Supervision and enforcement action to be taken by regulator where main establishment in EU is located
The general rule, that national regulators have competency within their national territory, is added to by the introduction of a “one stop shop” concept. Where a data controller or processor has operations in several Member States, the “lead” regulator (the regulator in the Member State in which the controller or processor has its main establishment) will have competency to supervise and bring enforcement action in respect of all that controller’s or processor’s activities in the EU. The Regulation gives some guidance on what constitutes a “main establishment” and focuses on where processing is directed from rather than where it is undertaken. However, how this one stop shop will operate in practice remains unclear, particularly given the current divergent approaches to enforcement and sanctions between Member States.
Unified rules and consistency of application
The Commission decided to implement the new regime by Regulation as opposed to Directive specifically to reduce divergence in data protection rules between Member States but its application could still become inconsistent through measures and actions taken by national regulators.
The Regulation therefore sets out a consistency mechanism, under which national regulators should submit certain measures, in particular measures that would substantially affect the free movement of personal data between Member States, to the European Data Protection Board (made up of all EU national data protection regulators) for its opinion. The national regulators would then have to take this opinion into account. The Commission may also issue an opinion, which must be taken into account. There are also general obligations of co-operation between Member States.
This unified approach is relaxed in certain areas so that Member States are permitted to legitimise wider processing or restrict the scope of the data subject’s rights on the grounds of public security, the prevention and detection of crime and, where necessary, for regulatory and taxation purposes. Member States are also given the freedom to set out specific rules relating to the processing of personal data in the employment context, which will mean that consistency in this difficult area of cross border data handling is less likely to be achieved.
Further detailed requirements will flesh out the Regulation
The Commission is given delegated powers to issue more detailed criteria and requirements in relation to many of the substantive provisions of the Regulation and the European Data Protection Board is also tasked with issuing guidelines and best practice. In addition, the Regulation encourages associations and representative bodies to draw up sectoral codes of conduct which can be approved by national regulators or the Commission.
It is clear that the Regulation is the starting point for the new regime. These additional measures will resolve ambiguities in the Regulation and hopefully ensure consistency across Member States; however, they will also add another layer of more detailed compliance obligations which data controllers and processors will need to monitor carefully.
Data processors to have responsibilities
The Regulation retains the concept of data controllers and data processors, but introduces direct obligations on data processors. These include that processors must document in writing with the controller the controller’s instructions and the processor’s obligations. Processors must also maintain documentation for all processing operations for which they are responsible, and must make this available to the national regulator on request (the same obligation also applies to controllers). There are also obligations on processors to implement appropriate security measures and to appoint a data protection officer. Giving processors these responsibilities may assist the negotiation of processor arrangements.
Data protection officer appointment mandatory
There is an obligation for an independent data protection officer to be appointed where processing is carried out by a public body, an enterprise employing 250 or more people, or where the core activities of a controller or processor consist of processing obligations which require systematic and regular monitoring of data subjects.
This obligation applies to both controllers and processors and a failure to appoint may attract a top tier fine. The data protection officer must be appointed for periods of at least 2 years and may only be dismissed during that time if they no longer fulfil the requirements to be data protection officers. Such security of tenure is likely to give data protection officers greater influence than they may have had previously.
Abolition of notification regime and formalisation of impact assessments
The requirement to notify the national regulator that processing of personal data is taking place has been abolished, to reduce financial and administrative burdens. An “impact assessment” regime coupled with the concept of “accountability” would replace this. The impact assessment regime would require a controller or processor to carry out an assessment of the safeguards for protecting personal data where processing operations are likely to present a particular risk to data subjects. Where the impact assessments indicate a high risk, the national regulator should be consulted. The controller should seek the views of affected data subjects except where it would prejudice the controller’s security or commercial interests.
Controllers and processors are required to implement specific compliance measures (which capture current best practice) including recording and establishing the details of personal data processing, data retention periods, the grounds on which data are processed and on which export is legitimised; undertaking a risk assessment in order to implement appropriate security; system design that minimises personal data collection and access; and verification of the effectiveness of those measures through independent internal or external audit where proportionate.
These measures need to be documented and made available to national regulators on request.
This part of the Regulation will have a significant impact on day-to-day data handling if effectively enforced and as such will affect all data controllers (although some documentation requirements are relaxed for certain organisations with fewer than 250 employees). The Commission may issue further requirements as to what constitutes best practice and this will set a base standard that must be achieved.
Consent as a ground for processing
The consent provisions have been strengthened. The definition of “data subject’s consent” has been amended to include the requirement that the consent is “explicit” and indicated through clear affirmative action. Consent to processing must be given in a form which clearly relates to the processing, rather than as part of a general consent to a range of matters. Consent will not be valid if there is a significant imbalance in the form of dependence between the position of the data subject and the controller, and consent in respect of a person under 13 years old must be obtained from their parent.
Right to be forgotten and data portability
The Regulation introduces a right for data subjects to be “forgotten”. Data controllers must erase personal data relating to data subjects who have withdrawn their consent (or the storage period consented to has expired) and where there is no other ground available to process the data, or who have raised a legitimate objection to the processing, or where the data is no longer necessary in relation to the purposes for which it was collected, or the processing otherwise does not comply with the Regulation. The right is stated to apply in particular to personal data provided when the data subject was a child.
The right also requires a data controller who has authorised the third party publication of the data subject’s personal information to inform such third parties that the data subject requests them to erase links to or copies of his or her personal information. This obligation is considerably weaker than in the leaked draft Regulation, which required the controller to “ensure the erasure” of such links or copies.
Data subjects would also have the right to data portability where the controller processes them electronically in a structured and commonly used format. In these circumstances, the controller must provide a copy of such data to the data subject in the structured format. Where the data was provided by the data subject him or herself and the controller’s processing was based on the data subject’s consent or “on a contract” the controller must also permit the data subject to transfer the data to another automated processing system “without hindrance”.
The details of these rights (which the Commission has delegated powers to specify) will determine their practical workability but as drafted, they present many questions for businesses as to their scope and the steps that will be required to comply with them.
Mandatory data breach notification
Controllers must notify any data security breach which leads to unauthorised disclosure, access to, or destruction of, personal data to their national regulator and, in certain circumstances, the data subject, as soon as possible and where feasible, within 24 hours of becoming aware of it. The data subject should be notified if the breach is likely to adversely affect the protection of the personal data or privacy of the data subject. This timescale will be challenging for many organisations.
The process and restrictions in respect of data export from the EU have not been modified by the Regulation as much as some had hoped. The basic existing EU restrictions on data transfers to countries that do not offer adequate protection remain in place. However, the Regulation does make it clear that where EU model clauses are used or binding corporate rules approved no further authorisations are required, which will reduce the effort required to implement these types of export solutions. The permitted use of binding corporate rules has been codified in the Regulation, and one area of significant change in this respect is that binding corporate rules will be available for use by data processors’ groups of undertakings, which will better reflect the reality of processor designed security measures in cloud and other geographically distributed outsourced services.
Interestingly, an Article in the leaked draft Regulation which restricted a controller’s compliance with regulatory and disclosure requests and orders from non-EEA authorities and courts (for example under the US Patriot Act) without prior authorisation from the controller’s national regulator has been dropped from the Regulation, leaving the current uncertainty in relation to cross border regulatory and disclosure requests unaddressed.