Developments in Data Protection
- By Paul Sullivan
On 23 June 2016, the UK voted by referendum to leave the EU. If and when ‘Brexit’ occurs, the UK will need to be able to continue to trade with EU member states, and to do so the UK will be required to comply with EU standards.
In or out, this will necessitate equivalence, if not full compliance, with the forthcoming General Data Protection Regulation (GDPR). At the time of writing, the UK is a Member State of the EU. As such, the UK will, by direct effect, be bound by the GDPR from 25 May 2018.
Under the GDPR, there are six principles with which data controllers must evidence compliance:
- lawfulness, fairness, and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality
The significant implications of the GDPR are considered below.
The GDPR goes beyond the current Data Protection Directive (DPD) to encompass data controllers and processors beyond the EU, which would presumably include a post-Brexit UK.
Privacy by Design
There are obligations of accountability placed on data processors which seem rather onerous, with requirements to (i) maintain certain documentation, (ii) conduct impact assessments and (iii) implement data protection by design and by default. It will fall to the data controller to be able to evidence the data subject’s express consent.
Public authorities will, under certain circumstances, be required to designate a Data Protection Officer (‘DPO’) to ensure accountability. This DPO will be required to have ‘sufficient expert knowledge’ and may be either employed directly or under a service contract.
The GDPR will impose new obligations upon data processors including:
- Maintaining written records of data processing carried out on behalf of each data controller
- Designating a DPO (where required)
- Notifying data controllers of any breach without undue delay
Explicit consent will be required for the processing of sensitive data. There will be an obligation on the data controller to evidence consent, and it should be as straightforward to withdraw such consent as to give it in the first place. The key consideration will be whether the consent is freely given.
It is noted that a margin of appreciation is afforded to the Member States on the age of consent for minors, which may impact on the desire for harmonisation across the EU.
The processing of data will continue to be on the basis of transparency.
Notification of data breach
There will be an obligation on data controllers to notify their data protection authority of most breaches without undue delay and, where feasible, within 72 hours of occurrence. In certain circumstances, this obligation will extend to informing data subjects too. This will be subject to a threshold test: breaches unlikely to result in a risk to the rights of individuals need not be reported, only cases where there is likely to be a “high risk.”
The levels of financial penalty that can be imposed for a breach are to be overhauled, with the existing upper limit of £50,000 being replaced with tiered penalties of up to 4% of annual worldwide turnover or €20m. This should certainly serve to emphasise the fundamental importance of compliance with the GDPR.
There is a rather cumbersome provision intended to allow companies operating in more than one Member State the facility of dealing with a single supervisory body.
This may inadvertently result in a diminution in consistency, with truly multi-national companies being able to pick and choose what they might perceive to be a more favourable venue. Apple Inc., for example, may be more inclined to select Dublin over Copenhagen as its venue.
Removal of notification requirement
Data controllers will no longer be required to notify their national authority of their activities. Rather, the administrative burden will shift to the data controller, who will be obliged to conduct its own risk assessments. Given the increased sanctions for any breach, this will place an onerous burden, particularly on SMEs.
European Data Protection Board
The Art. 29 Working Party (Art. 29 WP) is to be replaced by an independent European Data Protection Board (‘EDPB’) of similar composition, but with an independent secretariat, whose primary role shall be to contribute to the consistent application of the GDPR throughout the EU.
Binding Corporate Rules (‘BCRs’)
BCRs were originally designed by the Art. 29 WP to facilitate the international transfer of data by multinational companies within the European Economic Area (‘EEA’) to their affiliates outside the EEA. Under the GDPR they will be legally binding, providing data subjects with enforceable rights.
Currently, BCRs are recognised by approximately two-thirds of the Member States. The approval process is cumbersome, and uptake has been low.
Although the provisions are largely unchanged under the GDPR, the process appears to have been streamlined, with the removal of the requirement of prior authorisation in certain circumstances. A number of restricted derogations are permitted. The GDPR is, however, silent on the issue of ‘safe harbour’.
Rights of data subjects
The rights of data subjects are significantly strengthened.
This reflects the judgment in the Google Spain case where a Spanish national, González, made a complaint to the national Data Protection Agency (AEPD) against La Vanguardia newspaper, Google Spain SL and Google Inc. over content from the newspaper that appeared in Google search results against his name relating to his insolvency.
The AEPD rejected his complaint against the newspaper on the basis that its publication had been lawful, but upheld the complaint against Google and requested that it withdraw the personal information from its indexes. Google challenged this decision, and the matter was referred to the European Court of Justice (CJEU) for a preliminary ruling on whether its activities were subject to the Data Protection Directive.
The CJEU held that the activities of Google fell within a wide definition of ‘data processing’, notwithstanding that the data was not altered, sorted, or controlled by Google in any way. Google was deemed to be a data controller.
It was contended that the data processing was conducted outside the EU by Google Inc. and that the role of Google Spain SL was merely the sale of advertising space. The CJEU rejected this on the basis that the selling of advertising space was ‘inextricably linked’ to the search results alongside which they were displayed.
This judgment does not extend to any extensive balancing exercise between the right of the public to access the complete record online and that of the individual to be ‘forgotten’. Further, it is questionable as to whether it would be desirable for search engines to be the arbiters of what information the public at large may readily access online.