GDPR stands for the General Data Protection Regulation, the new (well, not so new anymore! We’ve been waiting for it for 4 years, ever since the EU Commission announced for the first time its intention to completely overhaul the EU’s privacy regulatory framework!) European legislation on everything (well, almost everything) privacy.
The GDPR comes into force on 25 May 2018 and will replace the EU Privacy Directive (95/46/EC) of 1995.
What was the inspiration behind the GDPR?
The first, and obvious, reason for anyone who’s been following the development of the world wide web since its invention in the mid 90’s is that the current regulatory framework is over 20 years old, and although there have been some attempts at modernizing the law, most notably the adoption of the ePrivacy Directive in 2002, the existing legislation fails to a large extent to account for recent technology developments and the new forms of data processing that have appeared in the new millennium.
The second one lies with the choice of instrument made in 1995 when the current legislation was passed. A Directive, under EU law, only provides a framework for EU Member States to follow in adopting their own laws. It’s a baseline, not an instrument that applies in the EU countries as law in its own right. As a result, there have been as many privacy laws in the EU as there are Member States and, needless to say, not much consistency in the rules, which basically means that any company doing business in the EU would have to comply with not only EU law, but also all national legislation on privacy across the EU! A nightmare!
Last but not least, the EU is currently composed of 28 members (yes, the UK still is one of them, and will be until 2019!) and having to navigate 28 different legislations on privacy made it very difficult for companies doing business in or with the EU which, in turn, has somewhat lowered the appetite for U.S. companies in particular to want to do business in the region.
So what is new now?
Well, first and foremost, this is a Regulation, not a Directive, and in EU speak, this means the instrument is directly and automatically applicable in the Member States, and dispenses with the requirement of passing national legislation on the matter. It therefore creates uniformity and consistency in the way privacy and data protection are interpreted throughout the EU. Come May 25, 2018, the Regulation becomes law in all of the Member States of the EU, a massive change from the current situation.
Ok, now that we have laid out the foundations, to whom does this Regulation apply?
In the words of the GDPR, the Regulation applies to any business that (i) processes personal data of EU residents when offering them goods and services (whether or not for payment), or (ii) monitors behavior occurring in the EU.
Covered data includes personal, pseudonymous, and sensitive data of EU “data subjects” (i.e. information that relates to “identified or identifiable natural persons”).
What are the key features of the new legislation?
- Consent – Companies must get affirmative consent to process the personal information of individuals. Consent must be “freely given, specific, informed and unambiguous.” For example, the individual’s failure to click an “opt out” box, by itself, is not valid consent. Consent must also be reversible, and specific to each type of processing.
- Internal Compliance – Businesses will need to implement comprehensive EU-compliant data protection compliance programs, and then be able to provide evidence of these programs to EU data protection authorities if asked.
- Built-In Privacy — New products and services must encompass “Privacy-by-Design” or “Privacy-by-Default” concepts when personal information is to be collected. In addition, Privacy Impact Assessment (PIA) may be required to work out risks inherent in new products or in connection with certain activities, and appropriate security and other protections would need to be implemented based on that risk assessment.
- Data Breach Notification — The GDPR imposes notification requirements for data breaches (this is new in the EU!). Businesses will have only 72 hours to notify data protection authorities and, in certain circumstances, affected individuals, after a data breach. They must also implement a specific data breach response and mitigation plan.
- Individual Control – Businesses must be responsive to requests from individuals to know what personal information is collected about them and how it is being used, to object to “profiling” using their personal information, and to have their information accessed or even deleted (under certain circumstances).
- Data Privacy Officers — In certain circumstances, foreign businesses may also need to appoint a Data Privacy Officer.
- Data Processors are Liable! – Whereas under the current Directive companies that process data on behalf of other companies aren’t directly responsible under EU laws (except in connection with the implementation of appropriate data security), under the GDPR these subcontractors are directly responsible from the moment they process the data of EU residents as part of the services they offer.
- Increased Penalties – The GDPR includes significantly increased penalties for violations: fines as high as Euro 10M or 2% of annual worldwide revenue in the preceding year, or Euro 20M or 4% of annual worldwide revenue, depending on the type of violation.
Now, the above may not seem like a lot to companies of a certain size, in particular those with multinational operations and a well-established culture of compliance as relates to privacy, but to most companies – and even to us privacy professionals – it is a huge step and something that requires a real change of culture at most companies. It takes months to get ready for GDPR, so don’t delay!
Oh, and yes, GDPR and the Privacy Shield are 2 very different things. Having self-certified under the EU-U.S. Privacy Shield (the successor to the defunct Safe Harbor some of you may have heard of) will not, by itself, make you GDPR-compliant.
So contact us now! Admitted as lawyers in both the EU and the U.S., and well versed in privacy laws on both sides of the Atlantic Ocean, we are ideally positioned to assist you in complying with the GDPR!