Update Data Protection No 5
EU has agreed on terms of General Data Protection Regulation
On 15.12.2015 EU Commission, Council and Parliament agreed on the final terms of the General Data Protection Regulation (GDPR) in their trialogue negotiations. It is generally expected that the draft will be adopted soon, in any event not later than summer 2016. This ends the uncertainty about the content of the new European Data Protection law which will be directly applicable in all Member States two years after the adoption by Commission, Council and Parliament. We take this as an opportunity to highlight some essential rules.
Due to the complexity of the biggest data protection reform since the establishment of data protection law, we will only report the most important provisions in detail. The essentials may be summarized as follows:
- Potential fines are raised to up to EUR 20 million or 4 % of the total worldwide annual turnover (Art. 79 GDPR).
- For companies that operate in several EU countries, a national lead supervisory authority ("one-stop shop") will be the primarily responsible authority (Art. 51a GDPR).
- Many national data protection laws will become inapplicable where their subject matter is already covered by the GDPR's broad scope. In Germany this applies to many sections of the Federal Data Protection Act ('Bundesdatenschutzgesetz', BDSG) as well as to the data protection provisions of the German Telemedia Act ('Telemediengesetz', TMG). Furthermore, national rules on personal data in social and welfare systems as well as in healthcare will become inapplicable. The Member States are only allowed to regulate data processing in a few exempted areas, such as data processing in the employment context (Art. 82 GDPR).
- The appointment of a Data Protection Officer will be mandatory throughout the EU. However, it is unclear at what threshold a company must appoint one (Art. 35 GDPR).
- The written form is no longer a requirement for consent, but other requirements will be stricter, especially regarding the necessary "voluntariness" of consent. Consent of persons under 16 years must be authorized by the holder of parental responsibility.
- Transparency obligations, i.e. the obligation to inform data subjects about data processing operations, are considerably expanded (Art. 14 GDPR).
- In the context of data processing on behalf of a controller, the data processor will bear greater responsibility and must comply with more formal requirements (Art. 26 et seq. GDPR).
- The obligation to report security incidents is significantly expanded under Art. 31 GDPR and will exist alongside the reporting obligations arising from national and EU IT security laws.
- There are significantly more formal requirements before an undertaking is allowed to process data (the so-called "data protection impact assessment", Art. 33 et seq. GDPR).
- The right to data portability is implemented in Art. 18 GDPR.
- The right to be forgotten (Art. 17 GDPR) has been implemented in accordance with the requirements of the CJEU.
- Privacy by design and privacy by default have been established as principles in Art. 23 GDPR.
Increase of potential fines
The most serious change in data protection legislation is the substantial increase of potential fines. So far, in Germany, fines of up to EUR 300,000 were the possible sanction for unlawful processing of data. The penalty framework of Art. 79 GDPR now includes fines of up to EUR 20 million or, in the case of an undertaking, 4% of its global annual turnover (Art. 79 para. 3a GDPR). Data protection compliance in undertakings should therefore carry greater weight in the future. It is remarkable that, according to the wording of the GDPR, the basis for calculating fines is not the worldwide turnover of a group of companies but the infringing entity's turnover (possibly a subsidiary with significantly lower turnover). This is most likely due to the fact that no general permission or exemption for intra-group data transfers exists in European data protection law.
One stop shop
The competent authority for an undertaking which is active in more than one Member State will be the so-called "lead supervisory authority" according to Art. 51a GDPR. The authority responsible for the "main establishment" of a group in Europe will be the lead supervisory authority for all questions relating to data protection throughout Europe. In cross-border cases the lead supervisory authority shall coordinate the activities of the other national data protection authorities (Art. 54a GDPR). Even in purely national cases, the national supervisory authority must consult the lead supervisory authority, and the latter has the right to decide whether it will deal with the case itself (Art. 51a para. 2c GDPR). Thus, forum shopping by international corporations takes on a new dimension. Furthermore, the "one stop shop" concept will be a challenge for the national supervisory authorities, as most of them already struggle with significant capacity bottlenecks. But important new questions also arise for companies: what is the "main establishment"? According to the definition in Art. 4 para. 13 GDPR, not only the administrative headquarters must be taken into consideration; the seat of the entity or office that has de facto control over the processing of data in the EU may also be the main establishment.
Data protection officer
According to the GDPR, each undertaking shall designate a data protection officer if its core activities consist of data processing or if the undertaking processes special categories of data pursuant to Art. 9 GDPR, such as health data or information about religious affiliation. In both cases, however, the data processing must take place on "a large scale". Obviously, it was not possible during the trialogue to agree on a specific threshold. In the drafts, a certain number of employees or a number of processed records or persons concerned had been proposed. However, no specific figures can be found in the final text. The resulting legal uncertainty is all the more severe as a violation of the obligation to designate a data protection officer may result in a fine of up to EUR 10 million in accordance with Art. 79 para. 3 GDPR. It is therefore advisable to appoint a data protection officer for each company simply to avoid any risk. German companies, which usually already have a data protection officer, should for now retain it to avoid uncertainty.
