Last week, the EU reached political agreement on the final text of the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will have substantial implications for any global company doing business in the EU. The GDPR will apply two years after its formal adoption, so compliance will be required in 2018. The article numbers cited below are those of the agreed compromise text; the final Regulation (EU) 2016/679 renumbered many of them (the fine provisions, for example, became Article 83, and breach notification became Articles 33 and 34).
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
1. Penalties and Enforcement
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditions for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority for upper management at some global companies, it will be soon.
2. Cross-Border Data Transfers and Safe Harbor 2.0
The GDPR, like the EU Data Protection Directive before it, restricts the transfer of personal data to countries outside the EU. Transfers are permitted to countries the European Commission has found to provide an adequate level of protection; otherwise the exporting organization must rely on an approved alternative mechanism, such as Binding Corporate Rules (BCRs) or model contract clauses.
The US was not deemed to provide an adequate level of protection under the EU Data Protection Directive, and the solution of choice for most companies for cross-border data transfer was the Safe Harbor Arrangement. But Safe Harbor was invalidated earlier this year in the Schrems case. A new Safe Harbor will need to be negotiated.
What will Safe Harbor 2.0 look like? The problem the Court of Justice identified in Schrems with the original Safe Harbor, namely the weak protections against access to personal data by the US government, will still be present. This problem exists not only with Safe Harbor but also with BCRs and model contracts, and it will continue to exist with any means of transfer.
I wonder what concessions the US will make to broker Safe Harbor 2.0 with the GDPR. Nothing short of a repudiation of the third party doctrine or bold new rules limiting government access to personal data will satisfy the logic of Schrems, but this likely won’t happen. What will likely happen is that the US will provide a small hat tip toward the concerns raised in Schrems, add in some additional protections to Safe Harbor, and we’ll get a somewhat more protective Safe Harbor Arrangement for version 2.0. There’s simply no way that the EU can follow the logic of Schrems to its ultimate conclusion.
Ultimately, the GDPR and Schrems mean that something stricter than the existing Safe Harbor will need to be negotiated.
3. Vendor Management
Under Article 26, a “processor shall not enlist another processor without the prior specific or general written consent of the controller.” In practice, this means that a vendor handling personal data on an organization’s behalf cannot subcontract that work, and hand the data to a sub-processor, without the approval of the controller (the organization that supplied the data and determines the purposes of the processing). Article 26 also requires a contract between controller and processor setting out the processor’s obligations, so existing vendor agreements and sub-processor arrangements will need to be reviewed.
It is interesting to compare this to HIPAA, where there are contractual requirements for covered entities and business associates that transfer data to third-party vendors, but there is no requirement that the covered entity consent to every subcontract that a business associate makes with a third-party vendor.
4. Role of the Data Protection Officer
Article 37 sets forth the tasks of the Data Protection Officer, which is akin to the Chief Privacy Officer (CPO) role as it is referred to in the US. These tasks are the standard ones, and there are no surprises here.
But the role of the CPO will take on heightened importance given the much higher stakes that the GDPR imposes.
Article 35 makes a DPO mandatory for public-sector entities (except courts acting in their judicial capacity) and for controllers and processors whose core activities consist of large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, which is to say the Big Data business.
Near and dear to my heart is the fact that the GDPR requires training. Under Article 37, the GDPR includes among the tasks of the Data Protection Officer “awareness raising and training of staff involved in the processing operations.”
Under Article 43, in connection with Binding Corporate Rules (BCRs), the GDPR requires “the appropriate data protection training to personnel having permanent or regular access to personal data.”
Training is thus a requirement to comply with the GDPR. The quality of an organization’s training is also key to how EU regulators will assess a company’s overall commitment to data protection. For EU regulators, an organization’s stated commitment to privacy and security is not mere words; they care deeply about whether the message is backed up in practice. This might have an impact on decisions about when to enforce as well as how much to assess in fines.
5. Consent
Under Article 7, the controller bears the burden of demonstrating that the data subject validly consented to the processing of his or her data. Consent must be “freely given.”
