General Data Protection Regulation 2016/679 (GDPR) will come into force on May 25th, 2018. The Regulation is the product of four years of negotiations and arduous work.
It must be underlined that a regulation does not require an implementation by the European Union (EU) member States through national law and will be directly applicable. The GDPR aims at harmonizing the current legal framework and increasing legal certainty. Companies and public bodies will be subject to the same obligations whereas individuals will benefit from an equivalent protection. A harmonized legal framework allows for an easier flow of business and keeps international business partners in check. Nonetheless, it remains to be seen how each member State will interpret and implement the GDPR into their national legislation.
The European Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive 95/46/EC) still applies until the coming into force of the Regulation. The Directive set a certain standard of protection and was implemented by each member State. A common framework is in place in the EU but it widely varies from one member State to another. However, certain key principles have been adopted and remain in the GDPR.
The core principles of processing and protecting personal data have remained unchanged.
Under Article 5, personal data must be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data.
Although these six principles are unaltered, the GDPR sets a higher bar. The legal justifications for processing personal data, including sensitive data, fall into a limited category. The requirements for consent have also become more rigorous. Controllers or processors will only have narrow justifications for processing data for new purposes. These few examples illustrate the legislator’s intent to provide a more efficient protection of personal data.
It is also important to keep in mind that the GDPR imposes more stringent penalties. Failure to comply with any of the above may be sanctioned by a fine of up to 20 million Euros or up to 4% of the annual turnover, whichever is greater.
In practice, this implies that companies and public bodies or authorities processing personal data will have to update and change their bylaws and contracts. Most of the concerned entities are not currently in conformity with the Regulation and will be compelled to make fast adjustments.
GDPR: significant changes
- A broader meaning of personal data
Under Article 4(1), personal data is defined as “any information relating to an identified or identifiable natural person”. Data will be considered personal if a natural person can be identified by using all means reasonably likely to be used. As such, the “identifiable person” test is a low threshold to overcome. This extensive definition broadens the scope of the GDPR to an unprecedented degree. Most data collected falls under this definition and will be protected.
- A wider territorial scope
The GDPR applies to controllers and processors established within the EU, regardless of whether the processing takes place in the Union or not. This implies that regardless of the data subject’s nationality, the European processor or controller will be subject to the Regulation.
It also applies to controllers and processors which are not established within the EU but process personal data of subjects within the Union. As such, the GDPR’s scope extends beyond the EU member States and ensures that the standards set for data protection are respected to their fullest.
In short, the GDPR warrants the subject’s data protection by casting as wide a net as possible, even overseas, and guaranteeing that any processing of European data, and any European processor or controller, is subject to the Regulation (Article 3).
- Accountability of processors
For the first time, the GDPR directly regulates data processors and not merely controllers. Processors are hired as agents or suppliers for the controllers. Article 28 of the GDPR closes a loophole by rendering every participant in data processing accountable. Indeed, not only is a processor subject to a specific set of rules, the processor is now just as accountable as the controller and may face heavy fines if it violates the rules set out in the GDPR.
Moreover, the national supervisory authority to which the processors and controllers answer will have to cooperate with the other national supervisory authorities concerned by the data processing.
- Data Protection Officers
Controllers or processors falling under Article 37 will have to appoint a Data Protection Officer (DPO). This specifically includes public authorities and other large processors or controllers. The DPO must have “expert knowledge of data protection law and practices”. He or she must be involved in “all issues which relate to the protection of personal data” (Article 38(1)) and the controller or processor must support the Officer in his or her function.
Article 39 enumerates the DPO’s duties, which include in particular informing and advising the controller and processor, cooperating with the supervisory authority and monitoring compliance with the GDPR and other member State or Union data protection legislation.
The DPO is an independent function. He or she directly reports to the highest management level of the controller or processor, which does not have control over the DPO. The latter is bound by confidentiality or secrecy concerning the performance of his or her tasks (Article 38(5)). However, data subjects may contact the DPO regarding the processing of their personal data and to exercise their rights under the GDPR.
In a few words, the DPO enables large structures, whether public or private, to better protect, manage and process personal data in compliance with the applicable laws. He or she is involved at all stages of data processing and is an invaluable asset as an expert.
In conclusion, the GDPR harmonizes the core of data protection by increasing accountability, raising the standards of protection for the processing of personal data and specifying the participants involved in that processing. It also clarifies certain notions and will ensure a uniform level of protection overall.