The General Data Protection Regulation: what to expect
Regardless of the success or otherwise of the government’s ongoing Brexit negotiations, European law will continue to have a significant impact in the UK, at least in terms of data protection. From 25 May 2018, the new General Data Protection Regulation (GDPR) will directly apply to the UK, as well as the remainder of the European Union, and is set to transform the current approach to data protection.
The changes are set to affect both data controllers and data processors, introducing tougher sanctions and applying them to a wider range of individuals and companies. One of the GDPR’s central aims is to give more rights to individuals, as well as providing them with easier recourse for misuse of their personal data.
For the purposes of the GDPR, a data controller is the person or body who, alone or jointly with others, determines the purposes and means of the processing of personal data. A data processor is the person or body who processes the personal data on behalf of a data controller.
In this article, we will discuss some of the headline changes to UK data protection law set to be brought in by the GDPR in May 2018. As the changes will be wide-reaching and radical, any business involved in the processing of data should seek thorough advice on the impact the GDPR is likely to have on them.
Severe sanctions
The GDPR will both increase the highest level of fines for non-compliance and introduce revenue-based fines for “undertakings”. An undertaking in this context is not defined by the GDPR, but in EU case law, group companies have in the past been considered part of the same undertaking. This could mean that fines are calculated as a percentage of the turnover of an entire multinational group of companies, rather than of the single entity in question. However, this is not an absolute rule and each case will be assessed on its facts.
The higher category of sanctions, for breaches of basic data processing principles, the rights of data subjects and other major infringements, will involve fines of the higher of €20,000,000 or up to 4% of an undertaking’s total worldwide turnover for the previous year.
The lower category, for breaches of certain controller and processor obligations, or those of relevant bodies, features fines of the higher of €10,000,000 or 2% of an undertaking’s worldwide turnover for the previous year.
Additionally, the GDPR grants individuals the right to claim compensation from data controllers and processors. This applies to any person who has suffered “material or non-material damage”, including distress and hurt feelings without financial loss. Furthermore, data subjects will be able to nominate bodies to bring claims on their behalf, which could lead to group claims against businesses.
Broader scope
The GDPR is set to extend the reach of data protection law in two key areas.
Firstly, it will have a wider application in terms of the organisations caught within its scope, applying “to the processing of personal data in the context of the activities of an establishment of a controller or processor in the [European] Union, regardless of whether the processing takes place in the Union or not”.
The GDPR further fleshes out this broad definition by citing the “effective and real exercise of activity through stable arrangements” to be decisive in defining an “establishment”; “the legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”. As a result, the GDPR may apply to non-EU subsidiaries processing data, as well as individuals within such organisations.
Notably, the GDPR applies specifically to data processors as well as data controllers, encompassing organisations that act as data processing agents. As previously mentioned, this means they will be liable for sanctions if they fail to meet their obligations under the GDPR.
Additionally, organisations that are not established in the EU may still be caught, where their activities involve processing the personal data of individuals within the EU, and are related to either (a) the offering of goods and services to data subjects within the EU (irrespective of whether payment is required), or (b) monitoring their behaviour, so far as that behaviour takes place within the EU.
These provisions are likely to catch online retailers established outside the EU to the extent they process the data of EU-based customers, as well as advertising networks that use cookies to monitor individuals’ online behaviour. Parent companies based outside the EU, for instance in the US, could now face direct responsibility for compliance with the GDPR.
Secondly, the GDPR is set to catch more data within its scope. Personal data is defined in the regulation as “any information relating to an identified or identifiable natural person”. The word “identifiable” here enables a very broad interpretation of personal data; even if the organisation holding the data cannot identify a natural person from the data, it will still be “personal data” provided anyone is capable of doing so using “all means reasonably likely to be used”.
The natural person’s name is only one of the possible identifiers envisaged by this broad definition. A person is identifiable if he or she can be identified directly or indirectly by reference to a name, identification number, location data, online identifier or factors specific to that individual’s identity.
