The European General Data Protection Regulation envisage severe sanctions
Back in 2012 the European Commission put forward the text of its General Data Protection Regulation (the ‘Regulation’). The objective of this new set of rules is to strengthen the rights of the citizens and to make Europe fit for the digital age. The provisions of the new Regulation were lengthy debated by the European institutions, which were to decide, for instance, how many million Euros should be imposed as a sanction in case of its violation. To date, a political agreement has been reached, the adoption and publication of the new legislation in the EU’s Official Journal are pending, albeit it will be two years’ time (2018) until its practical implementation will commence. The Regulation is directly enforceable in the Member States, it will replace and unify the currently in force legislation in each of them – in Bulgaria this is the Law on Protection of Personal Data. The new Regulation has long been in sight of the large-scale companies, which are already taking actions to comply with the more stringent conditions. However, it will be applicable not to them only, but to every personal data controller, as for instance it is every employer who is processing data regarding his employees. It is time to take a closer look to the challenges that lie ahead for the business.
Extra-territoriality
In today’s digital world data has long been converted into a “currency” for receiving of online services, as without that data being provided, the individuals are unable to have access to those services. The Regulation seeks to protect the values of the European citizens even to companies established outside the Union. The new Regulation will apply to them if they target users in Europe – i.e. if they offer goods or services to EU citizens or track them on the internet, with the aim of making profiles to analyse or predict their personal preferences and behaviour.
The current rules on data protection apply to companies outside the EU as well, however, only if their servers are located in a Member State. It is obvious that the idea is to apply the new strict European rules against giants such as Google and Microsoft, albeit the question is to what extent they will be effectively enforceable.
Consent
In order the processing of information to be lawful, even under the current law, there should be present one of the specifically outlined preconditions such as consent of the person, contract to which the data subject is a party, a legal obligation towards the controller and others. In most cases the data are collected on the basis of consent of the person, and namely in relation to the consent the Regulation sets enhanced requirements – it must be unambiguous and to be given by a clear affirmative action. This ensures that an implied consent will not be considered valid – this would be, for example, the mere use of a website in which the consumer silently agreed to the terms and conditions part of which is the consent to process, or boxes pre-ticked by the controller, or inactivity by the user (such as not changing the security settings). Consent must ensure the awareness of the person that he gives his consent and also the knowledge exactly what he consents to. It shall be possible the consent to be withdrawn at any time and to be as easy to withdraw consent as to give it. Moreover, the consent to process should not be required as a condition to access a service, when personal data is not necessary for its performance.
Enhanced responsibility of the controller
The new regulation stipulates a number of obligations for all data controllers. Such are the requirements for privacy by design and privacy by default. The former states that the privacy risk should be taken into account already in the process of designing a new product or service, by taking proper technical and organisational measures and procedures (e.g. pseudonymisation) for compliance with the Regulation. The latter requires a processing by default of data which is necessary for any specific purpose, i.e., the data should not be collected or stored in volume or storage life greater than the minimum required for those purposes.
All companies processing personal data will be obliged to present significant amounts of information to those whose data is collected, by the moment of their reception and when there is an intention for further handling for different purpose. They will also need to notify the regulator (in Bulgaria it is the Commission for Personal Data Protection) in the event of a breach of personal data no later than 72 hours after its discovery and to implement data protection impact assessment in high risk situations.
Far stricter liability is provided for certain groups of controllers. These are companies whose core activities consist of processing operations and who are conducting large-scale profiling of persons (Facebook), or companies that handle great volumes of sensitive data (this could probably be an insurance company, collecting health data of the insured persons). They will have to appoint a data protection officer with expert knowledge of the law and practices in this area, who can be an employee of the company or externally hired.
There are enhanced requirements for companies with over 250 employees or if the processing leads to risks to the rights and freedoms of the data subject, or when sensitive data is processed. In these cases, controllers are bound to keep records of all processing activities in a minimal amount specified in the Regulation.
Sanctions
The Regulation provides for significantly higher penalties than those which are being currently imposed under the domestic legislations in the EU. In the event of violation of the Bulgarian Law on Protection of Personal Data the fines could be up to 100,000 levs (€ 51,000).
The maximum penalties under the Regulation could reach 20 million euros, or 4 % of the total worldwide annual turnover of the preceding financial year of the company, whichever is higher. The Commission for Personal Data Protection will be competent to impose fines if, for instance, the controller has not complied with the conditions for consent (when the processing is based on a consent) or has violated individuals’ rights under the Regulation (such as the ‘right to be forgotten’, i.e. his data to be erased). It is novelty that data processors (such as cloud service providers) will be directly responsible and, respectively, they will be threatened by sanctions.
European legislators are proud of the reform in the field of data protection and consider that it will not impede the economic activities, but the opposite – it will help Europe to develop innovative digital services . We hope this will be the case. No doubt, however, the risk for business will significantly increase in case of non-compliance with the new rules, which necessitates critical review and adjustment of policies and practices of the companies before the Regulation comes into effect.
The article has been published in Bulgarian, in Capital Daily: http://www.capital.bg/biznes/vunshni_analizi/2016/04/03/2735701_sigurnostta_na_dannite_-_novoto_predizvikatelstvo_za/