The EU General Data Protection Regulation (GDPR), which was published in May, sets out a new, unified privacy law for Europe. The new law is relevant not just to businesses established in Europe; it will also apply to entities worldwide that provide goods and services to individuals in Europe, and online platforms and other website operators that are accessible from Europe.
On 4 May 2016, the General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union (L 119/1). It will apply from 25 May 2018, at which point it replaces the current legal framework. Unlike directives, which have to be transposed into national laws by the Member States, regulations such as the GDPR will apply directly in all Member States of the European Union and in Iceland, Liechtenstein and Norway, which are part of the European Economic Area (EEA).
The territorial reach of the GDPR will, however, extend far beyond the EU/EEA. It will affect any business coming into contact with European data, from large Silicon Valley tech companies to private Chinese bloggers.
Worldwide Territorial Scope
The territorial scope of the GDPR is laid down in Article 3. It applies to entities established in the EU/EEA that are processing the personal data of natural persons (data subjects) for their own purposes (as data controllers) or on behalf of another entity (as data processors) (Article 3(1)).
Uniform Law Throughout the European Union/European Economic Area
The GDPR regulates nearly all aspects of data protection law at an EU/EEA-wide level and thus brings a much higher level of harmonisation of data protection standards throughout the EU/EEA compared with the current framework. The EU Member States/EEA countries will, however, still be able to determine some details; for example, they can lower the minimum age for consenting to the processing of personal data from 16 to 13 years (Article 8(1)), and can add requirements for the processing of genetic data, biometric data and/or health data (Article 9(4)).
While each Member State/EEA country will continue to have a separate supervisory authority responsible for monitoring the application of the GDPR (or possibly multiple supervisory authorities), the supervisory authority of the country of the (main) establishment of a data controller or processor will take the lead and act as a “one-stop shop” for cross-border situations (Article 56). Businesses not established in the EU/EEA will be required to designate a representative in the EU/EEA, unless their data processing under the GDPR is only “occasional” (Article 27). While the wording is vague, this exception will most likely apply to website operators that don’t specifically target the EU/EEA. Where the previous regime essentially required a representative for each relevant Member State/EEA country, a single representative will be sufficient under the GDPR.
In certain circumstances, the GDPR also introduces an obligation to name a data protection officer, who may be an employee or an external consultant. A data protection officer is now always required where the core activities of a controller include the monitoring of individuals on a large scale, or where certain categories of data (such as racial or ethnic origin, political opinions, sexual orientation, religious beliefs, trade union membership, genetic data, biometric data, health data and data concerning the subject’s sex life) are processed on a large scale (Article 27(1)). Member States and EEA countries also have the option to continue to require data protection officers in additional situations; for example, Germany may continue to require data protection officers for businesses employing more than nine persons who regularly handle personal data.
The GDPR also introduces new rights for data subjects. For example, Article 20 sets out a right to data portability, entitling the data subject to receive their data in a machine-readable format that can then be transferred (ported) to a new service provider. The GDPR also expands the right to erase data to include a “right to be forgotten”, even where the data has previously been made public (Article 17). The GDPR further strengthens the principle of “data protection by design and default” (Article 25) and requires data controllers and processors to inform the supervisory authority and the affected data subjects in case of a personal data breach (Articles 33 and 34).
Increased Limit for Fines
The GDPR will drastically increase the upper limit for administrative fines to €20 million or 4 per cent of worldwide annual turnover, whichever is higher (Article 83). This is, however, the upper limit for the most extreme and severe violations of the GDPR, and does not imply that the fines imposed in average cases will actually increase.
Data Transferred to Non-EU/EEA Countries
The rules relating to data exports to non-EU/EEA countries will not change significantly because they were already fully harmonised under the old framework. Data exports will continue to be allowed where the European Commission has established that the level of data protection in the destination country is adequate (Article 45); where the data exporter is using appropriate safeguards, such as the standard contractual clauses (model contracts) (Article 46), or binding corporate rules (Article 47); where the data subject has given his or her consent (Article 49(1)(a)); where the transfer is necessary for the performance of a contract (Article 49(1)(b) and (c)); or where other derogations for specific situations set forth in Article 49 exist.
Data exports to the United States have, however, been overshadowed by recent developments. During the final stages of the law-making process for the GDPR, the European Court of Justice held that the US–EU Safe Harbor framework would not guarantee an adequate level of data protection and declared the adequacy decision of the Commission null and void (Schrems, C-362/14, ECLI:EU:C:2015:650). Discussions on a new framework, dubbed the EU–US Privacy Shield, which would be implemented under the existing directive and continue to apply under the GDPR, are independent from the GDPR, and will hopefully be concluded much earlier than May 2018.
While the GDPR is not yet applicable, the date for enforcement is now fixed, and the less than two years left should be used to prepare for the new law.
Businesses established in the European Union or the European Economic Area should only have to make minor adaptations to their current procedures and policies. Data controllers—such as website operators—located outside the EU/EEA, which will be hit by the extended territorial scope of the GDPR and are as of now unfamiliar with European data protection requirements, will likely have to make significant changes and undergo a steep learning curve. Where software changes are required, two years is a short period of time, and businesses choosing a new data centre, or establishing a new software platform that will live into 2018, should be taking the requirements of the GDPR into account.
On the other hand, the necessary changes should not be rushed. While the text of the GDPR is final as published in the Official Journal, the Member States and EEA countries still have to pass new laws to make use of the options granted under the GDPR. For example, they may impose additional requirements on the processing of health data, which could have a significant effect on the international health care sector. Businesses engaging in data exports to the United States, or US businesses importing data from the European Union or the European Economic Area, should consider waiting until the fate of the EU–US Privacy Shield has become more clear.