February 2016 edition
The Insider: Europe’s new data protection law – what do you really need to know?
Over the past several months, you have probably been bombarded with data privacy articles, questions, and concerns. Given the sheer volume of material on the topic, it is difficult to figure out what you truly need to know about the current state of data privacy and data protection in Europe. We saw the European Court of Justice strike down the US-EU “Safe Harbor” agreement last October, and we know that an agreement was recently reached on a new EU-wide data privacy law. The hard part is figuring out what it all means. This month I am going to try to sum things up in a useful way so that when those questions and concerns come across your desk, you have some ready answers and a road map for the next steps you and your company need to take.
On December 15, 2015, the “powers that be” within the various parts of the government of the European Union agreed on the terms of a new data privacy law. The new General Data Protection Regulation will replace the existing EU Data Privacy Directive, adopted back in 1995. Below I will discuss some of the key new provisions, but one of the biggest differences between the two pieces of legislation is that the 1995 Directive was a “floor,” i.e., each EU Member State was required to implement its own data privacy law with protections “at least” as strong as those set out in the Directive. The Member States were free to (and many did) implement stronger protections, leading to a lot of inconsistency across borders. The new Regulation, however, is designed to provide a uniform data privacy law that will go into effect across the entire European Union. It will not require action on the part of the Member States, and it will supersede the Directive (and any Member State versions thereof).
It’s not final ... yet
While there is plenty of hoopla about the new law, keep in mind that it is still not final. The exact wording must be approved by the European Parliament. This will most likely occur in February or March 2016. There will be opportunities to amend the Regulation before the final vote, but realistically the chance of any major changes is very slim. Once the law is “final,” it will not go into effect for two years, i.e., in 2018. In the meantime, the Directive (as implemented by each Member State) will still control data privacy in the EU.
Time to get moving
While two years may seem like an eternity, there are enough substantial changes and new obligations in the Regulation (vs. the Directive) that there is really no time to lose in terms of preparing. If your company processes the personal data of EU citizens (or processes personal data in the EU), you need to get moving.
10 key provisions
The Regulation is over 200 pages long, so I am only able to summarize some of the key provisions I think you need to be most concerned with at this point:
- Who’s covered? – Any company processing personal data within the EU and any company that processes the personal data of EU citizens (where such processing relates to the offering of goods and services to EU citizens, e.g., a French-language site that prices in euros) is covered by the Regulation, regardless of where the company or its equipment is located. This applies to both data controllers and data processors. This broad sweep of coverage is a huge change from the Directive.
- Enforcement – On its face, there are substantial fines that the EU or relevant Data Protection Authority (DPA) can levy against any company that breaches the provisions of the Regulation. The fines can be up to the greater of €20M or 4% of global gross revenue. Moreover, there is now the possibility of joint and several liability of the controller and the processor.
- “One stop shop” – A welcome change under the Regulation is that it will provide companies with the ability to deal with one DPA, in the EU country where the data controller has its main business establishment. Under the Directive, a controller had to deal with multiple DPAs if it processed personal data in more than one EU country.
- Data Privacy Officer – All companies where data processing is a “core” activity and all companies processing “sensitive data” on a large scale will need to formally appoint a Data Privacy Officer (DPO). This applies to both a controller and a processor. A family of companies can have one DPO to act on behalf of the group. Additionally, DPOs will be responsible both for ensuring that their companies properly train their employees on data privacy issues and for ensuring that their company regularly tests, assesses, and evaluates the effectiveness of its data security processes. The quality of such training and testing/evaluation will bear directly on the amount of any fine in the event of a data breach.
- “Right to be forgotten” – Many of you have probably heard of the decision against Google in Spain requiring Google to honor an individual’s request that certain data and information about him or her be deleted. This “right to be forgotten” concept is now enshrined in the Regulation and will become an obligation of all companies subject to the law. Surprisingly, the law will require that the company immediately take down the questioned information while it is deciding if the request for permanent deletion is warranted under the law.
- Notification of breach – In the event of a data breach involving personal, unencrypted data, the breach must be reported to the applicable Data Protection Authority within 72 hours (if “feasible”) and the company must notify the affected individuals without “undue delay” when the breach is likely to result in a “high risk” to the rights and freedoms of those individuals.
- Obligations on data processors – A data processor (i.e., a party processing data on behalf of a data controller) may not subcontract any of the processing work without the prior specific or general written consent of the data controller. This is a big change from the Directive. Unlike the Directive, the Regulation will place direct liability for violations on all data processors and not just the data controller. The Regulation also contains numerous specific contractual obligations that data controllers must impose on their data processors and any subprocessors, as well as new obligations owed by data processors to data controllers (e.g., confidentiality, responding to data subject rights requests, privacy impact assessments, etc.).
