The General Data Protection Regulation (GDPR) and the Way Forward

By Nikolaos Theodorakis

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was introduced in April 2016 with the intention of strengthening and unifying data protection for individuals within the European Union (EU). It will enter into force in 2018, replacing the outdated data protection directive of 1995. The GDPR is intended to make citizens masters of their personal data, and to simplify the regulatory environment for international businesses. Personal data may range from a name, to a photo, email address, bank details, or a computer’s IP address.

The regulation applies to data controllers, data processors, and data subjects that are based in the EU. It provides for harmonization of data protection regulations throughout the EU and includes a strict data protection compliance regime with severe penalties of up to 4% of global turnover. The proposed EU data protection regime also extends the scope of the EU data protection law to foreign companies that process data of EU residents. The regulation does not extend to the processing of personal data for national security activities or law enforcement, however.

In implementing the GDPR, each Member State will establish an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offences, etc. SAs will cooperate to provide mutual assistance and organize joint operations. A business that operates in multiple Member States will have a single SA as its “lead authority” based on the location of its headquarters. The lead authority will act as a “one-stop shop” to supervise all processing activities throughout the EU. A European Data Protection Board will coordinate accordingly.

The notice requirements of the prior directive are expanded by the GDPR. Automated individual decision-making includes profiling, and citizens now have the right to question and fight decisions affecting them that have been made on an algorithmic basis. A Data Protection Officer is also given the duty of administering the Regulation.

As for data breaches, the independent Data Protection Officer (DPO) has the legal obligation to notify the Supervisory Authority without undue delay. There is no de minimis standard, and it is likely the GDPR will require that such breaches be reported as soon as possible. In the case of a data breach, the following sanctions may be applicable: a warning in writing in cases of first and unintentional non-compliance; a regular periodic data protection audit; a fine up to 10 million EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise; or a fine up to 20 million EUR or up to 4% of the annual worldwide turnover of the preceding financial year.

The right to erasure replaces the right to be forgotten, and will be somewhat more limited in its scope. Under this right, the data subject has the right to request erasure of personal data related to him on a number of grounds, and if the interests or fundamental rights and freedoms of the data subject override the legitimate interests of the controller.

Data portability recognizes that a person shall be able to transfer their personal data from one electronic processing system to another, without being prevented by the data controller. The data must be provided by the controller in a structured and commonly used electronic format.


The way forward

The proposal has given rise to much discussion and controversy. Thousands of amendments were proposed and the GDPR has attracted considerable criticism.

First, the Data Protection Officer is a new concept that several EU countries did not have before. It has been criticized for creating an administrative burden. The GDPR has also been criticized for not sufficiently considering requirements for handling employee data.

Data portability is also not seen as a key aspect for data protection, but rather as a functional requirement for social networks and cloud providers. Language problems may occur here, since there is not a single DPA that can be contacted, but rather the DPA that a company chooses.

In any event, the GDPR must be examined vis-à-vis the EU-US Privacy Shield that has aimed to replace the Safe Harbor agreement and has still attracted considerable criticism.

It remains to be seen how the GDPR will be implemented in practice since it requires comprehensive changes of business practices for companies that had not implemented a comparable level of privacy before the regulation entered into force. Naturally, the European Commission and DPAs will have to provide sufficient resources to enforce the implementation and a certain level of data protection must be agreed to by all European DPAs.