EU data protection legislation is some of the best in the world, but the past year has seen a number of upheavals in how things are done.
Changes to the law are being made in substantive ways, and also in procedural ways for how the law will be implemented in the EU region and affect the rest of the world.
Particularly in relation to the EU and US data protection relationship, changes from the EU Data Protection Directive to the new EU General Data Protection Regulation (GDPR) will affect not just EU citizens, but other countries around the world, with the US in particular bearing a large number of these changes detrimentally.
In tandem, the striking down of the EU-US Safe Harbor provision made large changes to how the EU deals with the transfer of data to the US, and the new EU-US Privacy Shield is still to be tested.
Let's take a look at what the new EU General Data Protection Regulation (GDPR) is, what it will change, and how businesses can comply going forward.
The EU Data Protection Regulation (shortened to GDPR) is a new piece of legislation that was unveiled in 2012.
It is proposed to come into force in late 2015 or early 2016, and it is intended to replace the EU Data Protection Directive, which has been in place since 1995.
Like the EU Data Protection Directive, the GDPR will apply to all EU member states, but it will also apply to many more countries around the world.
Let's take a look at some of those changes now, and what it may mean for your business.
One of the primary changes that the new GDPR regulation will make is that data collectors (website/mobile apps that are collecting personal data from users) will be required to reveal more information to users than previously.
The GDPR regulation sets out that:
These changes in the regulation are not significantly different from what is already required by the current Directive, but they focus more on small details, such as disclosing to users the period for which the personal data will be stored and the existence of the right to request access to, update, or removal of the collected data.
GDPR also increases the responsibility of the controller of the data, which no longer just includes the original collector. This means that third parties such as cloud providers are now also responsible in the case of a breach.
Now let's take a look at how this regulation will be implemented and what's different between the Directive and the GDPR regulation.
The new regulation puts a new requirement in place for some businesses to have a Data Protection Officer (DPO).
A DPO is a staff member whose role is to ensure that the regulation is complied with in their business or organization.
The DPO's role is an independent one and they must keep a register that can be accessed by any interested person.
The EU Data Protection Officer's Network has released a paper setting out professional standards for Data Protection Officers. This paper notes that:
the DPO shall be selected on the basis of his or her personal and professional qualities, in particular, his or her expert knowledge of data protection.
Once a DPO has been selected for a business, their appointment must be registered with the European Data Protection Supervisor. The DPO can be appointed for a term of between 2 and 5 years and is eligible for reappointment up to a maximum of 10 years.
Some of the ways in which the DPO can ensure the regulation is complied with are:
Previously, the EU Data Protection Directive had to be implemented in local laws by individual EU member countries, and each country had up to 3 years from the Directive being issued to do this. For example, the UK has been using the UK Data Protection Act 1998 to implement the Directive.
The new GDPR regulation will change that. Instead, the regulation will automatically apply to all EU countries. EU countries won't have to implement their own local laws to comply with this regulation.
However, without the 3 year lead-in period, some businesses may be caught out if they don't get up to speed before the law comes into force.
For businesses that want to be in compliance early, a draft of the Regulation has already been issued. This means that EU member states and businesses can use this draft to get started on complying with GDPR.
Another major step away from the Data Protection Directive is that GDPR will cast a wider net in terms of catching online service providers around the world. Rather than simply applying to businesses operating within the EU, the law also applies to anyone dealing with personal data of EU citizens.
If you think your business might be captured by this regulation, such as having users from the EU, you need to set up compliance measures sooner rather than later.
We'll cover compliance measures at the end of this guide. The GDPR regulation includes stronger rules on the transfer of personal data outside of the EU which you should know about.
For the personal data of citizens from the EU to be transferred out of the EU, the third country (the country the personal data is transferred to) must be one that "ensures an adequate level of protection" for that personal data.
When considering whether a third country ensures "an adequate level of protection", these factors are looked at:
The European Commission has deemed several countries to have met these criteria. Currently, these are:
If your business isn't located in one of the countries listed above, a legal international agreement can be put in place between the EU and that country to agree that data can be transferred there.
The best-known agreement of this kind is the US-EU Safe Harbor agreement. However, the European Court of Justice has just issued a ruling that means the Safe Harbor agreement may no longer be enforceable.
GDPR initially proposed to remove the Safe Harbor provisions, which governed the transfer of data between the US and EU. However, this issue never arose in the context of the regulation, as the Safe Harbor provisions were recently struck down by the European Court of Justice before the regulation could come into force.
Previously, the European Commission considered the US to provide "adequate protection" only under the Safe Harbor provisions. This meant that without the provisions of the Safe Harbor agreement, the US could no longer be considered to provide "adequate protection" for the purpose of storing the personal data of EU citizens.
The new General Data Protection Regulation was expected to change this, but the European Court of Justice stepped in and made changes before the regulation could do so.
The European Court of Justice's decision in October 2015 in "Maximillian Schrems v Data Protection Commissioner" examined the Data Protection Directive's provisions that the transfer of personal data to a third country may take place only if that third country ensures an adequate level of protection of the data.
The Data Protection Directive also set out that the Commission could find that a third country ensured the "adequate level of protection" by reason of its domestic law or its international commitments. The Commission had taken advantage of this provision, by deeming that the Safe Harbor agreement ensured an "adequate level of protection" for the data of EU citizens.
However, the Court of Justice noted that despite the Commission's power to make a decision that the transfer of a person's data to a third country complies with the requirements laid down by the Data Protection Directive, there was nothing in that directive that prevented oversight by the national supervisory authorities of transfers of personal data.
As a result, the Court of Justice felt that despite the Commission's decision that the US-EU Safe Harbor provisions were adequate, the Court of Justice could still decide whether or not that Commission decision was valid.
The Court noted that:
legislation [i.e. US legislation that allows NSA spying] permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
As a result, the Court found that the Safe Harbor decision was not compatible "with the protection of the privacy and of the fundamental rights and freedoms of individuals."
To that end, the Court declared the Commission's Safe Harbor decision invalid.
The EU Data Protection Authorities set a deadline of January 31 for the European Commission to agree on replacement Safe Harbor provisions, and the new EU-US Privacy Shield was approved by the EU Commission on 2 February 2016.
However, the Privacy Shield is still drawing heavy criticism from privacy advocates, lawyers, and companies, who have all noted that it is not clear enough. With regard to consumers, the Privacy Shield has been criticized for not providing them with enough protection.
This means that further changes to the Privacy Shield are likely still to come.
The GDPR will be stricter overall and will include greater penalties for those organizations or businesses who don't comply with the regulation.
It appears that a three-tiered system will be used. Each tier covers a different level and type of data breach and corresponding penalties.
Under the first tier, those that intentionally or negligently fail to respond promptly to data subject (user) access requests, or charge a fee for handling such requests, could be fined up to 0.5% of their total worldwide annual turnover.
The next tier is a fine of up to 1% of annual turnover. This could be imposed on businesses that:
The highest tier fine, which is up to 4% of a business' turnover, would be handed out if the business "intentionally or negligently process[es] personal data without having a legal basis for doing so, break[s] rules on profiling, fail[s] to notify data breaches, or transfer[s] personal data outside of the EU without adequate safeguards."
GDPR will allow consumers to file "class action" style lawsuits against data controllers who lose personal data.
This is an increased risk that the risk management staff in your business will need to take into account from both a legal and a financial perspective.
First, figure out whether or not you deal with the data of any EU citizens.
If your business (website/mobile app/desktop app) is an international one (users anywhere can use it), it's better to assume that some of your users may be EU citizens, rather than assume the opposite.
Most online businesses use a method called browsewrap, which is not a good method of getting consent from users on legal agreements. This is what browsewrap looks like, from the Tech Target network website's footer:
Here's another example of what browsewrap might look like on a mobile device, from the YouTube app:
Browsewrap requires the user to search the website for the website's legal agreements. It assumes that the user has clicked on them and agreed to the agreements. But most courts have not found the browsewrap method to be legally enforceable.
The alternative is clickwrap. Under the clickwrap method, it's clear that the user has agreed to the agreements and that users were given sufficient notice of the agreements to which they were agreeing. Not surprisingly, most courts do consider clickwrap methods to be legally enforceable.
Clickwrap methods use a check box or an "I agree" button that the user must actively check or click, ensuring that the user gives consent.
Here's an example from Facebook when creating a new account:
If your website or mobile app allows users to create accounts, this is an excellent way to get consent to your legal agreements.
Here's another example from Coinbase, where you can see how the clickwrap has been implemented on their mobile app:
In the Coinbase example, you can see that a user is required to click "I agree" before the user can proceed with creating an account with Coinbase through its mobile app.
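As an added illustration of the clickwrap pattern described above (example code written for this guide, not taken from Facebook, Coinbase, or any other company), the snippet below gates account creation on an explicitly ticked box, records which agreement versions the user saw as evidence of consent, and flags when a stored consent no longer covers the current agreements. The agreement names, versions, and element ids are constructed assumptions.

```javascript
// Constructed sample data: the agreements shown next to the "I agree" box at signup.
const CURRENT_AGREEMENTS = [
  { name: "terms-of-service", version: "2016-02" },
  { name: "privacy-policy", version: "2016-02" },
];

// Builds the consent record to persist with the new account, or throws if the
// user did not affirmatively agree. `checked` is the checkbox state; `agreements`
// are the documents that were presented alongside it.
function buildConsentRecord(checked, agreements, now = new Date()) {
  if (checked !== true) {
    throw new Error("Consent not given: the user must tick the box before proceeding");
  }
  if (!Array.isArray(agreements) || agreements.length === 0) {
    throw new Error("No agreements were presented to the user");
  }
  return {
    agreements: agreements.map((a) => ({ name: a.name, version: a.version })),
    method: "clickwrap",
    consentedAt: now.toISOString(),
  };
}

// True when a stored record covers every current agreement at its current
// version; false means the user must be shown the updated text and asked again.
function consentStillValid(record, currentAgreements) {
  if (!record || record.method !== "clickwrap") return false;
  return currentAgreements.every((cur) =>
    record.agreements.some((a) => a.name === cur.name && a.version === cur.version)
  );
}

// Wires the checks into a signup form in the browser (assumed element handles).
// The submit button stays disabled until the box is ticked, and submission is
// blocked outright if no valid consent record can be built.
function attachClickwrap(form, checkbox, submit, agreements) {
  submit.disabled = !checkbox.checked;
  checkbox.addEventListener("change", () => { submit.disabled = !checkbox.checked; });
  form.addEventListener("submit", (ev) => {
    try {
      form.dataset.consent = JSON.stringify(buildConsentRecord(checkbox.checked, agreements));
    } catch (err) {
      ev.preventDefault();
      alert(err.message);
    }
  });
}
```

Persist the returned record with the account; when the agreements are revised, `consentStillValid` tells you which users need to be shown the new text and asked to agree again.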
The next thing you should do is ensure that you set up the DPO role early.
Your staff member will need time to learn their role, figure out what is required of them, and set up their own compliance measures for the organization.
They'll need time to develop policies and procedures, and figure out how they're going to manage the data protection methods in your business to be compliant with the regulation's requirements.
DPOs should be relieved of other duties within your organization so that they can focus fully on their tasks as a DPO.
Finally, ensure that your risk management and legal teams are aware of the GDPR regulation and they are working on keeping your organization compliant with the rules of the GDPR.
All in all, the EU Data Protection Regulation - or GDPR - will be a big upheaval in the data protection world, not just in the EU but also anywhere that deals with the data of EU citizens.
Ensure that you have these necessary compliance measures in place before you're bound by the GDPR regulation. The fines can be relatively harsh and could be a big hit to most small businesses if these businesses don't ensure that they're complying with the regulation's rules.