The final negotiations in respect of the proposed European Union (EU) General Data Protection Regulation (GDPR) commenced between the European Commission, the European Parliament and the European Council on 24 June 2015.
These three-party negotiations, known as the trilogue, are expected to conclude by the end of 2015 with the adoption of the regulation, which is intended to introduce a new European data privacy law fit for the digital age, and will have a significant impact on businesses and IT professionals.
At a press conference following the first trilogue meeting, all three European institutions reiterated their resolve to reach an agreement by the end of 2015 and have set out a series of meetings over the next months to finalise any outstanding points.
The GDPR will apply not only to businesses based in the EU, but more importantly, also to businesses outside the EU that process personal data collected through offering services or goods to citizens in the EU or from monitoring their behaviour. So the regulation will apply, for example, to a business in the US that through its website collects personal data on its EU customers.
The European authorities want to make sure that businesses comply with the detailed data privacy requirements under the GDPR and have proposed fines of up to 5% of annual worldwide revenue for non-compliance. Data protection authorities in EU countries will remain responsible for enforcement, including fines, with the GDPR adopting a so-called “one-stop shop” approach where a business will be subject to the supervision of a lead data protection authority in the EU country where it has its main establishment.
With only a few months to go before the expected adoption of the regulation, it is important that businesses both in the EU and outside of it get an understanding of what impact the GDPR will have on them.
Some of the key requirements under the proposed regulation include the following:
Accountability
Core to the GDPR is an obligation on businesses to demonstrate compliance with data privacy requirements through the adoption and implementation of appropriate policies and procedures. This includes the requirement to carry out privacy impact assessments where the use of personal data is likely to present specific risks to an individual, such as the use of health data. Businesses will, as a result, need to develop a process to ensure such privacy assessments are carried out where required.
There is a further requirement for businesses to implement privacy by design through use of technical and organisational measures – such as encryption, for example – to protect personal data and to ensure that, by default, only a minimum amount of personal data is processed. This includes the obligation to maintain detailed records of flows of personal data across the business.
Right to erasure
A business will be required to erase an individual’s personal data, without undue delay, where the individual withdraws their consent or objects to the use of their personal data – subject to a limited number of exceptions.
Despite the very considerable concerns that have been expressed about whether it is technically possible to erase all data in the digital age and the competing interests of freedom of speech, it seems likely that the right to erasure will exist in some form in the final text of the regulation.
Businesses should consider how this new right may impact them and should also consider reviewing their existing data retention policies and procedures to meet the data minimisation requirements under the GDPR.
Profiling
Profiling is very broadly defined under the GDPR to mean using data to evaluate personal aspects relating to an individual, including predicting their performance at work, economic situation, health, interests, behaviour or location.
The regulation introduces a number of restrictions on profiling, including the right for an individual not to be subject to a decision which significantly affects the individual and which is based on automated profiling. In many cases, profiling will only be permitted where the explicit consent of the individual has been obtained.
These restrictions are likely to have a considerable impact on businesses engaging in, for example, big data analytics, as well as more general business activities, such as credit scoring and employee monitoring. Businesses should consider reviewing their current profiling activities to assess what impact the new restrictions on profiling under the regulation may have.
Data breach notification
Information security continues to be a key issue for both industry and many regulators. The GDPR not only imposes requirements to implement appropriate security measures, but also makes it a mandatory requirement to report a data breach to the relevant data protection authority.
The time period within which a breach must be reported has been an area of much discussion with the European Council proposing that, where feasible, not later than 72 hours after having become aware of the breach, while the European Commission have proposed an even more challenging time limit of 24 hours. There is also a requirement to report a data breach to an individual affected, without undue delay, where such a breach is likely to result in high risk to the individual.
However, importantly, there are exceptions from the requirement to notify individuals, such as customers, where the business has implemented the appropriate technological measures so as to render the personal data unintelligible, for example, by using encryption.
With the very significant fines for non-compliance and the new requirements to report data breaches under the GDPR, businesses should consider not only how to minimise the risks of a data breach but also plan how to deal with a breach should one occur.
With the proposed regulation expected by many to be adopted by the end of 2015, businesses should start to consider now its impact and what steps they will need to take to deal with its new requirements.
William Long is a partner at law firm Sidley Austin.