Active consent
Under the GDPR, data subjects who agree to the processing of their personal data must indicate their “freely given, specific, informed and unambiguous” consent by a statement or clear affirmative action. Such an action could include actively ticking a box on a website or choosing specific settings for an online service. Pre-ticked boxes or inactivity will not constitute consent for the purposes of the GDPR, and each purpose for which the data is being processed will require separate consent. Clear records will be crucial as data controllers must be able to prove the subject’s consent.
In order for consent to be “informed”, data subjects must be made aware of the data controller’s identity and the purpose of the processing. If consent is given within a contract, the requirement to give consent must be distinguishable from the other matters dealt with in the contract.
As to whether consent is “freely given”, it will be relevant whether consent is a condition of the performance of a contract where data processing is not necessary to that contract’s execution. Additionally, the bargaining power between the parties will be a relevant factor, for instance a relationship between an employer and employee will rarely be balanced.
Data subjects will have the right to withdraw their consent at any time, and must be informed of this right. Furthermore, consent must be as easy to withdraw as to give, which will likely substantially change current practices, where withdrawing consent often requires an email.
Individuals’ rights
The GDPR grants individuals specific rights in relation to the use of their personal data, all of which aim towards greater transparency.
One of the most high profile rights is the right to erasure, commonly referred to as the ‘right to be forgotten’, stemming from the Google Spain case from 2014. Following this case, Google were required to remove certain search results on the basis that they had no legal basis to process the information. The right is enshrined within the GDPR in certain limited circumstances, principally (as in Google Spain) where there is no legal ground for processing the information involved.
Additionally, individuals will continue to have the right to rectify inaccurate or incomplete personal data relating to them and object to the processing of personal data for direct marketing. They will have expanded rights not to be subject to automated decision taking and profiling (without consent, legal authority or necessity) and will have the new right to receive all personal data concerning them in a structured, commonly used format (in certain circumstances).
Subject access requests, which existed under the previous directive, will now be free of charge, and relevant information must be provided by the recipient of the request within one month in most cases, with a limited right to extend this to three months.
Lastly, the GDPR sets out information which data controllers must provide to data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (in particular where the information is addressed to a child). This information includes the identity and contact details of the controller, the contact details of the data protection officer (where applicable), the purpose and legal basis of the processing, the recipients or categories of recipients of the personal data, the existence of their rights (referred to above), and other information relating to their data.
Business impact
The GDPR will require widespread and drastic changes to the way businesses process and store data, with obligations extending significantly beyond those outlined above. The scale of the potential fines under the new regime reflects the urgency with which business managers must create strategies for fixing existing data protection methods and complying with new obligations.
Companies will need to review all of their current contracts, whether with suppliers, customers or otherwise, to ensure they are GDPR compliant. Specific attention should be given to data-specific provisions, and financial terms may need to be adjusted given the increased risks of non-compliance with the GDPR. Additionally, organisations must review their terms and conditions to ensure consent provisions are identifiable and clearly written.
More companies must now take active steps to ensure compliance with the GDPR, even if they are not based within the EU, but have European operations. Processors now also face the risk of fines and private claims brought by individuals, and must therefore take their own responsibility for GDPR compliance.
Given the wide definition of “personal data”, it is safe to assume all data will fall within the GDPR. The GDPR introduces the new concept of “pseudonymisation”, whereby personal data cannot be attributed to an individual without separately held additional information, and companies that use this method are rewarded under the GDPR. Therefore, organisations should use anonymisation or pseudonymisation wherever possible, and avoid the processing of identifiable personal data.
The GDPR will make it more difficult for processing of personal data to be legally justified, particularly where special categories of personal data are involved. Failure to process data within the core principles of “lawfulness, fairness and transparency” will lead to the highest possible fines. Organisations will be more accountable to both regulators and data subjects, and therefore data controllers and processors must keep detailed records of their data processing, and analyse what areas must be brought up to the standard imposed by the GDPR. In some circumstances, organisations must appoint a data protection officer to oversee large scale monitoring of data subjects.
The GDPR will soon directly apply throughout Europe, including the United Kingdom, and ensuring businesses do not fall foul of its provisions is not an endeavour to be taken lightly.
Thomas Moore, Trainee Solicitor, Simkins