EU Has Agreed on Terms of General Data Protection Regulation
Due to the complexity of the biggest data protection reform since the establishment of data protection law, we will only report the most important provisions in detail. The essentials may be summarized as follows:
- Potential fines
are raised up to EUR 20 million or 4 % of the of the total worldwide
annual turnover (Art. 79 GDPR).
- For companies
that operate in different EU countries a national leading supervisory
authority ("one-stop shop") will be the primarily responsible
authorities (Art 51a GDPR).
- Many national
data protection laws will be inapplicable, if they are already covered by
the GDPR´s broad scope. In Germany this applies to many sections in the
Federal Data Protection Act (‘Bundesdatenschutzgesetz’ BDSG) as well as to
the provisions of the German Telemedia Act (Temeldiengesetz – ‘TMG’).
Furthermore national rules regarding personal data in social and welfare
systems as well as healthcare will be inapplicable. The Member States are
only allowed to regulate the data processing in some exempted areas, like
data processing in the employment context (Art . 82 GDPR).
- The appointment
of a Data Protection Officer will be mandatory throughout the EU. However,
it is unclear at what threshold a company must appoint one (Art. 35 GDPR).
- The written form
is no longer a requirement for consent but other requirements will be
stricter, especially regarding the necessary "voluntariness" of
consent. Consents of persons under 16 years must be authorized by the
holder of parental responsibility.
obligations – i.e. the obligation to provide information on data
processing operations - are considerably expanded (Art. 14 GDPR).
- In the context
of data processing the data processor will bear a greater responsibility
and must comply with more formal requirements (Art. 26seq GDPR).
- The obligation
to report security incidents is significantly expanded according to Art.
31 GDPR and will exist alongside the obligation arising from national and
EU IT - security laws.
- There are
significantly more formal requirements before an undertaking is allowed to
process data (so – called “data protection impact assessment”, Art. 33seq.
- The right to
data portability is implemented in Art. 18 GDPR.
- The right to be
forgotten (Art. 17 GDPR) has been implemented in accordance with the
requirements of the CJEU.
- Privacy by design and by default have been established as principles in Art. 23 GDPR.
The most serious change in the data protection legislation is the substantially increase of potential fines. So far, in Germany fines up to EUR 300,000 were a possible sanction for unlawful processing of data. The penalty framework of Art. 79 GDPR now includes fines of up to EUR 20 million or, in the case of an undertaking, 4% of its global annual turnover (Art 79, para. 3a GDPR). Thus, data protection compliance in undertakings should have greater weight in the future. It is remarkable that - by the wording of DPRG - the basis for calculating finds is not the worldwide turnover of a group of companies but the infringing entity’s turnover (maybe a subsidiary with significant lower turnover). This is most likely due to the fact that no general permission or exemption for group internal data transfers exist in European data protection law.
One stop shop
The competent authority for an undertaking which is active in more than one Member States will be the so called “lead supervisory authority” according to Art. 51a DSGVO. The authority, which is responsible for the “main establishment” of a group in Europe, will be the lead supervisor authority for all questions relating data protection in all of Europe. For cross-border cases the lead supervisory authority shall coordinate the activities of the other national data protection authorities (Art. 54a DSGVO). Even in purely national cases, the national supervisory authority must consult the lead supervisory authority and the latter has the right to decide whether it will deal with the case (Art. 51a para. 2c DSGVO). Thus, the forum shopping for international corporations receives a new dimension. Furthermore the concept of “one stop shop” will result in a challenge for the national supervisory authorities, as most of them already have to fight with significant capacity bottlenecks. But new important questions arise also for companies: What is the “main establishment? According to the definition of Art. 4, para. 13 GDPR, not only the administrative headquarters must be taken into consideration, also the seat of the entity or office that has de facto sovereignty over the processing of data in the EU may be the main establishment.
Increase of potential fines
According to GDPR each undertaking shall designate a data protection officer, if its core activities consist in data processing and/or or if the undertaking processes special categories of data pursuant to Art. 9 GDPR like health data or information about religious affiliation. In both cases, however, the data processing must relate to “a large scale” of processed personal data. Obviously, it was not possible during the trialogue to agree on a specific threshold. In the drafts a certain number of employees or a number of processed records or persons concerned had been proposed. However, specific figures can no longer be found in the final text. The resulting legal uncertainty is even more severe, as a violation of the obligation to designate a data protection officer may result in a fine of up to EUR 10 million in accordance with Art. 79 para. 3 DSGVO. It is therefore advisable to appoint a data protection officer for each company just to avoid any risk. German companies - which usually have a data protection officer - should for now retain it to avoid uncertainty.
Each data processor must to a greater extent than before inform the data subjects. Currently, in most contexts, it is sufficient to inform about the identity of the controller the purpose of data processing. Article 14 GDPR now contains a couple of severe further requirements. For example in the event a controller relies on a “legitimate interest” to justify the data processing it is necessary to explain this legitimate interest in detail.
Data protection officer
In addition the retention period, an indication of the right of appeal to the competent supervisory authority and an indication of the right to revoke any consent must be given. In addition, the contact details of the data protection officer have to be given to the data subject.
Requirements for consent
The GDPR does not provide a general requirement regarding declarations of consent to be made in writing, as it is currently the case in Germany according to Sec. 4a of BDSG. Hence in future all declarations of consent may be given by a mere click in the internet or a “touch” on a smartphone. At the same time Art. 7 para 4 GDPR and recitals 32 and 34 demand a high threshold for the voluntary nature of consent. Consent of minors (defined as younger than 16 years) will only be valid in the future, if the consent is authorized or given by a parent or guardian (Art. 8 GDPR).
Broad displacement of national data protection law
National data protection law will not remain applicable where such law is the GDPR´s scope. Excluded are just a handful of special areas defined in Art. 80 et seq. GDPR like data processing in labour context or for the purposes of science (Art. 83 DSGVO). Furthermore, there is a vaguely worded exemption which allows national regulations if the data processing serves public interest (Art. 6 para. 2 in conjunction with Art. 6 para. 1 (e)). However, in Germany a lot of well-established rules, which permit the data processing of credit bureaus, video surveillance, use of personal data for advertising purposes, scoring, and the general permission to generate pseudonymous user profiles for advertising purposes in the online sector (§ 15 para. 3 TMG) will be inapplicable in the future. While in most drafts regulations regarding "health data" and "genetic data" were intended to remain open for Member States (Art. 81f GDPR), in the final text the clauses that allowed national regulations in this area are missing. Probably in many EU Member States now it has to be analyzed in detail which data protection rule in the social law will be replaced by which provision of the GDPR.
The four main permission clauses
In place of the existing detailed national rules the GDPR sets basically six general provisions which determine whether data processing is principally permitted (Art. 6 para. 1 (a) -(f) GDPR). In practice, the following four essential permission clauses will be the most important:
Data processing is covered by consent of the data subject;
Data processing is necessary for the performance of a contract;
Data processing is necessary for compliance with a legal
Data processing is necessary for the purposes of the legitimate
interests of thedata controller.
Many cases will be solved by „legitimate interest“
To assess whether data processing lies in the “legitimate
interest” of the data controller and is not overridden by the interests or
fundamental rights and freedoms of the data subject is a complicated task,
especially since initially there will be no case law available as guidance.
This is even more severe as most of the techniques of the modern world – which
should actually been regulated by the GDPR – like targeting for advertising
purposes, Big Data, Industry 4.0, Smart Home, Connect Car and the Internet of
Things are in the most cases lawful if there is a consent, a respective
contract or – at least – sufficient “legitimate interest” of the data
controller. However this may be an advantage for undertakings after all, as the
important provision of “legitimate interest” opens a broad scope of
interpretation which may be used to justify direct marketing which would not be
allowed under the current national data protection laws. After all, the
recitals contained indications as to when a legitimate interest may exist, such
as in data processing for the purposes of:
- Fraud Prevention
(recital 38 )
- IT Security
(recital 39 )
- Direct marketing
(recital 38 )
management (recital 38a)
While by the latter recital at least an indirect “group
privilege” is implemented in the GDPR, it must be noted, that new technologies,
such as Big Data and Smart Home, are not mentioned as examples of legitimate
interest. It is thus important, to analyze in detail the facts of the case and
carefully balance the interest of the data subjects and the data controller
before apply such technology.
Within the frame of the balancing test, the “reasonable
expectations” of the data subjects have to be taken into account (Recital 38).
The “reasonable expectations” are a new indefinite legal term in this context
which has no example in data protection law.
The two years until the GDPR becomes affective should be used to
analyze which permissions could apply to existing data processing and whether
there are sufficient valid arguments in favor of an overriding interest of the
data processor, where the legitimate interest shall be the basis.
The privacy regulation contains too many new provisions to
address all aspects in this Update in detail. From the presented facts the following
conclusion can be drawn: Given the new high fines and the many changes in
substantive law, undertakings should start early to examine which changes will
be needed in the processing of data. Many of the previous guidance of the
national supervisory authorities cannot be of any help within the course of the
examination. As an exception it is likely that some Opinions of the Art. 29
Data Protection Working Party may be used at least as a landmark, as the
Working Party has usually based its Opinions not on the national law but on the
old Directive 95/46/EC with its very similar wording regarding the permission
clauses. It will be interesting to observe if new guidance papers of the data
protection authorities will be published until the applicability of the GDPR.