Consequences of the EU General Data Protection Regulation
Article by Dr. Sebastian Kraska (attorney and External Data Protection Officer)
The new EU General Data Protection Regulation is meant to standardize European data protection law. The new regulation, which will enter into force in the first quarter of 2018 based on current planning (while approval of the EU Parliament is still outstanding), will discontinue the previous concept of a European data protection directive (which had established the general principles under data protection law) and the data protection regulations of individual states building on this, and will replace it with an EU General Data Protection Regulation applying directly in all EU member states.
General data protection principles essentially retained
The EU General Data Protection Regulation at its core continues the existing general principles under data protection law. The principles of “data minimisation,” “purpose limitation,” “prohibition with reservation of permission,” and “transparency” are also reflected in the new structure of the regulation (for details see Article 5 “Principles relating to personal data processing” of the new EU General Data Protection Regulation).
The “prohibition with reservation of permission” in particular had recently faced major controversy (now set forth in Article 6 “Lawfulness of processing” of the new EU General Data Protection Regulation). Accordingly, data processing events are permitted only if the individual has consented, the data processing is necessary to perform a contract, or another exception stated in the provision applies. In practice, this regulatory approach limits big data applications and the opportunities to exploit such data. Here, even more rigorously than before, it will be necessary to ensure the use of processing technologies that are amenable to data protection (see also Article 23 “Data protection by design and by default” of the new EU General Data Protection Regulation).
Consequences for manufacturers
For manufacturers in Germany, the consequences of the EU General Data Protection Regulation will remain manageable (although the regulatory environment will become more complex, so that, at least initially, greater effort and expense are to be expected for converting to the new legal provisions). Minimum standards for business practices already known from the German Federal Data Protection Act will essentially be continued:
- If data processing events are outsourced, the details must be defined in an accompanying controller-processor agreement (Article 26 “Processor” of the new EU General Data Protection Regulation)
- Central processes must be documented in writing (Article 28 “Records of processing activities” of the new EU General Data Protection Regulation)
- Companies must appoint a data protection officer (the new EU General Data Protection Regulation provides for an appointment obligation if the focus of activity lies on data processing or if member states additionally provide for an appointment duty) (Article 35 “Designation of the data protection officer” of the new EU General Data Protection Regulation)
- Employees involved in data processing are to be trained in data protection by the data protection officer (Article 37 “Tasks of the data protection officer” of the new EU General Data Protection Regulation)
- The company must provide a state-of-the-art IT landscape (Article 30 “Security of processing” of the new EU General Data Protection Regulation)
- In the event of specified data loss scenarios, the affected parties and the data protection regulatory authorities must be notified (Article 31 “Notification of a personal data breach to the supervisory authority” and Article 32 “Communication of a personal data breach to the data subject” of the new EU General Data Protection Regulation)
Relationship to national law
Discussions in upcoming years will also be accompanied by the question of the relationship to national law.
For instance, on an entire series of key points, the regulation provides for the possibility of creating special provisions by means of national law. The EU General Data Protection Regulation therefore will not completely harmonize data protection law in the European Union. This compromise had become necessary most recently in the trilogue negotiations, especially with the EU Council, which had introduced opportunities for relevant deviations into the negotiations on a large scale (the present EU General Data Protection Regulation is a legal construct somewhere between a directive and a regulation).
