General Data Protection Regulation: key areas of impact
The GDPR introduced enhanced obligations for processing personal data, strengthened the rights of individuals, and increased sanctions for violations across Europe. Penalties under the GDPR can reach as high as EUR 20 million or 4% of the total worldwide annual turnover of an undertaking per infringement. An “undertaking”, as the EU Data Protection Authorities (DPAs) have explained, includes both the parent company and all involved subsidiaries. DPAs have broad discretion in determining whether a fine should be levied, and to what amount. In the case of minor infringements, as EU DPAs further explain, a DPA may also replace the fine with a reprimand.
With cybercrime and data breaches dominating global headlines, the GDPR also introduces a new notification obligation for data controllers in personal data security breach cases. Under this obligation, data controllers have to notify the competent DPA, within 72 hours, of any personal data breach likely to result in a risk to the rights and freedoms of individuals. The controller will also have to notify the affected individuals if the risk to the rights and freedoms of those individuals is likely to be high.
As companies are increasingly turning to artificial intelligence technologies, as well as personalised product offerings, specific rules on user profiling are another important aspect of the GDPR. The GDPR prohibits profiling that constitutes solely automated decision-making if it produces “legal effects” or “similarly significantly affects” on an individual. This profiling may only take place if necessary for the performance of or entering into a contract, is based on the explicit consent of the individual, or is authorised by the EU or a member state. Where this type of profiling is allowed, the individuals concerned have the right to obtain meaningful human intervention, to obtain meaningful information about the logic involved in profiling, and to contest decisions made by technology rather than by a human being. In most cases, before engaging in any form of profiling, the data controllers will have to conduct a Data Protection Impact Assessment.
The GDPR also tightens existing transparency and consent requirements. Under the new rules, data controllers will have to give individuals more extensive and nuanced information before processing their personal data. Data subject consent will become harder to rely on as a legal basis for personal data processing. As with profiling, these requirements significantly impact the conducting of business online. Many companies have already started amending their current business practices in preparation for the new legal landscape for monetising consumer data. If your company has not started doing this, now is the time to start preparing.
The limitations on transfers of personal data outside the EU remain largely unchanged. However, the GDPR explicitly recognises the already-existing Binding Corporate Rules (BCRs), and introduces new mechanisms such as codes of conduct and certification schemes. The adequacy decisions and the EU-US Privacy Shield framework remain in force. Nonetheless, as a result of the first annual review of the Privacy Shield, EU DPAs have indicated that they may initiate the legal procedure for invalidating the framework unless the US rectifies certain important issues by 25 May 2018. The European Commission is also currently reviewing all adequacy decisions it has issued for non-EU countries. From 30 March 2019, the UK will no longer be a member state of the EU and will thus become a “third country” for the purposes of data transfers. Unless the European Commission passes an adequacy decision, data controllers will have to provide for appropriate safeguards for personal data transfers to the UK. This is worth keeping in mind when structuring future data flows for your company.
Modernising E-Privacy rules
The European Council is currently considering the E-Privacy Regulation, proposed by the European Commission in January 2017, (for an overview of the initial proposal see our previous In context). Although initially set to take effect together with the GDPR on 25 May 2018, it seems unlikely that negotiations will be concluded by then. It is already clear that the new legislation will have a strong impact on a broad range of businesses, including providers of electronic communications, Internet of Things devices, mobile applications, online media content, online behavioural advertising and marketing, and internet browsers. Similarly to the GDPR, the E-Privacy Regulation will almost certainly introduce stricter rules for the protection of electronic communications data. The regulation will also significantly reform the E-Privacy enforcement framework, with sanctions matching those of the GDPR. The new regulation is likely to entrust DPAs with the enforcement of at least part of the new E-Privacy rules. Irrespective of this, EU DPAs will have broad powers to interpret the provisions of the E-Privacy Regulation.
New cybersecurity framework
The NIS Directive lays down the EU-wide cybersecurity framework that comprises security and notification requirements for operators of essential services and for digital service providers. Under the directive, operators of essential services include companies operating in crucial sectors of the economy, such as banking, health, energy and transport. Digital service providers include online marketplaces, search engines and cloud computing services. For an overview of the NIS Directive, see our previous In context of July 2016 and June 2016. Each EU member state will need to determine on or before 9 November 2018 which parties in its jurisdiction are to be considered operators of essential services and therefore subject to the directive.
Adopted in July 2016, the NIS Directive will become fully operational in 2018 after national implementation laws have been adopted in all EU countries. These national laws will also establish the enforcement framework for the EU cybersecurity rules and sanctions for their violation. The Dutch Cybersecurity Bill implementing the NIS Directive is about to be introduced to the Dutch Parliament. Once adopted, the bill will replace the Dutch Data Processing and Cybersecurity Notification Obligation Act, which introduced a notification requirement for serious cybersecurity breaches or loss of integrity of vital electronic information systems. This notification requirement took effect as of 1 January 2018. The duty currently applies to vital providers in various sectors, such as energy, telecommunications, transportation and government. Although the exact scope and provisions of the forthcoming Dutch Cybersecurity Bill are still taking shape, it is likely that it will include serious sanctions. The enforcement regime announced in the Bill so far includes penalties of up to EUR 5 million. Similarly, the public consultation on the proposed UK Cybersecurity Bill published last year also features high penalties matching those of the GDPR. The exact scope and provisions of the bill will take shape in 2018. It is expected that this cybersecurity legislation will continue to apply after Brexit.
A major Equifax data security breach that affected 145 million US individuals spurred renewed efforts to pass a federal Data Security and Breach Notification Act in the US. Presented to the Senate in November 2017, the bill introduces data security obligations and a nationwide data security and breach notification obligation. The Internet of Things Cybersecurity Improvement Act, which seeks to introduce minimum security standards for connected devices, was presented to the Senate earlier in 2017. Next year will shed light on whether these bills will be more successful than similar previous initiatives.
China’s Cybersecurity Law, in effect since 1 June 2017, introduced across-the-board cybersecurity and data protection measures. These include rules on domestic storage of data, restrictions on cross-border data transfers, and extensive security assessments. China’s new data and cybersecurity framework could directly impact any multinational company doing business in China or depending on the Chinese network or data infrastructure. The implementation of the new framework is expected to be finalised in 2018. For an overview of China’s Cybersecurity Law, the progress on its implementation, and the first enforcement actions, see In context of November 2017 and May 2017.
The enhanced obligations of personal data controllers and processors introduced by the GDPR, along with stronger rights for individuals, raise both compliance costs and the risks of non-compliance. As the countdown to the GDPR enforcement starts, companies need to finalise their data protection programmes. Draft Guidelines of EU DPAs published in late 2017, such as those on profiling, transparency and consent, may require final adjustments to existing GDPR compliance solutions. More generally, EU DPAs’ guidance on the GDPR reveals their tendency to broaden and deepen data controllers’ obligations, while narrowing applicable exceptions.
The EU E-Privacy Regulation and the Dutch and British cybersecurity bills, although not yet finalised, will also most likely introduce stricter rules and penalties in their respective areas. We will monitor the progress of their adoption and will keep you informed on these and other relevant developments. In any event, after years of crystal ball gazing, 2018 will be the year data protection and cybersecurity become more strictly regulated and enforced across the world. These developments will have a broad impact on businesses, stretching beyond internal compliance programmes; they will affect the companies’ valuations in M&A transactions, and the design of internal investigation.