The future of Data Protection throughout the EU has now been decided. The text of the new EU Data Protection Regulation has been finalised. This will be formally adopted by the European Parliament and Council at the beginning of 2016. It will come into force two years thereafter.
Most of the big talking points over the last few years have been survived in one form or another but with some surprises. In this blog post I’ll give you and overview of some of these, then over the next few months we’ll start looking at individual areas in subsequent posts and see what this means for us here in the UK.
The Regulation does indeed apply to any entity offering goods or services (regardless of payment being taken) and entity monitoring the behaviours of citizens residing within the EU. There is still the requirement to establish a representative within the EU but it means that entities are now directly responsible for compliance with this regulation (and not just their EU based entity) if they are processing in any way EU citizen personal data.
Pseudonymisation, Profiling, Genetic Data, Biometric Data are all specifically defined in the regulation and very much as you would expect. There is however a new definition for health data that now outlines not only that health data is anything relating to the mental or physical health of a person but also any information that can reveal information about their health status. This means that it is very clear that, for example, if a list of email addresses on a mailing list for people who receive HIV treatment is disclosed that is a definite and clear disclosure of health data and not just personal data.
There are now six Data Protection principles which broadly cover the same themes as previously. Personal data must be:
1. Processed fairly, lawfully and in a transparent manner. Now as previously discussed this transparent manner now requires controllers to provide more information to the data subject at point of collection but also when any changes to that processing occurs as well. For example, if the information is used for a purpose other than that for which it was originally collected (which doesn’t go against other rules of the regulation of course)?
2. Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with the original purpose. Which some exceptions for further processing for archiving, public interest or research purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes. This now brings in the talked about “data minimisation” principle which we have already seen, but not quite as explicit as this new regulation lays out.
4. Accurate & kept up to date. No real changes here, this remains the same.
5. Kept in a form that permits identification no longer than is necessary. Again with exceptions for archiving and research purposes.
6. Processed in a way that ensure appropriate security of the personal data. So no major change here except an explicit reference to “integrity and confidentiality” of the personal data.
Where consent is required in order to legitimise the processing (which is limited under the regulation) then the controller must be able to demonstrate clearly that he has clear & unambiguous consent for each purpose that consent is required.
The regulation now also states that for “Information Services” if information is to be processed on a child of under 16 years of age then consent must be obtained from the parent. The regulation does however allow member state laws to lower this threshold where appropriate but not below the age of 13 years.
Special Categories of Personal Data:
So the “Sensitive Personal Data” as known under the Data Protection Act as a term has now gone and instead been replaced with the term that a few EU countries use which is “special categories”. These are broadly similar to the current list however the definition is now any data “revealing” racial or ethnic origin, political opinions, religions or philosophical beliefs, trade-union membership, genetic or biometric data (processed for the purpose of identifying someone), data concerning health or sex life and sexual orientation.
Data Subjects Rights:
The list of rights that a Data Subject can exercise has been widened (sort of). There are some new things in here but most of this is a reshuffling of existing rights. It’s also worth noting that controller must also provide clear, transparent and electronic methods of the data subject exercising said rights. The list now includes;
Restriction of processing,
Right to object (to marketing, profiling, research)
Right to object to automated individual decision marking (including profiling).
Right to lodge a complaint with a supervisory authority
Data Protection by design & Data Protection Impact Assessments:
Data Controllers are expected to include data protection controls at the design stage and can certify that they have such controls via approved certification schemes.
Where a new technology etc is looking to collect personal data that poses potentially high risks to personal data the controller shall, prior to the processing, carry out a Data Protection Impact Assessment. Supervisory Authorities can then also produce lists as to what sort of processing would warrant such an assessment and what ones would not. These assessments, where appropriate, may also need the input from Data Subjects and indeed the supervisory authority.
While notification to a regulator has gone Article 28 now requires controllers to keep a similar record of all purposes, joint controllers, data categories, recipients (can be categories), transfers to third countries, time limits for erasure and a general description of the technical & organisational measures in place protecting this data.
