing the personal data of children.
In particular, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years will only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller must in this respect make reasonable efforts to obtain verifiable consent.
Data Subjects' Rights
The draft Regulation introduces a new obligation on the controller to have "transparent and easily accessible" policies with regard to the processing of personal data and to the exercise of data subjects' rights. The controller must provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language adapted to the data subject, in particular for any information addressed specifically to a child.
Where personal data are collected, the controller must provide the data subject with certain information. Compared to the current Directive, the draft Regulation expands the categories of information that must be provided.
Procedures and mechanisms
The controller must establish procedures and mechanisms for responding to, and facilitating, data subjects' requests for access, rectification, erasure, portability and objection. Where personal data are processed by automated means, the controller must also provide means for such requests to be made electronically.
The controller may not charge a fee for this, except where requests are excessive (in particular because of their repetitive character).
Whereas the Directive simply provides that data subject requests must be answered without excessive delay, the draft Regulation imposes specific requirements regarding the content, timing and format of the controller's response.
If the controller rectifies or erases any data as a result of the data subject exercising his right to rectification or his right to be forgotten, the controller must inform any recipient to whom the data have been disclosed of the change, unless this proves impossible or involves disproportionate effort.
Access and rectification
The draft Regulation extends the right of access to personal data. The key changes are as follows:
- The data subject would have the right to make requests to the controller at any time rather than at reasonable intervals.
- The following additional information must be provided to a data subject who makes a request:
- details of recipients in third countries to whom the personal data are disclosed
- the period for which the personal data will be stored
- the existence of the data subject's right to request rectification or erasure and to object to processing
- details of the data subject's right to complain to the supervisory authority, and the authority's contact details
- the significance and envisaged consequences of the processing, at least in relation to measures based on profiling
As with the Directive, the data subject has a right to obtain a copy of the data.
The right to rectification gives data subjects the right to have any inaccurate data about them rectified, and any incomplete data completed.
Right to be forgotten and to erasure
Whereas the principles underlying the right to be forgotten under the current Directive have been recognised by the European Court of Justice in its landmark Google Spain ruling, the scope of this right has been further clarified and extended in the draft Regulation.
A data subject may require the controller to erase his personal data, and to refrain from further disseminating such data, especially in relation to data made available by the data subject when he was a child, in the following cases:
- the data are no longer necessary for the purposes for which they were collected or otherwise processed
- the data subject withdraws his consent or when the storage period consented to has expired, and where there is no other legal ground for processing the data
- the data subject objects to his personal data being processed (see below), or
- the processing of the data does not comply with the Regulation for other reasons.
Where the controller has made the data public, it must take all reasonable steps to inform third parties that are processing such data that the data subject has requested them to erase any links to, or copies or replications of, that data. Where the controller has authorised a third party to publish the personal data, the controller is considered responsible for that publication.
Several exceptions exist to the obligation to erase the data without delay, including e.g. compliance with a legal obligation. In some cases, the controller may restrict the processing of the data rather than erasing them, notably:
- if the accuracy of the data is contested by the data subject, for a period enabling the controller to verify their accuracy
- if the controller no longer needs the data for the accomplishment of its task but they have to be maintained for evidence purposes
- if the processing is unlawful but the data subject opposes their erasure and requests the restriction of their use instead, or
- if the data subject exercises his right to data portability (see below).
Where processing is restricted in this way, the data may, apart from being stored, only be processed for evidence purposes, with the data subject's consent, for the protection of another person's rights or for an objective of public interest. The controller must inform the data subject before lifting the restriction on processing.
The draft Regulation introduces a new right to data portability. Where data are processed by electronic means and in a structured and commonly used format, the data subject has the right to obtain from the controller a copy of the data undergoing processing in an electronic, structured and commonly used format that allows further use by the data subject. This right resembles the existing data subject access right, but in addition requires that the data be made available in a specific format.
Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject has the right to transmit those personal data, and any other information provided by the data subject and retained by an automated processing system, into another such system, in a commonly used electronic format, without hindrance from the controller from whom the personal data are withdrawn.
The right to data portability is primarily aimed at social media platforms, but it would apply to all controllers and is likely to place a significant burden on them.
Right to object
The general right to object, which exists alongside the specific right to object to the use of personal data for direct marketing purposes, has been extended to cover the situation where processing is based on the necessity to protect the data subject's vital interests.
In addition, the burden of proof now shifts to the controller, which must demonstrate that there are compelling legitimate grounds for its processing activities.
Profiling
Principle – The draft Regulation restricts the possibility of taking automated individual decisions regarding natural persons. Natural persons have the right not to be subject to measures which produce legal effects concerning them or which significantly affect them where such measures are based solely on profiling. A measure is deemed to be based solely on profiling where it is based solely on automated processing intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict, in particular, a natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Exceptions – A person may nevertheless be subjected to such a measure based on profiling in exceptional cases, namely if the processing is:
- carried out in the course of entering into, or performing, a contract, where the request for entering into or performing the contract was lodged by the data subject and has been satisfied, or where suitable measures to safeguard the data subject's legitimate interests have been adduced (such as the right to obtain human intervention)
- expressly authorised by (EU or national Member State) law, or
- based on the data subject's consent.
In such cases, the controller has an extended information obligation towards the data subject. The data subject must be informed of the existence of processing for a measure based on profiling, and of the envisaged effects of such processing on the data subject.
