Hunton Andrews Kurth LLP | James Henderson | Aaron P Simpson | David Dumont | Anna Pateraki
The EU General Data Protection Regulation (GDPR) became directly applicable in all EU member states from 25 May 2018 and in the other European Economic Area member states (Iceland, Liechtenstein and Norway) in July 2018. The GDPR replaced the EU Data Protection Directive (Directive 95/46/EC) dated 24 October 1995, and established a single set of rules throughout the EU, although EU member state data protection laws complement these rules in certain areas. The EU data protection authorities (DPAs) now gathered in the European Data Protection Board (EDPB) have published a number of guidelines on how to interpret and implement the legal framework. This provides useful guidance to businesses on how to align their data protection practices with the GDPR.
Territorial scope
The GDPR is relevant to both EU businesses and non-EU businesses processing personal data of individuals in the EU. With regard to businesses established in the EU, the GDPR applies to all data processing activities carried out in the context of the activities of their EU establishments, regardless of whether the data processing takes place in or outside of the EU. The GDPR applies to non-EU businesses if they ‘target’ individuals in the EU by offering them products or services, or if they monitor the behaviour of individuals in the EU.
One-stop shop
One of the most important innovations introduced by the GDPR is the one-stop shop. The GDPR makes it possible for businesses with EU establishments to have their cross-border data protection issues in the EU handled by one DPA acting as a lead DPA. In addition to the lead DPA concept, the GDPR uses the concept of a ‘concerned’ DPA to ensure that the lead DPA model does not prevent other relevant DPAs from having a say in how a matter is dealt with. The GDPR also sets forth a detailed cooperation and consistency mechanism, in the context of which DPAs exchange information, conduct joint investigations and coordinate enforcement actions. In the case of a disagreement among DPAs with regard to possible enforcement action, the matter can be escalated to the EDPB for a final decision. Purely local complaints without a cross-border element can be handled by the concerned DPA at member state level, provided that the lead DPA has been informed and agrees to the proposed course of action. In some member states, such as France, businesses must approach the DPA they consider as their lead DPA by filing a specific form for the designation of the lead DPA.
Accountability
Under the GDPR, businesses are held accountable with regard to their data processing operations and compliance obligations, and the GDPR includes a general accountability principle that requires controllers to be able to demonstrate their compliance with the GDPR’s obligations. The GDPR also imposes a number of specific obligations on data controllers and data processors in this respect. Data controllers are required to implement and update – where necessary – appropriate technical and organisational measures to ensure that their data processing activities are carried out in compliance with the GDPR, and to document these measures to be able to demonstrate such compliance at any time. This includes the obligation to apply the EU data protection principles at an early stage of product development and by default (privacy by design/default). It also includes the implementation of various compliance tools, to be adjusted depending on the risks presented by the data processing activities for the privacy rights of individuals. Data protection impact assessments (DPIAs) are one such tool; they must be conducted in cases of high-risk data processing and certain other specified processing activities, such as those that involve processing of sensitive data on a large scale. Data processors are required to assist data controllers in ensuring compliance with their accountability obligations, including DPIAs, the implementation of appropriate security measures and the handling of data subject rights requests. In addition, data controllers and data processors must implement robust data security measures and keep internal records of their data processing activities. Furthermore, in some cases, data controllers and data processors are required to appoint a data protection officer (DPO), for example, if their core activities involve regular and systematic monitoring of individuals or the processing of sensitive data on a large scale.
The accountability obligations of the GDPR therefore require businesses to have comprehensive data protection compliance programmes in place.
Data breach notification
The GDPR introduced a general data breach notification requirement applicable to all industries. All data controllers must notify data breaches to the DPAs without undue delay and, where feasible, within 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Delayed notifications must be accompanied by a reasoned justification, and the information related to the breach can be provided in phases. In addition, data controllers must notify affected individuals if the breach is likely to result in a high risk to the individuals’ rights and freedoms. Businesses must maintain data breach response plans and take other breach readiness measures to avoid fines and the negative publicity associated with data breaches. Data processors are required to notify data controllers of personal data breaches without undue delay after becoming aware of a breach, but do not have an independent obligation to notify DPAs or affected individuals.
Data processing agreements
The GDPR imposes requirements regarding content that must be included in agreements with service providers acting as data processors. The GDPR requires, for example:
- that data processing agreements include documented instructions from the data controller regarding the processing and transfer of personal data to third countries (ie, outside of the EU);
- the processor to implement appropriate data security measures;
- the possibility for the data controller (or a third party mandated by the data controller) to carry out audits and inspections;
- restrictions on the use of sub-processors; and
- an obligation to delete or return personal data to the data controller upon termination of the services.
The EDPB and some DPAs (such as the Danish, French and Spanish DPAs) have developed template clauses to help businesses ensure compliance with those requirements. In June 2021, the European Commission also issued standard contractual clauses that can be used by controllers and processors within the EU and EEA.
