EU General Data Protection Regulation – Part I
"Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), was published in the Official Journal of the European Union on 4 May 2016. Although the Regulation entered into force on 24 May 2016, all companies, public authorities and natural persons (other than those processing in the course of a purely personal or household activity) engaged in processing personal data in the EU have until 25 May 2018 to review and adapt their processing activities to comply with the GDPR. On that date, the Regulation will formally repeal the previous Directive 95/46/EC on the protection of personal data (the Data Protection Directive).
The GDPR seeks to afford technologically neutral protection by addressing the legal aspects of the processing and free movement of personal data in light of the technological developments of the past 20 years. The review of the personal data protection regime that led to the GDPR stemmed from the central role the Internet now plays in personal and business life and from individuals' concerns about unlawful intrusions into their personal data by both companies and public authorities (see, e.g., the CJEU's judgment in case C-362/14, Maximillian Schrems v Data Protection Commissioner, invalidating the EU-US Safe Harbor decision).
The main changes embodied in the GDPR can be summarized as follows:
1. A new (territorial) scope of protection. Unlike the Data Protection Directive, the GDPR applies where either the controller or the processor is established in the EU, irrespective of where the processing itself is carried out, and also where a controller is not established in the EU but in a place where Member State law applies by virtue of public international law. Notably, the GDPR further applies to processing by a controller or processor not established in the EU where the data subjects are in the EU and the processing relates to the offering of goods or services to them or to the monitoring of their behaviour within the EU. Because the GDPR thus looks at where the individual is, and not only at where the organization is established, determining whether it applies will require an assessment of whether individuals in the EU are targeted by the processing activities.
2. New types of personal data, such as genetic and biometric data, and the concept of pseudonymized data, are recognized.
3. A restated basis for the lawful processing of personal data, including the conditions for obtaining the data subject's consent.
4. New rights for individuals, including the right to be forgotten (erasure), the right to restriction of processing and the right to data portability.
5. Specific rules on automated individual decision-making, including profiling.
6. Accountability obligations not only for controllers but also for processors with respect to data protection by design, data protection by default, records of processing activities, security of processing, data protection impact assessments and the designation of a data protection officer.
7. Revised rules on international data transfers.
8. A cooperation mechanism for the various national data protection authorities.
9. A new liability scheme with respect to remedies and penalties in the event of a violation of the GDPR.
In this post and another post to follow, we will elaborate on some of these changes.
Looking at the definitions applicable under the GDPR, it is apparent that the introduction of pseudonymized personal data blurs the dichotomy between personal data and anonymized data. Pseudonymization reduces the linkability of personal data with the data subject and is accordingly a useful security measure that sits half-way between information relating to an identified or (directly or indirectly) identifiable individual (personal data) and information from which an individual can no longer be identified (anonymized data) [see Recital 26 of the GDPR and WP216, Opinion 05/2014 on Anonymisation Techniques]. It is important to note that pseudonymized data remain personal data: the additional information that allows re-identification still exists, even if it is kept separately and protected by technical and organizational measures. Pseudonymization also falls within the technical and organizational measures designed to implement the principles set out in the GDPR, given that controllers are now required to implement data protection by design and by default.
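As an added illustration, not part of the original post, the following Python example shows keyed pseudonymization in the sense of Recital 26: direct identifiers are replaced by HMAC-SHA256 pseudonyms, so records about the same person remain linkable to each other but not to the person, while the key, held separately from the data set, is the "additional information" that permits re-identification. It also shows why an unkeyed hash of a low-entropy identifier such as an e-mail address is not an effective pseudonym: anyone holding a list of candidate addresses can reverse it without any secret. The records, addresses and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; example-domain placeholders, not real people.
RECORDS = [
    {"email": "alice@example.org", "date": "2016-05-04", "page": "/pricing"},
    {"email": "bob@example.org", "date": "2016-05-04", "page": "/signup"},
    {"email": "alice@example.org", "date": "2016-05-05", "page": "/checkout"},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.

    Deterministic for a given key, so records about one person stay linkable
    to each other. Without the key, the pseudonym cannot be tied back to the
    identifier, even by someone who can guess the identifier.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes, field: str = "email"):
    """Replace the direct identifier in each record with its pseudonym.

    The returned records no longer carry the identifier field at all; only the
    pseudonym (subject_id) and the remaining attributes survive.
    """
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = pseudonymize(copy.pop(field), key)
        out.append(copy)
    return out


def reidentify(pseudonym: str, candidates, key: bytes):
    """Re-link a pseudonym to an identifier.

    This needs the key (Recital 26's 'additional information', which must be
    stored separately from the pseudonymized data set) plus a set of candidate
    identifiers. Returns None when no candidate matches.
    """
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate, key), pseudonym):
            return candidate
    return None


def unkeyed_hash(identifier: str) -> str:
    """The common mistake: a plain hash with no secret, often mislabelled as a pseudonym."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(digest: str, candidates):
    """Reverse an unkeyed hash by hashing each candidate; no key is required."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    # The key is generated once and kept apart from the data set (e.g. in a KMS/HSM).
    key = secrets.token_bytes(32)
    pseudonymized = pseudonymize_records(RECORDS, key)
    for row in pseudonymized:
        print(row)
    # Linkage within the data set is preserved: Alice's two visits share a subject_id.
    print(pseudonymized[0]["subject_id"] == pseudonymized[2]["subject_id"])
    # With the key, the controller can re-identify; without it, nobody can.
    print(reidentify(pseudonymized[0]["subject_id"], [r["email"] for r in RECORDS], key))
    # An unkeyed hash of an e-mail address falls to a simple candidate list.
    print(dictionary_attack(unkeyed_hash("bob@example.org"), [r["email"] for r in RECORDS]))
```

Two design points follow from this. First, the separation is only meaningful if the key is held by a different system or team from the one holding the pseudonymized records; if both sit in the same database, the data are personal data in exactly the same way as before. Second, even correctly pseudonymized records still carry quasi-identifiers (dates, pages visited) that can single out a person when combined with other data, which is the residual identification risk a risk-based assessment has to consider before treating the output as anything close to anonymous.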
Until now, the EU national Data Protection Authorities (DPAs) have taken differing views on the conditions under which personal data are considered to have become pseudonymous or anonymous, giving rise to inconsistencies between jurisdictions. For example, rather than focusing on whether information qualifies as personal data, the UK and Swedish DPAs have followed a risk-based approach aimed at assessing the risk of identification and the related harm to the data subject (see the UK Information Commissioner's Office's 'Anonymisation: managing data protection risk code of practice' and the Swedish Data Protection Authority's guidelines on cloud services). In addition, the GDPR includes health, biometric and genetic data among the special categories of data, whose processing on a large scale will require a data protection impact assessment to establish the risks connected with the processing.
Controllers are now obliged to identify the risks to the rights and freedoms of individuals associated with their processing, especially where new technologies are deployed, by carrying out a Data Protection Impact Assessment (DPIA). This process is intended to let controllers meet their accountability obligations by carrying out personal data processing in accordance with the GDPR. It is important to highlight that the GDPR now also imposes obligations directly on processors, which are required to help controllers fulfil their own obligations under the GDPR. For example, processors will have to assist the controller in responding to individuals exercising their rights and in notifying personal data breaches to the DPAs, implement appropriate security measures, and ensure that, where they appoint sub-processors, the obligations in the corresponding agreement mirror those passed on to the processor by its contract with the controller.
In this regard, the controller-processor contract will now have to set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. This contract will detail how the processor carries out the processing on behalf of the controller, who remains accountable for the processor's activities in accordance with the GDPR. The processor's new obligations under the GDPR have not been warmly welcomed by all, with some considering them too burdensome when applied to a commoditized service such as cloud infrastructure (for an interesting perspective on how the GDPR affects cloud computing, see Kuan Hon's 'GDPR: Killing cloud quickly?').
All the foregoing has led to the introduction of a new liability scheme under which processors may be jointly and severally liable with controllers for damage caused by the processing, unless an exclusion applies. Likewise, both controllers and processors will be subject to administrative fines under the GDPR of up to 20 million euros or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher."