The Changing Data Protection Regime in The EU: Why (and What) India Needs to Know
The General Data Protection Regulation (“GDPR”), approved by the European Parliament on 14 April 2016, has caused considerable concern amongst anyone dealing with data protection and privacy regulation. The GDPR applies from 25 May 2018, replacing the Data Protection Directive 95/46/EC. It is especially important because of its wider territorial reach: it affects not only establishments within the European Union (“EU”), but also organisations located elsewhere that process the personal data of individuals who are in the EU.
Further, the GDPR brings in stricter sanctions. It imposes some of the highest penalties for non-compliance of any data protection regime, including revenue-based fines of up to 4% of annual worldwide turnover. The power to fine is coupled with broad investigative powers, including the power to carry out on-site data protection audits, issue public warnings and reprimands, and order specific remediation activities.
‘Consent’ of the data subject continues to serve as a legal basis for processing, as under the current legislation; however, the GDPR sets a higher threshold for valid consent. A summary of how ‘consent’ applies as an exception to the various restrictions under the GDPR can be seen here. The GDPR also makes it considerably easier for individuals to bring private claims against data controllers and processors.
Because of these changes, the GDPR will require organisations to completely rethink the manner in which they collect, process, store, share and erase personal data. These changes are elaborated below.
I. Key Changes Introduced by the GDPR
1. Wider Territorial Scope: The GDPR applies not only to controllers and processors established in the EU, but also to those not established in the EU that process the personal data of individuals who are in the EU, where the processing relates to the offering of goods or services to those individuals (whether or not payment is required) or to the monitoring of their behaviour within the EU. ‘Processing’ of data is to be understood in its broadest sense, meaning any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Overseas organisations caught by these provisions therefore need to take steps to comply with the GDPR, one of which is the appointment of a representative in the EU (Article 27).
The GDPR will apply to your organisation if the answer to any of the following is “Yes”:
- Is your office, branch or agent located in the EU?
- Are you offering goods or services to individuals who are in the EU?
- Are you monitoring the behaviour of individuals who are in the EU?
- Are you a data processor processing, for another organisation, personal data relating to individuals who are in the EU?
2. Higher Threshold for Consent: Under the GDPR, consent must be freely given, specific, informed and unambiguous, and the controller must be able to demonstrate that it was obtained. Recital 43 presumes that consent is not freely given if there is “a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.” Importantly, a controller may not make a service conditional upon consent unless the processing is necessary for that service. Further, consent is presumed not to be freely given if it does not allow separate consent to be given to different processing operations despite this being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is made dependent on consent despite such consent not being necessary for that performance.
3. Liability of Processors: Under the GDPR, processors have direct obligations of their own: they must maintain records of their processing activities, implement appropriate security measures, assist the controller with data protection impact assessments, appoint a data protection officer where the criteria for one are met, comply with the rules on international data transfers, notify the controller of personal data breaches without undue delay, and cooperate with supervisory authorities. A written data processing agreement is mandatory when a processor is appointed (Article 28). Processors will be directly liable to sanctions if they fail to meet these obligations and may also face private claims by individuals for compensation.
The shift from holding only controllers liable to holding both controllers and processors liable means that contracting arrangements between them will require careful review, i.e. to ensure that prospective and existing processors are aware of their duties under the GDPR and act in accordance with them. The controller remains responsible for ensuring compliance with the principles of processing under Article 5, so a failure by the processor to adhere to these principles can also result in the controller being held responsible.
To manage this risk, data protection impact assessments (Article 35) must be carried out before processing that is likely to result in a high risk to individuals begins, in particular where new technologies are used. Such an assessment evaluates the impact of the type of processing that is proposed. Where the assessment indicates that the processing would result in a high risk that cannot be mitigated, the supervisory authority must be consulted before processing starts (Article 36). These exercises should be done sooner rather than later. Current and prospective processors must be vetted to ensure that they have the capabilities the GDPR requires of them, and controllers should audit existing processing activity to confirm that every processor is engaged under a written contract that satisfies Article 28 and meets the minimum requirements.
Further, if a processor oversteps its mandate, for example by determining the purposes and means of the processing itself, it becomes a controller or joint controller in respect of that processing and attracts the full burden of the GDPR. The bottom line is that controllers now have to be more cautious when engaging processors: first, to ensure that processors are aware of their responsibilities under the GDPR, and second, to ensure that the principles of processing are adhered to in the course of the processing.
4. Sanctions and Compensation:
The highest fines are up to 20,000,000 Euros, or in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher. The lower category of fines are up to 10,000,000 Euros or in the case of an undertaking up to 2% of total worldwide turnover of the preceding year, whichever is higher.
In case of multinational businesses, it is possible that fines will be calculated on the basis of group revenues rather than the revenue generated by the processor or controller.
Private Claims by Individuals: Individuals can bring private claims against data controllers and processors before the courts (Article 79). Any person who has suffered “material or non-material damage” as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor (Article 82(1)). ‘Non-material damage’ means that proving a financial loss is not necessary; distress and hurt feelings can ground a compensation claim. Data subjects also have the right to mandate a representative body (a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives in the public interest, and is active in the field of protecting data subjects’ rights and freedoms with regard to their personal data) to exercise their rights and bring claims on their behalf (Article 80).
To reduce the risk of sanctions, corporations can take the following measures:
- Map current data collection and use, and analyse the gap between current compliance and what the GDPR will require;
- Create and implement a remediation plan; and
- Review existing contracts to ensure GDPR compliance.
5. Broad Scope of ‘Data’: Personal data is defined as “any information relating to an identified or identifiable natural person”. The threshold for ‘identifiable’ is set quite low. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Online identifiers, such as internet protocol addresses, cookie identifiers and radio frequency identification tags, are expressly included within the scope of this definition.
The GDPR also deals with special categories of personal data (sensitive data). The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, is prohibited unless one of the exceptions in Article 9(2) applies (for example, the explicit consent of the data subject).
The GDPR also encourages practices such as pseudonymisation and encryption. ‘Pseudonymisation’ is defined as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Pseudonymous data remains personal data and falls within the scope of the GDPR. However, if a breach exposes only the pseudonymised dataset and the separately held additional information (such as the key or lookup table) is not compromised, the data cannot readily be attributed to an identifiable person, the likely harm to affected individuals is lower, and the risk of sanctions falls accordingly. Corporations would benefit further from rendering personal data fully anonymous where the purpose allows, since truly anonymous data is outside the scope of the GDPR altogether; this reduces the volume of data subject to compliance requirements. Directly identifiable personal data should be processed only where the purpose genuinely requires it.
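The definition above turns on the “additional information” being kept separately. The following is an added example (not code from the original article) of what that looks like in practice: direct identifiers in a dataset are replaced by HMAC-SHA256 tokens under a secret key, and the key is the additional information that must live elsewhere (a key vault or HSM, under its own access controls). The sample records, the field names and the candidate list are constructed for illustration. The example also shows why an unkeyed hash is not pseudonymisation: an attacker holding only the dataset can recover an email address by hashing guesses, whereas the keyed token resists the same guess list unless the attacker also holds the key.

```python
"""Pseudonymisation with the re-identification key held separately.

Added illustration, not from the original article. Assumptions: records are
plain dicts, the only direct identifier is the constructed "email" field, and
the key is generated here for the demo (in production it would come from a
separately managed key store, never stored next to the pseudonymised output).
"""
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional, Sequence

# Constructed sample data; the addresses are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "country": "DE", "purchases": 3},
    {"email": "bob@example.org", "country": "FR", "purchases": 1},
    {"email": "alice@example.org", "country": "DE", "purchases": 2},
]
DIRECT_IDENTIFIERS: Sequence[str] = ("email",)


def unkeyed_token(value: str) -> str:
    """Plain SHA-256 of an identifier. Deterministic but trivially reversed by
    hashing candidate values, so it does NOT satisfy the pseudonymisation
    definition on its own."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_token(key: bytes, value: str) -> str:
    """HMAC-SHA256 of an identifier under a secret key. Deterministic, so
    records about the same person stay linkable inside the dataset, but not
    reversible without the key (the separately kept 'additional information')."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[dict], key: bytes,
                 fields: Sequence[str] = DIRECT_IDENTIFIERS) -> List[dict]:
    """Return a copy of the records with direct identifiers replaced by keyed
    tokens. Every other field is passed through unchanged, which is why the
    output is still personal data: country + purchases may single someone out."""
    out = []
    for rec in records:
        new = dict(rec)
        for f in fields:
            if f in new:
                new[f] = keyed_token(key, str(new[f]))
        out.append(new)
    return out


def guess_identifier(token: str, candidates: Iterable[str],
                     key: Optional[bytes] = None) -> Optional[str]:
    """Try to recover the identifier behind a token by hashing guesses.

    key=None models an attacker who obtained the pseudonymised dataset but
    not the key (they can only try unkeyed hashes). Passing the real key
    models the controller re-identifying a record, e.g. to act on an
    erasure request. Returns the matching candidate or None.
    """
    for c in candidates:
        guess = keyed_token(key, c) if key is not None else unkeyed_token(c)
        if hmac.compare_digest(guess, token):
            return c
    return None


def new_key() -> bytes:
    """Fresh 256-bit key; in practice obtained from a separate key store."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    dataset = pseudonymise(SAMPLE_RECORDS, key)
    guesses = ["carol@example.org", "alice@example.org", "bob@example.org"]
    print("attacker without key:", guess_identifier(dataset[0]["email"], guesses))
    print("controller with key: ", guess_identifier(dataset[0]["email"], guesses, key))
    print("unkeyed hash reversed:",
          guess_identifier(unkeyed_token("alice@example.org"), guesses))
```

Two caveats follow from the code. First, because the token is deterministic, the dataset still links all records of one person together, and the remaining fields (here country and purchases) can act as quasi-identifiers; the output is therefore pseudonymised, not anonymised, and stays within the GDPR. Second, the protection is only as good as the separation of the key: if the key is stored in the same database, backup or repository as the tokens, a single breach exposes both and the data is effectively identifiable again.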
6. International Data Transfers: Transfers of personal data to third countries outside the EU are only permitted where the conditions laid down in Chapter V of the GDPR are met. Transfers to a third country, a territory or specified sector within a third country, or an international organisation that the Commission has decided ensures an adequate level of protection do not require any specific authorisation (Article 45(1)). The countries currently covered by such adequacy decisions are Andorra, Argentina, Canada (commercial organisations only), Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, Uruguay and New Zealand. The GDPR also codifies ‘binding corporate rules’ (Article 47), defined in Article 4(20) as personal data protection policies adhered to by a controller or processor established in the EU for transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or enterprises engaged in a joint economic activity. Binding corporate rules provide a basis for international transfers and also promote broader compliance with the GDPR within the group.
Article 46 further allows transfers on the basis of an approved certification mechanism under Article 42, provided that the controller or processor in the third country makes binding and enforceable commitments to apply the appropriate safeguards. Article 49 provides derogations from the prohibition on transferring personal data outside the EU without adequate protection. These derogations include the explicit consent of the data subject to the transfer after having been informed of its risks, the necessity of the transfer for the performance or conclusion of a contract, important reasons of public interest, the establishment, exercise or defence of legal claims, and the protection of the vital interests of the data subject or of other persons where the data subject is physically or legally incapable of giving consent.
Although the rules on cross-border transfers have not been changed fundamentally by the GDPR, non-compliance attracts the higher tier of fines: up to 20,000,000 Euros or, in the case of an undertaking, up to 4% of annual worldwide turnover. Processors and controllers therefore have to analyse carefully what data is going where. Existing transfer mechanisms must be reviewed to confirm that they remain valid under the GDPR and that the conditions attached to them are being met.
7. Privacy by Design: Article 25 and the Recitals of the GDPR require the controller to adopt internal policies and implement measures which, in particular, meet the principles of data protection by design and data protection by default. These policies and measures should not be an afterthought, but should be incorporated at the design stage. Such measures could include minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the processing, and enabling the controller to create and improve security features, among others. When developing or designing an application, service or product, corporations should keep the right to data protection in mind and make sure that controllers and processors are able to fulfil their data protection obligations. By default, only personal data which is necessary for each specific purpose of the processing should be processed.
8. Technical and Organisational Measures for Security: Under Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate, the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures.
9. Records of Processing Activities: Article 30 of the GDPR requires each controller and, where applicable, the controller’s representative, to maintain a record of processing activities under its responsibility; processors must keep a corresponding record of the processing carried out on behalf of each controller. The controller’s record should contain the name and contact details of the controller and, where applicable, of its representative, any joint controller and the data protection officer; the purposes of the processing; a description of the categories of data subjects and of personal data; the categories of recipients to whom the personal data has been or will be disclosed; information about transfers to third countries; where possible, the envisaged time limits for erasure; and a general description of the technical and organisational security measures. Corporations will therefore have to maintain more detailed records of the processing activities they undertake and be prepared to make them available to the supervisory authority on request.
10. Rights of Data-Subjects: Data subjects’ rights have been given unprecedented and significant importance under the GDPR:
- Right of Access and Data Portability: Under Article 15, a data subject has the right to obtain from the controller confirmation of whether their personal data is being processed and, if so, access to that data together with information such as the purposes of the processing, the recipients, the retention period and the source of the data; this applies whatever the legal basis of the processing. Separately, Article 20 gives the data subject the right to receive the personal data they provided to the controller in a structured, commonly used and machine-readable format, and to have it transmitted to another controller. This portability right applies only where the processing is carried out by automated means and is based on consent or on a contract with the data subject; it is not available where the data is processed on other grounds, such as compliance with a legal obligation. Requests may be refused by controllers only if they are manifestly unfounded or excessive. Where a request is accepted, the information must be provided free of charge, within one month of receipt (extendable by two further months for complex or numerous requests), and the controller must give reasons if it does not intend to act on the request. Corporations must therefore analyse whether the personal data they process can readily be exported in a structured, machine-readable format.
- Right to Erasure: Data subjects have the right to have their personal data erased (the “right to be forgotten”) where they withdraw the consent on which the processing is based and there is no other legal ground for it, where the data is no longer necessary for the purposes for which it was collected, where they object to the processing and there are no overriding legitimate grounds which the controller can demonstrate, or where the data has been unlawfully processed. Data subjects also have the right to request the restriction of processing. Corporations should therefore be prepared for such requests, develop methods of erasing data on request, and, to support restriction, find ways to store data in a manner that prevents it from being processed further.
- Right to not be subject to Automated Decision Making: Data subjects have the right not to be subjected to decisions based solely on automated processing, including profiling. Profiling is defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects,” in particular performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement. The right does not apply where the decision is based on the explicit consent of an individual or is necessary for a contract with the individual. When companies engage in profiling, they must ensure that the processing is fair and transparent by providing meaningful information about the logic involved in such profiling. Endeavours must be made to implement procedures which minimize errors and correct any that may be found. Corporations processing data therefore need to invest in communicating with customers to fulfil transparency requirements and also to give due attention to data subjects’ rights.
- Right to rectification: Data subjects enjoy a right to require inaccurate or incomplete personal data to be corrected or completed without undue delay.
- Data Breach Notification: In the event of a personal data breach, the controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the controller must also communicate the breach to the affected data subjects without undue delay (Article 34). Processors are required to notify the controller without undue delay after becoming aware of a breach. Although the requirement hinges on ‘awareness’, controllers are in any event required to implement appropriate technical and organisational measures together with a process for regularly testing, assessing and evaluating their effectiveness, so an organisation cannot rely on simply failing to detect breaches. Failure to comply with the articles on security and breach notification attracts fines of up to 10 million Euros or 2% of annual worldwide turnover, potentially for both the controller and the processor. Organisations found to have deliberately withheld notification can expect the highest fines and damage to their corporate reputation. Building the infrastructure to enable prompt, compliant notification will be a necessity under the GDPR: a breach response policy should be developed, and the technology and staff training needed to handle such a situation put in place.
11. Data Protection Officers: Public authorities, controllers or processors whose core activities consist of processing operations which by their nature, scope or purposes require regular and systematic monitoring of data subjects on a large scale, and controllers or processors whose core activities consist of processing special categories of data on a large scale, are required to appoint a Data Protection Officer (“DPO”) (Article 37). The DPO must report directly to the highest management level, must not receive instructions regarding the exercise of their tasks, and must not be dismissed or penalised for performing those tasks.
Organisations will have to check whether they fall within the categories that require a DPO. Businesses that monitor personal data for advertising purposes, and social media platforms and the like which monitor the online activity of consumers, will also be caught by this provision. The GDPR requires that the DPO appointed has the necessary professional qualities, including expert knowledge of data protection law and practice.
II. Possible Steps to ensure Compliance
- Review the personal data you collect and process and consider your IT security, data protection policies, consent procedures and notice procedures;
- Put in place or review your existing data protection agreements;
- Review the way in which your data subjects are able to manage their privacy preferences;
- Develop a data breach response plan;
- Appoint and train a data breach response team to assist your business in managing any data breaches; and
- Ensure you understand the key duties and responsibilities of a Data Protection Officer.
Information that should be included in Privacy Policies to comply with GDPR:
- Who you are;
- That you will collect and process personal data fairly and only for specific (and stated) purposes;
- What you are collecting;
- How customers can keep their personal data up to date and accurate;
- Your contact details as well as the details of your DPO;
- Why customer data is being collected, and how long it will be kept for;
- How the customer can access the data, update it or have it removed;
- The contact details of the supervisory authority; and
- Whether the data will be transferred outside of the EU, and if so, where it is going and how well it will be protected.
The GDPR brings a sea-change in the existing data protection regime. The requirements for privacy by design and by default reflect an unprecedented seriousness towards data protection, as do the strict sanctions. The GDPR also empowers individuals to know what is being done with their data and to fight for their rights when they are infringed. This should encourage corporations and businesses to reflect on their data collection and use practices and start creating more effective, GDPR-compliant data protection policies. Indeed, the most effective strategy in this regard is to minimise the amount of data that falls within the scope of the GDPR. At the end of the day, the engagement of senior management and the appointment of competent DPOs and processors will be essential for ensuring that your business is ready to face enforcement of the GDPR. Indian businesses that collect, store and process data of persons in the EU have until May 2018 to spring into action, correct loose practices and ensure compliance.