The European General Data Protection Regulation applies throughout the EU from 2018. It is a major change to EU data protection law and includes a significant increase in sanctions. The European Parliament and the Council of the European Union agreed the final text of the new Regulation, “The Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data,” commonly known as the General Data Protection Regulation or GDPR, in December 2015.
The EU Parliament formally adopted the new regulation on April 14, 2016. It was published in the Official Journal of the European Union on May 4, 2016, entered into force 20 days later (May 24, 2016), and, after a two-year transition period, applies automatically in every EU country from May 25, 2018, without any national implementing legislation.
The project to write the EU GDPR started in 2012, and it is a major update to the previous EU Data Protection Directive (95/46/EC) published in 1995. It is intended to harmonize the laws across the 28 member states, clarify areas that were previously interpreted differently in different countries, extend its scope to any organization or individual that collects data on people in the EU, and ensure that the rules are enforced in a similar manner across all states.
Any organization that decides why and how personal data is used (a “data controller”) or stores and processes data on behalf of a controller (a “data processor”) for individuals in the EU must conform to this regulation and put in place the policies and technology needed to do so.
The full regulation covers many areas. The top ten provisions are:
- Increased fines. Fines can be up to 4% of global annual turnover or €20M, whichever is higher.
- Opt-in consent. Users must give clear, unambiguous consent for you to use their data, and you must only use it for the purpose for which it was collected.
- Breach notification. The local supervisory authority (see Supervisory Authorities & Their Responsibilities) must be informed within 72 hours of the organization becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals, and affected users must be informed “without undue delay” where the breach is likely to result in a high risk to them.
- Territorial scope. Any organization that processes data on people in the EU has to conform, wherever it is based.
- Joint liability. Data controllers and data processors involved in the same processing are jointly liable for data loss incidents.
- Right to erasure. Users have the right to demand the removal of their data (the “right to be forgotten”).
- Removes ambiguity. One law across the EU.
- Data transfer. Transferring data outside the EU is allowed only where the destination offers adequate protection or appropriate safeguards are in place, and the data controller remains ultimately responsible if data is lost via a non-EU cloud provider.
- Common enforcement. The supervisory authorities are expected to enforce consistently across all the countries.
- Collective redress. Users can act together, or mandate a not-for-profit body to act on their behalf, to bring claims.
Who does it affect?
GDPR applies to any organization (commercial or governmental) globally that collects, stores, or processes data on individuals in the EU, including CASB vendors. The law is an expansion of the previous directive, which placed its obligations on data controllers and in practice could only be enforced against organizations established in the EU. Data processors are now directly regulated and jointly liable with data controllers, so if your organization collects data on individuals and then outsources the processing of that data to another entity, both you and they are liable for that data.
Data controllers outside the EU
Some data controllers based outside the European Union have, in the past, claimed that they are not subject to the directive because they are not based in one of the 28 countries of the EU. The regulation makes it very clear that any organization, wherever it is based, is responsible if it processes data on people in the EU in connection with offering them goods or services or monitoring their behaviour.
An organization does not need to have a legal presence in a particular EU country for the courts to decide that it answers to that country's supervisory authority. In the Weltimmo case (decided by the Court of Justice of the EU in 2015 under the 1995 Directive), the company was held to be subject to Hungarian data protection law even though it was registered in another country, Slovakia. Because it had a representative in Hungary and was offering a service to Hungarian customers via its website, it was treated as established in Hungary and liable under the Hungarian interpretation of data privacy law.
Definition of personal data
The law has deliberately been written without an exhaustive list of what counts as personal data, so that it does not become out of date if a new way of identifying people appears. Broadly speaking, any information relating to an identified or identifiable living person (a name, an identification number, location data, an online identifier such as an IP address or cookie ID, or factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity) is personal data.
Consequences of noncompliance
The current data protection directive left the decision on whether to impose fines, and at what level, to the member states, which has resulted in different levels of fines in each country. Over time, these fines have also been modified. For example, the maximum fine that the UK regulator was able to impose in 1998 was £50,000; this was then increased to £500,000 in April 2010. Over the years, the average fine for a data breach has risen, with the largest to date at £350,000 imposed in February 2016. The regulation states that fines should be “effective, proportionate and dissuasive,” and the maximum possible fine has been increased to ensure that it gets the attention of organizations.
For breaches of the key articles of the regulation, the maximum fine is now €20,000,000 or up to 4% of an organization's global annual turnover, whichever is higher. The opening recital of the regulation states “The protection of natural persons in relation to the processing of personal data is a fundamental right… everyone has the right to the protection of personal data concerning him or her.” This level of fines should leave no one in any doubt that data protection is taken very seriously and that anyone misusing or losing data on people in the EU countries is at risk of serious penalties.