
The new EU Data Protection Regulation

The introduction of a new EU Data Protection Regulation has moved a significant step closer. Scott Sammons highlights the key points.

So readers will no doubt have seen by now that, in a whirlwind turn of events, the European Parliament and LIBE Committee have voted on and approved the European Data Protection Regulation text. This will now be the future of data protection throughout the EU from the beginning of 2018 onwards (two years from now, pretty much).

Well, most of the big talking points over the last few years have survived in one form or another, but with some surprises. In this article I’ll give you an overview of some of these, then over the next few months we’ll start looking at individual areas in subsequent posts and see what this means for us here in the UK.

Scope

The Regulation does indeed apply to any entity offering goods or services (regardless of whether payment is taken) and to any entity monitoring the behaviours of citizens residing within the EU. There is still the requirement to establish a representative within the EU, but it means that entities are now directly responsible for compliance with this regulation (and not just their EU based entity) if they are processing EU citizen personal data in any way.

Definitions

Pseudonymisation, profiling, genetic data and biometric data are all specifically defined in the regulation, and very much as you would expect. There is, however, a new definition for health data that now outlines not only that health data is anything relating to the mental or physical health of a person, but also any information that can reveal information about their health status. This means it is very clear that, for example, if a list of email addresses on a mailing list for people who receive HIV treatment is disclosed, that is a definite and clear disclosure of health data and not just personal data.

Principles

There are now six data protection principles which broadly cover the same themes as previously. Personal data must be:

1. Processed fairly, lawfully and in a transparent manner. As previously discussed, this transparent manner now requires controllers to provide more information to the data subject at the point of collection, but also when any changes to that processing occur, for example if the information is used for a purpose other than that for which it was originally collected (one which doesn’t go against other rules of the regulation, of course).

2. Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with the original purpose, with some exceptions for further processing for archiving, public interest or research purposes.

3. Adequate, relevant and limited to what is necessary in relation to the purposes. This now brings in the much talked about “data minimisation” principle, which we have already seen, though not set out as explicitly as in this new regulation.

4. Accurate and kept up to date. No real changes here; this remains the same.

5. Kept in a form that permits identification for no longer than is necessary, again with exceptions for archiving and research purposes.

6. Processed in a way that ensures appropriate security of the personal data. No major change here, except an explicit reference to the “integrity and confidentiality” of the personal data.

Consent

Where consent is required in order to legitimise the processing (which is limited under the regulation), the controller must be able to demonstrate clearly that it has clear and unambiguous consent for each purpose for which consent is required.

The regulation now also states that, for “Information Services”, if information is to be processed on a child under 16 years of age then consent must be obtained from the parent. The regulation does, however, allow member state laws to lower this threshold where appropriate, but not below the age of 13 years.

Special Categories of Personal Data

So “Sensitive Personal Data” as a term, as known under the Data Protection Act, has now gone and been replaced with the term that a few EU countries use, which is “special categories”. These are broadly similar to the current list; however, the definition is now any data “revealing” racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data (processed for the purpose of identifying someone), data concerning health, or sex life and sexual orientation.

Data Subjects Rights

The list of rights that a data subject can exercise has been widened (sort of). There are some new things in here, but most of this is a reshuffling of existing rights. It is also worth noting that the controller must provide clear, transparent and electronic methods for the data subject to exercise said rights. The list now includes:

  • Access;
  • Rectification;
  • Erasure;
  • Restriction of processing;
  • Data Portability;
  • Right to object (to marketing, profiling, research);
  • Right to object to automated individual decision making (including profiling);
  • Right to lodge a complaint with a supervisory authority.

Data Protection by design & Data Protection Impact Assessments

Data controllers are expected to include data protection controls at the design stage, and can certify that they have such controls via approved certification schemes.

Where a new technology etc. is looking to collect personal data in a way that poses potentially high risks to that personal data, the controller shall, prior to the processing, carry out a Data Protection Impact Assessment. Supervisory authorities can then also produce lists of what sort of processing would warrant such an assessment and what would not. These assessments, where appropriate, may also need input from data subjects and indeed from the supervisory authority.