Transparency obligation
Each data processor must inform the data subjects to a greater extent than before. Currently, in most contexts, it is sufficient to inform about the identity of the controller and the purpose of data processing. Art. 14 GDPR now contains a number of further onerous requirements. For example, where a controller relies on a "legitimate interest" to justify the data processing, it is necessary to explain this legitimate interest in detail.
In addition, the retention period, an indication of the right of appeal to the competent supervisory authority and an indication of the right to revoke any consent must be given. The contact details of the data protection officer also have to be provided to the data subject.
Requirements for consent
The GDPR does not contain a general requirement that declarations of consent be made in writing, as is currently the case in Germany under Sec. 4a BDSG. Hence, in future all declarations of consent may be given by a mere click on the internet or a "touch" on a smartphone. At the same time, Art. 7 para. 4 GDPR and recitals 32 and 34 set a high threshold for the voluntary nature of consent. Consent of minors (defined as persons younger than 16 years) will in future only be valid if the consent is authorized or given by a parent or guardian (Art. 8 GDPR).
Broad displacement of national data protection law
National data protection law will not remain applicable where it falls within the GDPR's scope. Only a handful of special areas defined in Art. 80 et seq. GDPR are excluded, such as data processing in the employment context or for scientific purposes (Art. 83 GDPR). Furthermore, there is a vaguely worded exemption which allows national regulations if the data processing serves a public interest (Art. 6 para. 2 in conjunction with Art. 6 para. 1 (e) GDPR). However, in Germany a lot of well-established rules, which permit the data processing of credit bureaus, video surveillance, the use of personal data for advertising purposes, scoring, and the general permission to generate pseudonymous user profiles for advertising purposes in the online sector (§ 15 para. 3 TMG), will be inapplicable in the future. While in most drafts the regulation of "health data" and "genetic data" was intended to remain open to the Member States (Art. 81 et seq. GDPR), the clauses that allowed national regulations in this area are missing from the final text. In many EU Member States it will probably now have to be analyzed in detail which data protection rules in social law will be replaced by which provisions of the GDPR.
The four main permission clauses
In place of the existing detailed national rules, the GDPR basically sets out six general provisions which determine whether data processing is permitted in principle (Art. 6 para. 1 (a) to (f) GDPR). In practice, the following four essential permission clauses will be the most important:
- Data processing is covered by consent of the data subject;
- Data processing is necessary for the performance of a contract;
- Data processing is necessary for compliance with a legal obligation;
- Data processing is necessary for the purposes of the legitimate interests of the data controller.
Many cases will be solved by "legitimate interest"
Assessing whether data processing lies in the "legitimate interest" of the data controller and is not overridden by the interests or fundamental rights and freedoms of the data subject is a complicated task, especially since initially there will be no case law available as guidance. This is all the more serious as most of the technologies of the modern world which the GDPR is actually meant to regulate, such as targeting for advertising purposes, Big Data, Industry 4.0, Smart Home, Connected Car and the Internet of Things, are in most cases lawful if there is consent, a respective contract or, at least, a sufficient "legitimate interest" of the data controller. However, this may be an advantage for undertakings after all, as the important provision on "legitimate interest" opens a broad scope of interpretation which may be used to justify direct marketing that would not be allowed under the current national data protection laws. After all, the recitals contain indications as to when a legitimate interest may exist, such as in data processing for the purposes of:
- Fraud prevention (recital 38)
- IT security (recital 39)
- Direct marketing (recital 38)
- Intercompany management (recital 38a)
While the latter recital implements at least an indirect "group privilege" in the GDPR, it must be noted that new technologies, such as Big Data and Smart Home, are not mentioned as examples of legitimate interest. It is therefore important to analyze the facts of the case in detail and to carefully balance the interests of the data subjects and the data controller before applying such technology.
Within the framework of the balancing test, the "reasonable expectations" of the data subjects have to be taken into account (recital 38). "Reasonable expectations" is a new indefinite legal term in this context which has no precedent in data protection law.
The two years until the GDPR becomes effective should be used to analyze which permission clauses could apply to existing data processing and, where legitimate interest is to be the basis, whether there are sufficient valid arguments in favor of an overriding interest of the data processor.
Conclusion
The GDPR contains too many new provisions to address all aspects in this Update in detail. From the facts presented, the following conclusion can be drawn: given the new high fines and the many changes in substantive law, undertakings should start early to examine which changes will be needed in their processing of data. Much of the previous guidance of the national supervisory authorities will be of no help in the course of this examination. As an exception, it is likely that some Opinions of the Art. 29 Data Protection Working Party may at least serve as a point of reference, as the Working Party has usually based its Opinions not on national law but on the old Directive 95/46/EC, whose wording regarding the permission clauses is very similar. It will be interesting to observe whether the data protection authorities will publish new guidance papers before the GDPR becomes applicable.