
The GDPR – an overview

February 2016

After four years of negotiations, the text of the General Data Protection Regulation (GDPR) was agreed at the end of 2015 and is expected to be adopted shortly. We will then have two years before the legislation comes into force.

Taylor Wessing will be exploring the full detail of the GDPR on the Global Data Hub over the coming year but this month, we consider the headlines and our international data protection experts give their reactions.

What’s the issue?

Four years ago, the European Commission published a data protection package to reform, modernise and harmonise European data protection law. The cornerstone of the package is the General Data Protection Regulation (GDPR) which will replace the 1995 Data Protection Directive and, in the UK, the Data Protection Act 1998.

What’s the development?

The GDPR has been the most lobbied piece of EU legislation to date but towards the end of December 2015, it was announced that political agreement had been reached. The agreed text has been published although it still needs to be formally adopted. This is expected to take place in spring 2016, after which there will be a two-year implementation period.

What does this mean for you?

After years of poring over the various drafts of the legislation, it’s fair to say that there are no huge surprises in the final version. This does not mean the legislation lacks bite, not least in the vastly increased levels of fines for non-compliance (up to 4% of annual global turnover or 20m Euros, whichever is greater).

What does GDPR mean for you?

There can be no doubt that despite being in the form of a Regulation (which takes direct effect under Member State law), the GDPR does not achieve full harmonisation of data protection law across the EU. The GDPR leaves scope for Member States to introduce their own requirements in certain instances and also leaves room for the Commission to make delegated acts. Together with the complex 'one stop shop provisions' and some vague wording, the GDPR is going to raise a lot of questions about how it should be put into practice.

The legislation will bring in a large number of changes and organisations will need to consider it carefully and make sure they are compliant by the time it comes into force in 2018. Issues which are attracting particular focus include consent, increased administrative requirements and the need to provide a full audit trail, data exports and the new obligations on data processors.

The level of effort involved in moving towards compliance will depend not only on how compliant organisations are with current law, but also on how closely their local data protection law resembles the GDPR, as is apparent from the commentary below.

Read more

We will be covering the GDPR in detail, both in terms of what it covers and its application to particular industries over the coming year on our Global Data Hub but here are some headlines from the GDPR together with (sometimes contrasting) reactions from Taylor Wessing's international team of data protection experts.

Territorial scope

The GDPR expands the territorial scope of European data protection legislation to make it applicable to non-EU organisations offering goods or services to data subjects in the EU or monitoring their behaviour to the extent that the behaviour takes place in the EU. This ambitious approach formalises the approach taken by the Court of Justice of the European Union in recent cases but it remains to be seen whether it is enforceable.

    "It would seem rather ambitious for the GDPR to seek to have extra-territorial reach, especially with the collection of personal data of European citizens by Asian companies in Asia, who do not have operations or protectable assets in Europe."
    (Rizwi Wun, Singapore)

    "The fact that controllers in third countries will have to comply with the same rules as EU companies under certain circumstances creates a more level playing field for competition purposes."
    (Bernhard Schörghuber, Vienna)

Notification

There is no requirement to notify authorities of data processing but a requirement to keep records of data processing activities (subject to limited exceptions for SMEs).

    "Current Slovak data protection legislation has centred around formalities to date. The GDPR will require controllers established in Slovakia to comply with the spirit and not merely the letter of the law."
    (Radovan Pala, Slovakia)

One Stop Shop

Organisations will be regulated by a single regulator in the place of their main establishment. The main establishment will be the main administrative location in the EU unless the main decisions about data processing are taken in a different Member State in which case that will be the main establishment. Individuals will be able to make complaints in their Member State at which point that regulator will engage in a cooperation procedure which will be settled by the European Data Protection Board in the event of disagreement. Member State regulators will also be able to deal with any issues arising in their own States subject to a cooperation procedure.

    "While one of the main objectives of the GDPR was to harmonise EU data protection law, the complex arrangements around the 'one stop shop' mechanism and the various derogations permitted under the GDPR mean full harmonisation has not been achieved."
    (Vinod Bange, London)

    "It is the introduction of the cooperation between the lead supervisory authorities that might bring the biggest benefits if it works effectively."
    (Przemyslaw Walasek, Poland)

Penalties

The GDPR significantly raises the stakes in terms of compliance, with maximum penalties of 4% of annual global turnover or up to 20m Euros (whichever is higher).

    "The large fines will incentivise compliance."
    (Torsten Braner, Hungary)

    "We are waiting with bated breath to see how the Commission will enforce this and other obligations in Asia."
    (Rizwi Wun, Singapore)

    "Currently the Polish Data Protection Authority is not authorised to impose financial penalties (the most severe sanction for a failure to comply with the data protection laws is criminal liability). Consequently, the possibility under the GDPR to impose high fines calculated on the basis of the total worldwide annual turnover will significantly strengthen the position of the Polish regulator and will require an appropriate revision of the entrepreneurs’ approach to the data protection issues."
    (Przemyslaw Walasek, Poland)

Data Protection Officers

There is a requirement to appoint a data protection officer (DPO) where an organisation’s core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data. Member States will have discretion to enact national provisions imposing further requirements regarding the appointment of DPOs. This is a step back from the original provisions around DPOs which were more stringent. Clearly though, accommodation has had to be made for jurisdictions like Germany which have had DPO requirements for some time.