Consent
Under the GDPR, consent must be based on a clear affirmative action and be freely given, specific, informed and unambiguous. Consent language hidden in terms and conditions, pre-ticked boxes or inferred from silence is not valid. Also, consent is unlikely to be valid where there is a clear imbalance of power between the individual and the data controller seeking the consent, such as in employment matters. Electronic consent is acceptable, but it must be clear, concise and not unnecessarily disruptive. In the context of a service, the provision of the service should not be made conditional on customers consenting to the processing of personal data that is not necessary for the service. Further, the GDPR requires data controllers to make additional arrangements to ensure they obtain, maintain and are able to demonstrate valid consent.
Transparency
Under the GDPR, privacy notices must be provided in a concise, transparent, intelligible and easily accessible form to enhance transparency for individuals. In addition to the information that privacy notices already had to include under the previous regime, the GDPR requires that privacy notices specify the contact details of the DPO (if any), the legal basis for the processing, any legitimate interests pursued by the data controller or a third party (where the data controller relies on such interests as a legal basis for the processing), the data controller’s data retention practices, how individuals can obtain a copy of the data transfer mechanisms that have been implemented, information about data recipients and whether personal data is used for profiling purposes. When personal data is obtained from a source other than the individual concerned, the data controller must also inform individuals of the source from which the personal data originated and the categories of personal data obtained. In light of the volume of information required, DPAs recommend adopting a layered approach to the provision of information to individuals (such as the use of a layered privacy notice in a digital context). These transparency requirements require businesses to review their privacy notices regularly.
Rights of individuals
The GDPR strengthens the traditional rights of individuals, such as the rights of access, correction and erasure, and introduces additional rights. For instance, the GDPR strengthens the right of individuals to object to the processing of their personal data. In addition, the GDPR enhances the right to have personal data erased by introducing a ‘right to be forgotten’. The right of erasure generally applies when personal data is no longer necessary or, more generally, where the processing of personal data does not comply with or no longer complies with the GDPR; however, it is subject to restrictions. The additional ‘right to be forgotten’ requires the data controller to communicate a request for erasure of personal data to other data controllers where the data controller has made the personal data public. Furthermore, the GDPR introduces the right to data portability, based on which individuals can request to have their personal data returned to them or transmitted to another data controller in a structured, commonly used and machine-readable format. The right to data portability applies only with regard to automated processing based on consent or processing that is necessary for the performance of a contract. Individuals may also have a right to restrict the processing of personal data in some circumstances, such as while the accuracy of personal data is being verified by the data controller. Businesses need to maintain policies and procedures to give effect to the rights of individuals under the GDPR.
Data transfers
The GDPR maintains the general prohibition of data transfers to countries outside of the EU that do not provide an ‘adequate’ level of data protection, but introduces alternative tools for transferring personal data outside of the EU, such as codes of conduct and certification mechanisms. The previous contractual options for data transfers have been expanded and made easier; regulators may also adopt standard contractual clauses for data transfers to be approved by the European Commission, and it is no longer required to obtain the DPAs’ prior authorisation for transferring personal data outside of the EU and submit copies of executed standard contractual clauses (which was previously required in some member states). In addition, the GDPR formally recognises binding corporate rules (BCRs) – internal codes of conduct used by businesses to transfer personal data to group members outside of the EU – as a valid data transfer mechanism for both data controllers and data processors. As a result of the Schrems II decision, organisations that rely on standard contractual clauses (and other transfer mechanisms, such as BCRs) must assess each data transfer on a case-by-case basis to determine whether there is an adequate level of protection for personal data transferred outside the EU and, where necessary, implement additional technical, contractual and organisational safeguards for the transfer. In addition, the European Commission has issued new standard contractual clauses (SCCs) for international data transfers, which were adopted on 4 June 2021. Furthermore, the UK Information Commissioner’s Office issued an addendum to the EU SCCs and the International Data Transfer Agreement, which was adopted on 2 February 2022. On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework. The EU-US Data Privacy Framework is the successor of the EU-US Privacy Shield Framework that was invalidated as a result of the Schrems II decision. Organisations in the United States participating in the EU-US Data Privacy Framework may freely receive personal data from the EEA on the basis of the adequacy decision.
Administrative fines and right of individuals to effective judicial remedy
In the previous regime, some DPAs (such as the Belgian DPA) did not have the power to impose administrative fines. The GDPR gives this power to all DPAs and introduces high administrative fines that have significantly changed the enforcement landscape. Member state DPAs may impose administrative fines of up to the greater of €10 million or 2 per cent of a company’s total worldwide annual turnover, or the greater of €20 million or 4 per cent of a company’s total worldwide annual turnover, depending on the nature of the violation. In addition, the GDPR expressly enables individuals to bring proceedings against data controllers and data processors, in particular to obtain compensation for damage suffered as a result of a violation of the GDPR. On 4 May 2023, the Court of Justice of the EU issued a decision clarifying that such compensation requires a causal link between the violation of the GDPR and the damage that the individual has suffered.