In any case, automated processing intended to evaluate certain personal aspects of a natural person may not be based solely on the so-called "special categories of data", i.e. data revealing racial or ethnic origin, political opinions, religion or beliefs, or trade-union membership, genetic data, data concerning health or sex life, and data relating to criminal convictions or related security measures.
Previous draft versions of the Regulation provided that measures based on profiling could never be taken with respect to children. Whereas this prohibition has been deleted in the draft Regulation, the explanatory recitals still refer to this principle.
Internal Compliance Requirements
The controller has an obligation to ensure that all processing of personal data is performed in compliance with the Regulation. Moreover, the controller must be able to demonstrate such compliance.
To this end, the controller must adopt specific policies and measures, and verify the effectiveness of those measures. If proportionate, this verification will be carried out by independent internal or external auditors.
The minimum measures to be taken by the controller are listed and further elaborated in the draft Regulation:
- keep extensive documentation of the processing operations
- implement data security requirements
- perform a data protection impact assessment (only required in specific cases)
- obtain prior authorisation from, or consult, the supervisory authority (only required in specific cases), and
- designate a data protection officer (only required in specific cases).
System and Operating Requirements
Privacy by design
The draft Regulation introduces the concept of "privacy by design". Although this idea is already reflected in the current Directive, it is now introduced as a specific, stand-alone concept. The controller must implement appropriate technical and organisational measures and procedures which should ensure that the processing complies with the Regulation, and protects the rights of the data subjects.
Privacy by default
The draft Regulation also introduces the concept of "privacy by default", which can generally be seen as the practical implementation of the existing data minimisation principle. It implies that the controller must implement mechanisms ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing, and in particular that data are not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of data and the duration of their storage.
Security breach notification
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The draft Regulation introduces a notification obligation for controllers and processors in the case of personal data breaches. A processor must alert and inform the controller immediately after it has established that a personal data breach has occurred. A controller must notify the supervisory authority without undue delay and, where feasible, within 24 hours of becoming aware of the breach; where notification is not made within 24 hours, it must be accompanied by a reasoned justification for the delay.
The draft Regulation also requires controllers to document any personal data breach (the facts surrounding the breach, its effects and the remedial action taken). This documentation must enable the supervisory authority to verify compliance with the notification obligation and should include only the information necessary for that purpose.
Furthermore, the controller has a notification obligation towards data subjects. This obligation applies where the personal data breach is likely to adversely affect the protection of the personal data or the privacy of the data subject, in which case the data subject must be informed without undue delay, after the supervisory authority has been notified.
Transfers to Third Countries Or International Organisations
The main changes compared to the current regime relate to enabling controllers and processors to make certain transfers of personal data outside the European Economic Area (EEA) where the transfer is in the legitimate interests of the controller or the processor. This derogation would only be available where the transfer is not "frequent, massive or structural", but the relaxation of the transfer restrictions is nevertheless a welcome change for businesses operating in an international environment.
In addition, the draft Regulation envisions binding corporate rules for processors, approval of additional standard data transfer clauses beyond the model clauses, and flexibility for the European Commission to determine a jurisdiction's "adequacy" to receive international data transfers for particular industry sectors or territories within a country.
(JOINT) Controllers and Processors
In line with the Directive, the draft Regulation recognises the principle of "joint controllers", i.e. two or more companies determining the purposes, conditions and means of the processing together. The draft Regulation does, however, additionally impose the requirement to ensure an arrangement is in place between such joint controllers.
Such an arrangement must determine, in particular, the parties' respective responsibilities with respect to the procedures and mechanisms for data subjects exercising their rights.
The draft Regulation grants, to any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with the draft Regulation, the right to compensation from the controller or the processor responsible for the damage suffered.
Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.
Enforcement and Liability
Contrary to the Directive, the draft Regulation introduces the principle of a "one-stop-shop", whereby one supervisory authority (in the country of the controller's main establishment) is responsible for decisions relating to the controller across its EU operations. This principle is expected to reduce the administrative burden for international organisations.
The draft Regulation requires controllers and processors to cooperate with the supervisory authority, eg by providing information and/or access.
For certain specific processing activities, prior consultation with or authorisation from the supervisory authority is required.
Penalties and administrative sanctions
The draft Regulation requires the Member States to lay down rules on penalties applicable to infringements of the Regulation.
Additionally, the draft Regulation foresees an extensive regime of administrative sanctions, empowering each supervisory authority to impose sanctions in cases where a controller intentionally or negligently infringes the Regulation.
Depending on the nature of the breach, supervisory authorities may impose fines ranging from up to 250,000 EUR or 0.5% of the annual worldwide turnover of an enterprise, through an intermediate tier of up to 500,000 EUR or 1%, to a maximum of 1,000,000 EUR or 2% of the annual worldwide turnover of an enterprise.
In this context, we note that an "enterprise" is any entity engaged in an economic activity, irrespective of its legal form, so includes natural and legal persons, partnerships or associations regularly engaged in an economic activity.
For enterprises or organisations employing fewer than 250 employees which process personal data only as an ancillary activity, a warning may be given (rather than a sanction imposed) in case of a first and non-intentional case of non-compliance with the draft Regulation.
The draft Regulation also takes into account the degree of cooperation to remedy the violation when determining the fine.
Current Status of the Draft Regulation
The provisions of the draft Regulation are not to be considered as final and are still subject to extensive debate by the European legislative bodies.
For any updates on the legislative process, and other data protection and privacy related news, we invite you to consult our data protection and privacy blog http://blogs.dlapiper.com/privacymatters/
Prof. Patrick Van Eecke
T +32 2 500 1630