- Consent – There can be no processing of personal data without the express consent of the individual. Such consent must be “freely given, specific, informed and unambiguous” and “expressed affirmatively.” This likely means no burying the “I consent” language deep within the user agreement. You will need to set up a process to obtain specific consent for any and each use of the personal data. In other words, aside from collecting and using personal data for the purposes of fulfilling the contract or transaction in question, any “repurposing” of the personal data collected will be difficult unless consent was or is obtained for that repurpose. Furthermore, consent can be withdrawn at any time. Children under the age of 16 require parental permission in order to give consent (though Member States may set different ages for this provision, e.g., 13 years old in the UK). All of this will require a new level of detail and transparency with respect to privacy notices on company websites.
- Transfers of data outside EU – There will still be a prohibition against the transfer of personal data outside of the EU unless (1) there is consent, (2) the transfer is necessary to complete the contract, (3) the destination country provides an “adequate level of data security,” (4) the EU model clauses are in effect, (5) Binding Corporate Rules are in place, or (6) one of several other new exceptions applies, such as approved codes of conduct or a certification issued by an approved certification body. As a result, there will be even more pressure on the US and EU to reach a new “Safe Harbor” agreement to replace the one which provided a legal basis for the transfer of personal data to the US under the Directive. As noted, that agreement was struck down in the Schrems case last October. While many businesses and government officials are hopeful that a US/EU “Next Gen Safe Harbor” agreement will soon be in place, nothing is assured at this point. If such an agreement is not in place by the end of January 2016, US companies that previously relied on Safe Harbor to transfer personal data out of the EU will need to find another mechanism to comply with the Directive, most likely the “model clauses.”
- Data Privacy Impact Assessments – Where data controllers or data processors utilize new technologies and there is “high risk” of data privacy issues, they must conduct a Data Privacy Impact Assessment of the new/planned technology, and document their processing operations and information systems. Such documentation must then be available for inspection by a relevant DPA.
- Obligations around the collection of personal data – A number of new principles and obligations will apply to the collection of personal data under the Regulation vs. the Directive. In particular, personal data may only be collected for a “specified, explicit and legitimate” purpose, and companies will need to enact plans to ensure “data minimization,” “privacy by design,” “accuracy,” “storage limitation,” “accountability,” “integrity,” and “confidentiality” of personal data.
Again, the draft Regulation is over 200 pages long, and there is a lot more to it than the provisions summarized above. And nothing is “final” until the Regulation is actually approved by the European Parliament. As you can already see, there will be many places where different officials may interpret the meaning of certain words differently, such as “high risk” and “if feasible” in the breach notification section. While it will be a uniform law, there will undoubtedly be “nuance” in how the Regulation is enforced by different DPAs over time, just as there has been under the Directive. Overall, the key will be to act in good faith and diligently in terms of trying to comply. It will not be a perfect defense if there are problems, but in my experience, regulators recognize when companies try to do the right thing and fail versus those that simply do not try or care at all. It’s far better to be in the former category than the latter.
Regardless of whether you agree with it or not, whether you think it is great or think it is the worst kind of government overreach, the bottom line is that the Regulation is here, the Europeans are serious about data privacy and data rights, and the penalties for failing to comply can be substantial. I can summarize my advice on the next steps you should take as follows:
- Read it – There is no substitute for reading the Regulation cover to cover. I would not wait until the “final” version is passed to get started on this task.
- Brief it – If you haven’t already done so, it’s time to begin preparing the business (including senior management) for what’s coming. Take your time here and be sure you understand what is being proposed and how it will impact your company. Going into a meeting half-cocked and not understanding the impact is not a good idea.
- Follow it – There will be a lot written about the Regulation over the next two years. Work hard to stay up to date on the latest developments. The International Association of Privacy Professionals has an excellent website and resources that can help you understand the Regulation and the intent behind certain provisions. See www.iapp.org. The European Commission (and the Article 29 Working Party) will provide guidance, FAQs, etc. as the process moves forward. Finally, many law firms and privacy professionals will be writing and blogging about the Regulation as well.
- Plan it – Lastly, you should create a project plan based on your review of the final Regulation and the different requirements as they map to your company’s data privacy practices. You (and a cross-company team) will need to focus your efforts first on the “gaps.” Nothing fancy or complicated is required; a simple matrix can keep you – and the business – focused on what needs to be done over the next 18-24 months, and give your C-Suite and Board of Directors comfort that there is a plan in place and you are executing against it.
About the author
Sterling Miller was the General Counsel, Corporate Secretary, and Chief Compliance Officer for Sabre Corporation from 2008-2014. Prior to that, he was the General Counsel for Travelocity.com and worked in the Sabre Corporation legal department, in charge of litigation and regulatory affairs. Before moving in-house in 1994, he was an associate in the Litigation Section of Gallop, Johnson & Neuman in St. Louis. In November 2014, he retired from Sabre and decided to start a blog featuring lessons learned in 20-plus years as an in-house lawyer. Read more from Sterling Miller in his blog, Ten Things You Need to Know as In-House Counsel.