    "This is the first time Austrian organisations may be legally required to appoint a DPO yet the wording around when DPOs must be appointed is very vague – what constitutes a 'large amount' of sensitive personal data, for example?"
    (Andreas Schütz, Austria)

    "Data Protection Officers will only be mandatory under limited circumstances. While this potentially reduces bureaucratic hurdles for many smaller companies in Germany which may no longer be required to have DPOs, the situation is somewhat uncertain given, not only the rather unclear wording, but also, the scope for Member States to impose additional obligations."
    (Sibylle Gierschmann, Munich)

Breach Reporting

Breaches must be reported to the relevant regulator without undue delay and, where feasible, within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Data subjects must be informed without undue delay where the breach is likely to result in a high risk to the data subject’s rights and freedoms unless the data has been rendered unintelligible to any third party (for example by encryption), the data controller has taken steps to ensure the high risk is unlikely to materialise or it would involve disproportionate effort to inform data subjects individually, in which case a public announcement can be made. Data processors are required to inform data controllers of any breach without undue delay. The breach reporting provisions have undoubtedly been watered down from the original proposals but they remain potentially onerous.

    "The media in the Netherlands has focused on the issue of data breach notification, particularly as this requirement was introduced into Dutch law on 1 January 2016. Clients have been asking us about how to move to compliance on this and other issues."
    (Frederick Leentfaar, the Netherlands)

    "The new rules on breach reporting will surely ensure a greater degree of focus on compliance with security obligations."
    (Torsten Braner, Hungary)

Consent

Organisations relying on consent to process personal data will need to show that the consent is freely given, specific and informed and is an “unambiguous indication” of a data subject’s wishes and expressed either by a statement or a clear affirmative action. Consent will be purpose limited i.e. related to explicitly specified purposes.

    "Organisations which have historically relied on consent as a justification for data processing could be particularly hard hit and may have to get renewed consent or find another justification for their processing activities."
    (Sally Annereau, London)

    "The issue of consent is of great interest to many, particularly in terms of employer consent to processing, especially where the data is processed by group companies in third countries."
    (Tomas Korman, Slovakia)

Data Protection Impact Assessments

Organisations will be required to carry out data protection impact assessments (DPIAs) if their proposed activities are likely to result in a high risk to the rights and freedoms of individuals, in particular through the use of new technologies and in cases of profiling. If the DPIA reveals a significant risk, organisations must consult with their regulator before beginning the processing.

    "The GDPR introduces DPIAs as a new measure to mitigate risks of sensitive data processing operations to the rights and freedoms of data subjects. This new provision, which matches similar requirements in force in Germany for years, is a significant step to help lead organisations towards compliance."
    (Paul Voigt, Hamburg)

    "This is another example of the vague wording of the GDPR. What constitutes a 'high risk' for the rights and freedoms of individuals will surely be open to debate."
    (Andreas Schütz, Austria)

Data subject rights

The GDPR contains new rights around data portability, the right to be forgotten and to prevent profiling. It also continues the right to object to processing, to rectification and erasure.

    "Czech law already contains most of the rights provided for under the GDPR, including the right to be forgotten online."
    (Karin Pomaizlova, Czech Republic)

Privacy by design and default

This concept is to be enshrined in statute – controllers are specifically prevented from setting defaults that disclose data to all.

Purpose limitation

Data processing must be carried out for the original purpose(s) for which it was collected unless the new purpose is a compatible one.

Data export to third countries

The GDPR places restrictions on transfers of personal data outside the EU similar to those under current law. Data can be transferred under a Commission adequacy decision (the GDPR sets out how these are to be reached), under standard contractual clauses, or under BCRs for intra-group transfers. In addition, there are limited possibilities to transfer data with consent or where it is necessary for the performance of a contract.

    "Adequacy decisions continue to be a justification for data transfers to third countries but the GDPR supplements the obligations of the Commission by introducing a periodic review mechanism and specifies the criteria that have to be taken into account by the Commission when taking an adequacy decision. The criteria pick up many aspects outlined by the CJEU in its ruling on Safe Harbor. It can be assumed that cross-border data transfers – and the requirements that have to be taken to justify them – will be a particular focus of the European data protection regulators in future."
    (Axel von dem Bussche, Hamburg)

    "Currently clients are mostly interested in issues regarding cross-border transfer of data and transfer of data within the group of undertakings."
    (Przemyslaw Walasek, Poland)

Data processors

Parts of the GDPR will apply directly to data processors who will be subject to compliance requirements and to sanctions for non-compliance.

    "The obligations on processors mean that large numbers of organisations are going to be brought directly into the data protection regime for the first time. Coupled with the increased audit trail requirements, in particular PIAs and obligations around DPOs, many organisations will have a greatly increased compliance burden under the GDPR."
    (Vinod Bange, London)

    "Under Czech law, contracts between controllers and processors must be in writing and this excludes any electronic form so the broader wording of the GDPR regarding the form of the contract is a welcome easing of the compliance burden in the Czech Republic."
    (Karin Pomaizlova, Czech Republic)

Subject access requests

Individuals can make subject access requests (SARs) to find out details of information held about them and how it is used. SARs must be responded to by the data controller without undue delay and, at the latest, within one month of receipt of the request. This period may be extended for a maximum of two additional months when necessary, taking into account the complexity of the request and the number of requests. The data controller has the right to charge a reasonable fee to cover administrative costs but only where the requests are "manifestly unfounded or excessive". The controller can also refuse to respond under these circumstances.

    "We are pleased to see recognition of the fact that complex subject access requests may take longer to respond to."
    (Mirena Taskova, London)

Digital consent for minors

While the default age for giving valid consent and using online services is set at 16, Member States will be able to reduce this to as low as 13.

    "As agreement on the GDPR was reached in late December last year, the press has been slow to comment. In the UK, the issue which attracted the most attention was the age of consent for minors but this is likely to change as we move towards implementation."
    (Sally Annereau, London)

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Debbie Heywood