Over the last four years the EU Member States and institutions have been negotiating a new set of rules for data protection in the EU. The final text of the new Regulation was agreed last night (15 December 2015) and will be ratified by the Council of Ministers and European Parliament early in the New Year. The Regulation will enter into force in 2018.
The new General Data Protection Regulation (GDPR) will impact all businesses that handle even reasonably small amounts of personal data, but it will have far-reaching implications for 'data intensive' businesses of all sizes – which will include many tech firms, from start-ups to the largest global brands.
What is the GDPR?
The GDPR is a wide-ranging regulation that aims to strengthen consumer protection and enhance trust and confidence in how personal data is used and managed. It will replace existing legislation that has been in place since the mid-1990s (Directive 95/46/EC). It is intended to be one of the key regulatory cornerstones for Europe's ambition to be a leading global digital economy. The regulation covers how personal data is gathered, stored, shared, processed and used.
The new regulation has expanded the definition of personal data to cover any data that can identify a person "directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person".
This broad definition means the GDPR will apply to businesses across the global economy.
The new rules will apply not only to businesses which are actually located in the EU but also to businesses located outside the EU if they process the personal data of European citizens and offer them goods and services.
What are the big issues in the Regulation?
1. Consent (Article 4 & 6)
The Regulation has maintained the current definition of 'unambiguous' as the legal basis for consent for processing non-sensitive data. However, the new rules mean that businesses that gather users' data for a specific purpose will not be allowed to transfer or share the data for a different purpose without the user's explicit consent. This could inhibit the ability of businesses to innovate with existing data. Explicit consent will also be required for the processing of sensitive data.
A consequence of the new legislation is that businesses will need to seek consent (unambiguous or explicit) more often from consumers. A concern about this is that it could lead to 'consent fatigue' and the kind of 'meaningless consent' people provide when they click away cookie reminders on websites. The implementation phase will need to look closely at how practical consent requirements will be for emerging technologies such as the internet of things (IoT), which are not web-based and have no obvious user interfaces.
2. New liabilities and obligations for data processors (Article 77)
A significant change in the new rules is that data controllers and processors will be jointly liable for any breach of the Regulation.
Joint liability will extend responsibility beyond the companies that collect and use personal data. Cloud providers, data centres and processors will now be liable for data held on their services. Given that data processors will have little visibility over whether the data collected by data controllers is compliant with the new Regulation, managing the legal implications of this requirement within contracts between controllers and processors will be difficult and potentially costly. This means that customers, particularly SMEs, will be faced with higher costs. Consumers will also be faced with a complex legal environment where there is less clarity about who is liable in the case of data breaches. National data protection authorities will need to work closely with industry to develop best practice model contracts to help streamline compliance with joint liability requirements as much as possible.
3. Restrictions on the use of 'legitimate interest' as legal basis to process data (Article 6)
Many companies currently rely on the legal concept of 'legitimate interest' as a legal basis to lawfully process personal data. The new rules restrict the instances where legitimate interest can be used as a legal basis for processing. Companies will have to ensure that any data processed under this legal basis is compliant with the now more restricted requirements and reflects member state law. Legitimate interest is a key enabler of the digital economy and underpins companies' ability to combat cybercrime and fraudulent activity. Restrictions on its use as a basis for data processing will prove problematic for many businesses.
4. New restrictions on the use of profiling to support products and services (Article 20)
Many companies rely on profiling, and on automated decision making based on profiles, to develop cost-effective real-time personalised services that benefit consumers. The new Regulation will limit the use of profiling in circumstances where its use may lead to 'legal effects', and could mean that companies offering financial services, for example, are unable to use fully automated profiling without some form of human review. Automated profiling will be allowed in certain circumstances such as fraud detection and public services, or where provided for in national law.
The new rules could be problematic for many FinTech companies, as they will make it more difficult for companies to offer some personalised financial and insurance services to consumers. They could also make it harder for companies to detect and prevent fraudulent activity, which cannot feasibly be done manually.
5. Innovation and further processing (Article 6)
In a digital economy, innovation depends upon the ability to use existing data to see and understand the world differently. The new Regulation imposes stricter new limits on such further processing which will make it more difficult for many organisations to drive innovation.
There are differences of interpretation about the precise meaning of Article 6 and how it impacts the ability of companies to develop new innovative services based on existing data. However given the severity of fines that could be imposed (see below) if companies are found to be in breach of the Regulation, legal certainty will be essential for unlocking innovation.
6. Data breaches and fines (Article 31 & 32)
The requirements for notifying consumers of data breaches have changed. New mandatory breach notifications will have to be made within 72 hours of companies discovering a data breach.
The Regulation will introduce much more punitive fines for companies that are found to be non-compliant with the Regulation. Businesses could be fined up to 4% of global revenue depending upon the nature of the compliance failure.
7. Children's data (Article 8)
Member States will be able to determine at national level what the age of consent should be for young people accessing 'information society services' without their parents' consent. This could vary from 13 to 16, which will mean a fragmentation of rules in an area where age verification can often prove difficult. Providers of 'information society services' will have to secure parental consent for users under the age of consent.
8. Data Protection officers (Article 35)
The Regulation introduces a requirement for larger firms to appoint a Data Protection Officer (DPO) if they handle large amounts of sensitive data or regularly gather data on customers. SMEs will be exempt unless their core business involves processing large quantities of personal data (most tech start-ups).
The DPO must have expert knowledge of data protection law and practices. Low-turnover start-ups and scaling SMEs could struggle to finance this obligation in what will quickly become a highly competitive market for skilled data protection officers. However, member states have the option of expanding the requirements for a DPO.
9. SME exemptions
The Regulation takes positive steps to exempt SMEs from some of the more burdensome obligations. Consumers have a newly empowered right to request access to their data. Where those requests are excessive or unjustified, SMEs will be able to charge a fee for providing access. Additionally, SMEs will have no obligation to carry out an impact assessment on most types of processing unless there is a high risk to consumers.
10. Public Sector exemptions
Within the Regulation there are a large number of exemptions for public services, which will mean that in many instances the rules that apply to public services will differ from those that apply to services provided by the private sector.
11. International Data Transfers (Article 43a)
The Regulation also includes provisions on the international flow of data, including rules on how companies should respond to requests for data by foreign courts or regulatory bodies. The Regulation states that requests for data, including court requests, should only be recognised if the requesting country's request is based on an international agreement. There is a significant risk that this would place companies in the middle of a jurisdictional clash.
techUK is interested in hearing how these issues will affect your company. For more information on techUK's work on Data Protection or to join techUK's Data Protection Group please contact Jeremy Lilley.