That highly discussed breach notification point has finally come down to 72 hours. So the regulation now outlines that controllers have 72 hours from being made aware of the breach to notify the supervisory authority. You can however notify later providing you have a “reasoned justification”.
And now the really juicy stuff. Fine amounts. As predicted these are “staggered” so that not all breaches will result in 20 million Euros.
For breaches / non-compliance of the following you can receive a fine of up to 2% of global annual turnover (for undertakings) or 10 million euros. The regulation doesn’t outline automatic fines for single breaches but instead allows supervisory authorities (through their cooperation mechanism) to agree a framework for ‘qualification’ for fine amounts based on the extent of the non-compliance.
- Consent for children’s data (article 8)
- Processing not requiring identification (article 10)
- Data Protection by Design (article 23)
- Joint Controllers (article 24)
- Representatives of the controller within the EU (article 25)
- Processors (article 26)
- Processing under the authority of the controller and processor (article 27)
- Records of processing activities (article 28)
- Co-operation with the supervisory authority (article 29)
- Security of processing (article 30)
- Notification of the breach (article 31)
- Communication to data subject of the breach (article 32)
- Data Protection Impact Assessment (article 33)
- Prior consultation (article 34)
- Designation of the Data Protection Officer (article 35)
- Position of the Data Protection Officer (article 36)
- Tasks of the Data Protection Officer (article 37)
- Certification (article 39)
For breaches of the following you can receive a fine of up to 4% of global annual turnover for undertakings or 20 million euros.
- Principles of Data Protection (article 5)
- Lawfulness of processing (article 6)
- Conditions for Consent (article 7)
- Processing special categories of personal data (article 9)
- Rights of the Data Subject (articles 12-20)
- Transfer of personal data to third countries (article 40-44)
- Powers of the Supervisory Authority (article 53)
Data Protection Officer:
Good news DPOs we have a future! Our future isn’t as “all powerful” as the first text but it does pretty much cement the Data Protection Officer as a key role within a public body and medium to large private enterprises. Key points are;
- Controllers can have 1 appointed to multiple entities taking into account their structure and size.
- Officer shall have expert knowledge in Data Protection law & practices.
- Can be a staff member or contractor.
- Their contact details must be published to data subjects and the supervisory authority.
- Should be involved in all matters affecting personal data.
- Shall be protected from being dismissed / coerced while performing their duties under the regulation.
- DPOs are to inform staff of the controller of their responsibilities under the regulation & monitor the controller’s compliance with its responsibilities.
International Data Transfers:
So, no major changes here but some key emphasis that is worthy of being aware of. The Commission retains the right to decide on the “adequacy” of third countries and will continue to publish and control the safe list. Standard Model Contract Clauses are also a viable method for transfer and now Binding Corporate Rules are explicitly outlined as a method of transfer too.
The bulk of the wording here is nothing new. They need to be independent, monitor compliance, and be proactive in producing guidance and standards etc. but there are some subtle changes. The authority has the powers to;
- Order the controller, processor or representatives of either to provide information in relation to its objective.
- Carry out investigations in the form of audits.
- Review certifications
- Notify of infringements
- Obtain from the controller / processor access to any personal data in relation to its objective
- Obtain access to premises including access to equipment (in line with local law)
- Issue warnings, reprimands, orders to comply, order controller to inform a subject of a breach, impose a ban on processing, order a rectification, issue a fine and order a suspension of international data flows
That’s it for this post but there is a lot more content in the DP regulation and I should imagine a few more discussions and blogs to come looking at specific areas and what this means for the future. As always it will be a practical discussion on what this means in real terms.
All that’s left is to wish you a peaceful and restful festive period and I very much look forward to discussions and working with you as we go into 2016 and ever closer to the regulation being here!
Scott Sammons is an Information Risk and Security Officer in the Medico-Legal Sector and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate.