Update on EU General Data Protection Regulation (GDPR)
Written by Ardi Kolah LLM FCIM and Prof Bryan Foss
Q1: What’s the significance of the Council of Ministers version of GDPR published on 15 June?
What this means is that the Council of Ministers has political agreement on the basis of which it can now begin negotiations with the European Parliament with a view to reaching overall agreement on GDPR by the end of the year.
Negotiations with the European Parliament and the European Commission started on 24 June 2015 and all parties made a commitment to reach agreement by the end of the year. For a complete picture of the roadmap, click here.
Q2: In addition to GDPR, what other moves are contributing to reforms in data protection and privacy law across the EU?
This can be summarised as:
- EU Data Protection Directive
- EU Charter of Fundamental Rights
- EU Digital Single Market
EU Data Protection Directive
This is a separate law being proposed for governing the use of personal data in the area of law enforcement and crime. The expectation is that the debate on the EU Directive as well as GDPR by the Council and European Parliament will be run in tandem, with an outcome expected this October 2015
EU Charter of Fundamental Rights
The Charter is an important development as it’s the first formal EU document to combine and declare all the values and fundamental rights (economic and social as well as civil and political) to which EU citizens should be entitled. The main aim of the Charter is to make these rights more visible. It is important to note that the Charter doesn’t establish new rights but assembles existing rights that were previously scattered over a range of international sources. Now that the national courts and Court of Justice of the European Union (CJEU) have to consider the Charter it can be used to assist in cases where EU law is in issue and clearly GDPR needs to be seen within this context.
EU Digital Single Market
In May 2015, the EU outlined its strategy to create a digital single market. The thrust of the proposals included establishing standard rules for buying goods online, pruning cross-border regulations on telecoms and reducing the tax burden on business. The plan also calls for a “comprehensive assessment” of whether Facebook, Google and other internet platforms distort competition (aside from posing significant data protection and privacy risks).
EU Commission President Claude Juncker has promised to transform the EU single market for the digital age by removing regulatory walls, moving away from 28 national markets to a single one and generating €415 bn ($468 bn) a year for the European economy as well as creating 3.8m new jobs.
The call for reform isn’t simply politically motivated – many businesses from within and outside of the EU have been pressing for reform in order to compete across a level playing field rather than risk facing fines and penalties across 28 Member States that pursue their own competition, data protection, privacy laws and regulations.
It’s against this backdrop that GDPR is the final piece of the jigsaw that will create a very different picture of the European Union than exists at present.
Q3: What are the main drivers for GDPR?
There are three key drivers for reform:
- Simplifying the regulatory landscape and framework
- Updating rights and obligations to the opportunities and challenges of the digital world.
- Strengthening enforcement.
The core element of the European Commission package is to completely update and modernise the principles of the 1995 Data Protection Directive. It sets out the rights of the individual and establishes the obligations of those processing and those responsible for the processing of the data. It also establishes the methods for ensuring compliance as well as the scope of sanctions for those in breach of the rules.
Q4: What’s at the root of the reforms being proposed?
This can be summarised as putting individuals back in control of their own data. This is perhaps at the root of the proposed data protection and privacy reforms and has the biggest impact of the changes being proposed by the European Commission. In many ways, this principle more than any other is an attempt to re-establish fundamental rights as well as to strengthen trust within the digital single market.
Q5: What are the main features of GDPR?
There are 4 main features of the EU Regulation:
- Putting individuals back in control of their own data
- Portability of data
- Breach notification
- More effective supervision and enforcement
- One-Stop Shop
Putting individuals back in control of their own data
This is perhaps at the root of the proposed data protection and privacy reforms and has the biggest impact of the changes being proposed by the European Commission. Perhaps more than in any other part of the EU Regulation effecting data protection, the proposed reforms means putting individuals back in control of their personal information in order to re-establish fundamental rights as well as to strengthen trust within the digital single market.
The cornerstone of this is strengthening existing rights such as the so-called ‘right to be forgotten’ and improving citizens’ rights to be informed if their data is hacked.
Portability of data
One of the proposed eye-catching reforms to be included in the GDPR will be portability of personal data across the EU. This is essentially about allowing users to extract in a structured format personal data from service providers and to move that personal data to another provider.
This idea stems from what happens in the mobile telecoms sector and it’s about giving more say to individuals to decide what happens to their data in practice; being able to effectively make a choice in the market and in that way lower the barriers to entry in particular to those markets which are currently dominated by very few big players.
According to the European Commission, this is an example of a question of balance taken within the GDPR – of balancing fundamental rights as well as complementing the principle of competition within the internal market.
In this area, the European Commission has studied in detail what some States in the USA have adopted in terms of data breach notifications and are convinced of the case for a federal approach across the EU. In practice, the same idea is true for the protection of privacy by design. This is about investing in good data protection practice and methods as early and as upstream as possible in the provision of goods and services.
More effective supervision and enforcement
The new emphasis on supervision and enforcement placed by the European Commission reflects the transition from an ex-ante to an ex-post data protection and privacy system.
Data protection and data breaches have become much more serious and relevant and currently we don’t have a credible set of enforcement rules and sufficiently dissuasive sanctions. In Europe, we have a very fragmented situation where certain countries have that power to impose financial sanctions and some countries don’t appear to have that power.
The European Commission drew inspiration from other areas of Europe such as competition law in looking at the issue of supervision and enforcement. There have been a lot of misgivings about the level of fines and it should be emphasised that these are a ceiling – it’s about a maximum amount of the fine which will be applicable to the most serious cases of violation.
The fine will be between 2-5% of global turnover or €100m and will be based on a number of factors including:
- duration of the data breach
- seriousness of the data breach
- negligence or intention
- nature of the violation
- impact on users
- other factors.
Mitigation factors include having taken all necessary steps to comply with the principles of the EU Regulation including the appointment of an independent Data Protection Officer (DPO).
This is one of the ‘jewels in the crown’ of GDPR and clearly the European Commission sees this as being fundamental in terms of enforcement and supervision that sits alongside its strategy for the digital single market and the Charter of Fundamental Rights.
What’s now proposed is a two-level structure that provides the benefit of proximity for complainants against organisations and companies by recourse to their own Data Protection Authority (DPA) and the courts as well as making it easier to launch a cross-border complaint by reference to a single adjudication body (the lead DPA body of the main establishment).
In this new regime, both bodies will need to agree on the interpretation of the GDPR rather than having diametrically opposed interpretations that would negate the operation of a one-stop shop mechanism. The one-stop shop has become more congruent and more consistent in interpretation and application of EU data protection laws throughout the EU and this is good in terms of legal certainty.
The European Commission view is that the one-stop shop is more effective in the protection of users’ rights and this appears to have gained consensus within the European Parliament and the Council of Ministers.
Negotiations around the one-stop shop mechanism took a while and were debated in detail by the Council where it was important to strike the right balance and for having the ability to adjudicate on cross-border cases with one interpretation of the data protection rules.
Although the UK did have reservations about the one-stop shop principle, the compromise that’s been reached between the Council, Parliament and Commission safeguards the level of proximity for a remedy in particular when the complaint of an individual is rejected and therefore a decision has a negative impact on that individual.
At the same time, the one-stop shop maintains a key objective of having one interpretation of the GDPR in cross-border cases and in many respects reinforces it.
GDPR is therefore likely to reflect the following mechanism for one-stop shop:
when the decision involve measures to be taken vis-a-vis the control of the processor, the imposition of a fine, injunction or to put an end to certain processes, then that decision is jointly agreed and will be formally adopted by the DPA of the main establishment
when the jointly agreed decision has a negative impact on the individual by rejecting their complaint, it will be adopted by the local DPA and in that way it ensures that the decision can be challenged before a domestic court of the complainant.
Given this additional safety value, the European Commission feel that the Data Protection Board wouldn’t have to intervene except in a relatively few cases. Where the local DPA isn’t able to reach agreement with DPA for the main establishment, then the matter will be referred to European Data Protection Board (EDPB) and that decision will be binding on all parties. And this is a legally more robust position under the Fundamental Rights Charter perspective.
Q6: Is agreement on the other outstanding bits of GDPR likely to be achieved before the end of 2015?
Good question and unfortunately we don’t have a crystal ball!
There’s a fair amount of consensus already in place but ‘nothing is agreed until everything is agreed’. Even as the critics slam the European Commission, Council and Parliament for dragging their feet over the progress for data protection and privacy reform across the European Union, it should be remembered that this is one of the biggest shake ups in data protection and privacy for over a decade.
The litmus test will be to see how fast progress in the negotiations can be made after the European Parliament, Council and Commission return to work after the summer recess in September 2015.
Q7: What bits are there still significant disagreements on?
On paper, there appears to be a very long list of differences in opinion on what should and shouldn’t be included in GDPR.
For example, the Council favour a high degree of “flexibility” for EU Member States to implement data protection laws in their territory as they see fit. But this smacks of being more like a Directive rather than a Regulation and is unlikely to carry through to the final version of GDPR.
In reality, all sides aren’t that far apart and we’ll see this as the trilogue negotiations start in earnest from 24 June 2015.
Q8: Where can the different versions of GDPR be read in a table format?
The idiom ‘can’t see wood for the trees’ comes to mind! Getting bogged down in the detail of GDPR can be overwhelming, so this table takes the stress of trying to see where the differences lie in each GDPR version.
However, from the 24 June many of the differences will start to get resolved so the positions in the table will of course change and we’ll report this on our website and on Twitter.
Q9: What should companies and organisations do now to prepare for life under GDPR?
There are many things that companies and organisations should think about doing NOW and these include:
- Minimize data collection – the proposed GDPR has strong requirements that companies limit the data they collect from consumers
- Report promptly – data breach notification is a new requirement that EU companies will have to handle
- Retain carefully – the GDPR minimization rules apply not only to the scope of the data collected but also how long it’s kept. In other words, you shouldn’t be storing data longer than is necessary for its intended purposes
- Beware the new definition of personal identifier – GDPR expands the definition of personal identifiers and this change is important because the EU law centres on protecting these identifiers
- Use clear and easy to understand language – companies will need to obtain explicit consent—an ‘opt-in’ from the consumer—when collecting data
- Find your delete key – ‘right to erasure’ means that when consumers withdraw consent on data they’ve given, the companies will have to remove it
- Remember cloud computing doesn’t escape from requirements under GDPR – the new EU Regulation follows the data.
Q10: How do I keep up to date with progress on the trilogue negotiations?
The GO DPO® website has a load of information and news written in a friendly and jargon-free way.
Also follow GO DPO® on Twitter @EU_Compliance for breaking news. And you can email Ardi@godpo.eu with any questions on GDPR.