The EDPB GDPR guidance
The former Article 29 Working Party (WP29), composed of representatives of DPAs, has ceased to exist and was replaced by the EDPB as of 25 May 2018. During its first plenary meeting on 25 May 2018, the EDPB endorsed all the GDPR guidelines adopted by the WP29. In total, the WP29 adopted 16 GDPR guidelines and related documents clarifying key concepts and new requirements of the GDPR, including:
- guidelines on the right to data portability;
- guidelines on DPOs;
- guidelines for identifying a data controller or processor’s lead DPA;
- guidelines on DPIA and determining whether processing is likely to result in a high risk to the individuals’ rights and freedoms;
- guidelines on automated individual decision-making and profiling;
- guidelines on data breach notifications;
- guidelines on administrative fines;
- a BCR referential for data controllers;
- a BCR referential for data processors;
- an adequacy referential;
- guidelines on transparency;
- guidelines on consent;
- an updated working document on BCR approval procedure;
- a revised BCR application form for controller BCRs;
- a revised BCR application form for processor BCRs; and
- a position paper on the derogations from the obligation to maintain internal records of processing activities.
In addition, the EDPB also has adopted guidelines under the GDPR that relate to the following:
- consent under the GDPR;
- the processing of personal data through video devices;
- processing in the context of the provision of online services to data subjects;
- the accreditation of certification bodies under article 43;
- territorial scope;
- derogations from the prohibition on data transfers;
- the use of location data and contact tracing tools in the context of the covid-19 outbreak;
- the processing of data concerning health for the purpose of scientific research in the context of the covid-19 outbreak;
- criteria of right to be forgotten in search engines;
- concepts of controller and processor in the GDPR;
- data protection by design and by default;
- European Essential Guarantees for surveillance measures;
- measures that supplement transfer tools;
- the interplay of the Second Payment Services Directive and the GDPR;
- (member state) restrictions under article 23 (national and public security, etc);
- examples regarding data breach notification;
- connected vehicles and mobility-related applications;
- virtual voice assistants;
- relevant and reasoned objection under the GDPR;
- certification criteria;
- the application of article 65(1)(a) of the GDPR (ie, dispute resolution);
- the targeting of social media users;
- the legal basis for storage of credit card data for the sole purpose of facilitating further online transactions;
- codes of conduct as tools for transfers;
- the interplay between article 3 (ie, territorial scope) and international data transfers;
- right of access;
- the application of article 60 of the GDPR (ie, cooperation procedure);
- deceptive design patterns in social media platform interfaces;
- the calculation of administrative fines;
- the use of facial recognition in the area of law enforcement;
- practical implementation of amicable settlements;
- certification as a tool for transfers;
- identifying a controller or processor’s lead supervisory authority;
- personal data breach notification under the GDPR (update to previous guidelines);
- application for approval and elements and principles to be found in controller BCRs;
- the application of article 37 of the Law Enforcement Directive; and
- the technical scope of article 5(3) of the ePrivacy Directive.
EU member state complementing laws
Although the main objective of the GDPR is to harmonise data protection law across the EU, EU member states can and have introduced additional or more specific rules in certain areas; for example, if processing involves health data, genetic data, biometric data, employee data or national identification numbers, or if processing personal data serves archiving, scientific, historical research or statistical purposes. In addition, EU member state laws may require the appointment of a DPO in cases other than those listed in the GDPR. The German Federal Data Protection Act (as revised in 2019), for example, requires businesses to appoint a DPO if they permanently engage at least 20 persons in the data processing, if they carry out data processing activities subject to a DPIA, or if they commercially process personal data for market research purposes. EU member states may also provide for rules regarding the processing of personal data of deceased persons. The French Data Protection Act, as updated on 21 June 2018, for example, includes such rules by granting individuals the right to define the way their personal data will be processed after their death, in addition to the GDPR rights. In the context of online services directed to children, the GDPR requires parental consent for children below the age of 16, but EU member state law may prescribe a lower age limit, provided it is not lower than the age of 13. This limit is lowered to the age of 13, for example, in the Belgian Data Protection Act and to the age of 14 in the Austrian Data Protection Amendment Act 2018. All EU member states have adopted their new national data protection laws (the most recent law adopted was Slovenia’s Data Protection Act, which entered into force on 26 January 2023). This creates additional layers of complexity for businesses, which should closely monitor these developments in the relevant member states and assess the territorial scope of the specific national rules, where applicable.
In summary, it is fair to say that the GDPR constitutes a robust and mature data protection framework in the EU, while EU member state laws complement that framework. The data protection rules affect virtually any business dealing with personal data relating to individuals in the EU. In addition, the GDPR influences data protection laws in different jurisdictions around the world.
This article first appeared on Lexology.