Article 7 further states: “When assessing whether consent is freely given, utmost account shall be taken of the fact whether, among others, the performance of a contract, including the provision of a service, is made conditional on the consent to the processing of data that is not necessary for the performance of this contract.” This factor is a particularly strong one, and it will be interesting to see what effect it has. Interestingly, a similar type of restriction on making consent conditional exists in HIPAA, where authorization for many uses cannot be required as a condition to receive treatment.
6. Parental Consent for Children
Of particular note is Article 8, which provides that where an information society service is offered directly to a child and processing is based on consent, parental consent is required for children under 16 years of age, except that member states may set a lower cutoff for parental consent so long as it is not lower than 13 years.
7. The Right to Be Forgotten
Article 17 provides for an explicit right to be forgotten. Data must be erased “without undue delay” if no longer necessary or if consent is withdrawn, among other things. This codifies, and broadens, the right to be forgotten that the Court of Justice read into the EU Data Protection Directive in the Google Spain case in 2014.
8. Data Breach Notification
Article 31 requires that within 72 hours (3 days) of becoming aware of a breach, the controller “shall notify the supervisory authority,” unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; a notification made after the 72 hours must be accompanied by reasons for the delay. This is a very short time period, and it is not particularly practical.
Under Article 32, notification must be made to data subjects when the breach “is likely to result in a high risk to the rights and freedoms of individuals.” Notification must be “without undue delay.” Individual notification is not required, however, where the controller had applied protective measures that render the affected data unintelligible to unauthorized persons, such as encryption. That is a point worth noting for anyone deciding whether data at rest and in backups gets encrypted.
A “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
It is interesting that the individual breach notification is tied to a “high risk.” Many US state breach notification laws have a broader trigger, and the HIPAA Breach Notification Rule applies far beyond high-risk situations. It will be interesting to see how the EU authorities define “high risk.” Courts in the US are very reluctant to recognize risk or harm; things might be very different in the EU, because there harm is understood as a violation of rights, whereas in the US harm is a separate concept. In other words, in the EU a violation of rights is a harm unto itself, a violation of dignity. In the US, a person’s rights can be violated without harm, which courts often require to involve physical, reputational, or monetary injury.
9. Territorial Scope
The GDPR has a very wide scope. Under Article 3, the Regulation “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Article 3 goes further: it also applies to controllers and processors with no establishment in the EU at all, where the processing relates to offering goods or services to data subjects in the EU or to monitoring their behavior there. This means that organizations outside the EU are covered too.
10. Why Does the EU Want Such Strict Regulation?
Why is the EU so interested in adopting strict regulation of privacy and security? Impeding data flow between the US and EU can hurt the economy. In light of the already significant differences between the US and EU approach to privacy, why is the EU pushing even further away from the US?
A cynical view is that the EU is being protectionist, trying to impede US businesses from competing. Indeed, the EU is quite inconsistent in its adherence to principles; the EU is quick to chastise the US for its massive government surveillance yet ignores such surveillance by its own member countries. But there is hypocrisy on all sides of the issue, and I don’t think that the hypocrisy is grounds to conclude that the EU isn’t genuine in its desire to protect privacy. I think that the EU really does care — it just speaks of rights in absolutes even though in practice it never really treats them as such.
I believe that the main reason for the EU’s doubling down on privacy and security protection is that the EU is winning this fight. The EU has been leading the debate on data protection. Nobody ignores the EU. It has generated a ton of attention. The EU has established itself as a formidable thought leader in this area, and its regulation really does have a significant impact.
Global companies follow EU privacy law, using EU definitions of personal data more than US definitions. Other countries pattern their laws much more on the EU than on the US.
Over the past two decades, privacy protections in the US and elsewhere have grown stronger. US privacy law has strengthened significantly. Before, companies mostly argued for self-regulation. That train has long left the station. The baseline for protection is higher now. The gap between the US and EU has closed, with the US moving more toward the EU side than vice versa.
It is virtually a non-starter to have any agreement on data transfer that is weaker than Safe Harbor. The starting point is something much more robust. The EU has already won before the negotiations have even begun.
So why not double down on privacy and security? It has been a winning hand thus far for EU regulators.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.