For a number of topics, national deviations are possible, and there is also currently no answer to the question of how applicability of the national provisions will be determined in detail. We have prepared a selection of possible deviations below:
- Details on the definition of the “controller” (Article 4 (5) “Definitions” and Article 24 “Joint controllers” of the new EU General Data Protection Regulation)
- Details on the definition of the “recipient” (Article 4 (7) “Definitions” of the new EU General Data Protection Regulation)
- Structure of separate national elements constituting permission for processing personal data (Article 6 (2a) “Lawfulness of processing” of the new EU General Data Protection Regulation)
- Lowering the age limit for consent by children to up to 13 years old (Article 8 (1) “Conditions applicable to child’s consent in relation to information society services” of the new EU General Data Protection Regulation)
- Structure of separate national elements constituting permission for processing special categories of personal data (Article 9 (2) (4) (5) “Processing of special categories of personal data” of the new EU General Data Protection Regulation)
- National special regulation/restriction of the data subject’s rights to information (Article 14a (4c) (4d) “Information to be provided where the data have not been obtained from the data subject” of the new EU General Data Protection Regulation)
- Restriction of the right to data deletion of the subject (Article 17 (3b) “Right to erasure (‘right to be forgotten’)” of the new EU General Data Protection Regulation)
- Restriction of the prohibition of automated individual decisions (Article 20 (1 a b) “Automated individual decision-making, including profiling” of the new EU General Data Protection Regulation)
- Application restrictions of all rights of the subjects (according to Articles 12 to 20), including the general data protection principles (Article 5) and the notification duty in the event of data loss (Article 32) (Article 21 “Restrictions” of the new EU General Data Protection Regulation)
- Creation of national data processing specifications for data processors (Article 27 “Processing under the authority of the controller and processor” and Article 30 (2b) of the new EU General Data Protection Regulation)
- Stricter requirements for preliminary control (prior checking) of new data-processing systems (Article 33 (5) “Processing under the authority of the controller and processor” of the new EU General Data Protection Regulation)
- Expansion of the appointment conditions of a data protection officer (Article 35 (4) “Designation of the data protection officer” of the new EU General Data Protection Regulation)
- Facilitation of data transfers to places outside the European Union (Article 44 “Derogations for specific situations” of the new EU General Data Protection Regulation)
- Creation of national exceptions from regulatory principles with respect to data processing events for the purposes of journalism (Article 80 “Processing of personal data and freedom of expression and information” of the new EU General Data Protection Regulation)
- Specific structure for use of a national identification number (Article 80b “Processing of national identification number” of the new EU General Data Protection Regulation)
- Creation of national special regulations for the processing of employee data (Article 82 “Processing in the employment context” of the new EU General Data Protection Regulation)
- Creation of national exceptions to regulatory principles for data processing events for archiving purposes (Article 83 “Safeguards and derogations for the processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes” of the new EU General Data Protection Regulation)
- Creation of special national secrecy obligations (Article 84 “Obligations of secrecy” of the new EU General Data Protection Regulation)
In addition, the question may be raised in Germany on the relationship between the EU General Data Protection Regulation and the fundamental right established in constitutional law for the right to informational self-determination and on whether the constitutional requirements have been sufficiently heeded in this respect.
The question of whether a constitutional right originally conceived as essentially a defensive right of the individual against government data collection can now yield to a provision intending the regulation per se of private economic data processing in conformity with the constitution likewise appears worthy of discussion.
Given the complexity of the EU General Data Protection Regulation, the question of whether it will satisfy the minimum standard of legal certainty (especially legal clarity) as required by constitutional law is also in play.
Changes especially for data-driven companies and corporations
Relevant adjustments will result especially for data-driven companies. For instance, the following regulatory adjustments in particular will have to be taken into account:
- The principle of territoriality previously applicable under the EU Data Protection Directive (and markedly diluted recently by the European Court of Justice) is in effect replaced by a market location principle. If an offer is directed at a specific national market, it will therefore also be subject to that country’s data protection supervision (Article 4 (19 a b) “Definitions” of the new EU General Data Protection Regulation).
- It will often be possible to base the conditions for processing personal data on “legitimate interests,” so these conditions will tend to be relaxed (this applies similarly to data processing within a corporate group, which will be made easier).
- The work of data protection authorities is to be harmonized. The creation of a “European Data Protection Board” is meant to establish a uniform agency to interpret European data protection law (Article 58 “Opinion by the European Data Protection Board” of the new EU General Data Protection Regulation).
- The sanction framework is being drastically increased. In an extreme case, fines of up to 4% of global annual revenues may be imposed. Since fines must remain proportionate, a fine of that magnitude would presumably be rare in practice, but it has drawn a great deal of attention in public discussions (Article 79 (3a) “The general conditions for imposing administrative fines” of the new EU General Data Protection Regulation).
- Creation of a trans-European obligation to appoint a data protection officer if the business model is essentially based on the processing of personal data or national provisions establish additional appointment duties (Article 35 “Designation of the data protection officer” of the new EU General Data Protection Regulation).
- With respect to controller-processor relationships, the processor will bear responsibility under data protection law much more than was the case under the German Federal Data Protection Act (e.g., Article 30 “Security of processing” of the new EU General Data Protection Regulation; Article 79 “General conditions for imposing administrative fines” of the new EU General Data Protection Regulation).
- Creation of legislative provisions for data protection certifications at the European level (Article 39 “Certification” of the new EU General Data Protection Regulation) and the obligation to implement technology that is amenable to data protection from the outset (Article 23 “Data protection by design and by default” of the new EU General Data Protection Regulation).
Next steps
Companies are strongly advised to use the time before the new European data protection law takes effect in 2018 to review their own data processing processes to determine if there is any need to make adjustments. With respect to introducing new systems, the new EU data protection regulations should also be taken into account to the extent possible.
About the author
Dr. Sebastian Kraska, attorney, is an expert in the area of commercial data protection law and together with a team of regional partners, provides services to companies throughout Germany as an external Data Protection Officer.