Notification

While notification to a regulator has gone, Article 28 now requires controllers to keep a similar record of all purposes, joint controllers, data categories, recipients (which can be categories), transfers to third countries, time limits for erasure, and a general description of the technical and organisational measures in place to protect this data.

Breaches

That highly discussed breach notification point has finally come down to 72 hours. So the regulation now outlines that controllers have 72 hours from being made aware of the breach to notify the supervisory authority. You can, however, notify later providing you have a “reasoned justification”.

And now the really juicy stuff: fine amounts. As predicted, these are “staggered” so that not all breaches will result in 20 million euros.

For breaches of or non-compliance with the following you can receive a fine of up to 2% of global annual turnover (for undertakings) or 10 million euros. The regulation doesn’t outline automatic fines for single breaches, but instead allows supervisory authorities (through their cooperation mechanism) to agree a framework for ‘qualification’ for fine amounts based on the extent of the non-compliance.

  • Consent for children’s data (article 8)
  • Processing not requiring identification (article 10)
  • Data Protection by Design (article 23)
  • Joint Controllers (article 24)
  • Representatives of the controller within the EU (article 25)
  • Processors (article 26)
  • Processing under the authority of the controller and processor (article 27)
  • Records of processing activities (article 28)
  • Co-operation with the supervisory authority (article 29)
  • Security of processing (article 30)
  • Notification of the breach (article 31)
  • Communication to data subject of the breach (article 32)
  • Data Protection Impact Assessment (article 33)
  • Prior consultation (article 34)
  • Designation of the Data Protection Officer (article 35)
  • Position of the Data Protection Officer (article 36)
  • Tasks of the Data Protection Officer (article 37)
  • Certification (article 39)

For breaches of the following you can receive a fine of up to 4% of global annual turnover for undertakings or 20 million euros:

  • Principles of Data Protection (article 5)
  • Lawfulness of processing (article 6)
  • Conditions for Consent (article 7)
  • Processing special categories of personal data (article 9)
  • Rights of the Data Subject (articles 12-20)
  • Transfer of personal data to third countries (articles 40-44)
  • Powers of the Supervisory Authority (article 53)

Data Protection Officer

Good news, DPOs: we have a future! Our future isn’t as “all powerful” as in the first text, but it does pretty much cement the Data Protection Officer as a key role within a public body and medium to large private enterprises. Key points are:

  • Controllers can have one officer appointed across multiple entities, taking into account their structure and size.
  • The officer shall have expert knowledge in data protection law and practices.
  • They can be a staff member or contractor.
  • Their contact details must be published to data subjects and the supervisory authority.
  • They should be involved in all matters affecting personal data.
  • They shall be protected from being dismissed or coerced while performing their duties under the regulation.
  • DPOs are to inform staff of the controller of their responsibilities under the regulation and monitor the controller’s compliance with its responsibilities.

International data transfers

So, no major changes here, but some key emphasis that is worth being aware of. The Commission retains the right to decide on the “adequacy” of third countries and will continue to publish and control the safe list. Standard Model Contract Clauses are also a viable method for transfer, and now Binding Corporate Rules are explicitly outlined as a method of transfer too.

Supervisory Authority

The bulk of the wording here is nothing new. They need to be independent, monitor compliance, and be proactive in producing guidance and standards etc., but there are some subtle changes. The authority has the powers to:

  • Order the controller, processor or representatives of either to provide information in relation to its objective.
  • Carry out investigations in the form of audits.
  • Review certifications.
  • Notify of infringements.
  • Obtain from the controller or processor access to any personal data in relation to its objective.
  • Obtain access to premises including access to equipment (in line with local law).
  • Issue warnings, reprimands, orders to comply, order the controller to inform a subject of a breach, impose a ban on processing, order a rectification, issue a fine and order a suspension of international data flows.

That’s it for this post, but there is a lot more content in the DP regulation and I should imagine a few more discussions and blogs to come looking at specific areas and what this means for the future. As always, it will be a practical discussion on what this means in real terms.

Scott Sammons is a solicitor and director of Act Now Training. This article first appeared on the Act Now blog.
