Background
This article provides an update on the new EU-US Privacy Shield agreement (click here for our earlier piece on this subject) as well as a summary of the EU General Data Protection Regulation.
To recap, in October 2015 the Court of Justice of the European Union ("CJEU") declared the EU-US Safe Harbour agreement invalid. This ended, albeit temporarily, a 15 year old agreement whereby American companies could self-certify that they had sufficient procedures in place to ensure that any data transferred to them from within the EEA would have the benefit of 'adequate protections'. This, it was hoped, would ensure that the fundamental rights of EU citizens were not breached. In return, the self-certifying American companies would be protected from claims against them from data subjects in the EU that their personal data was not being adequately protected when transferred to the US.
The CJEU cited two main areas of concern, the first being over US government access to personal data and the second being the lack of judicial redress available to EU citizens for breaches.
The New Ruling
In February 2016, a new agreement was reached between the EU and US. The EU-US Privacy Shield. Whether or not this new agreement is effectively a 'Safe Harbour MKII' or an entirely new agreement has been a matter for debate.
Who Should Take Note?
Any company, whether situated in the EU or US, which handles EU citizen's data or transfers that data between the EU and US. Online companies in particular should take note, especially those which are 'cloud-based'.
What are the Changes?
The new EU-US Privacy Shield agreement aims to ensure that standards of protection given to EU citizens' personal data in the US, is the same as that in Europe. It seeks to achieve this by:
1. Imposing strong obligations on US companies who process the data of EU citizens and making compliance with European Data Protection Authorities' decisions mandatory.
2. Arranging for the US Department of Commerce to monitor US companies' data protection obligations and making these obligations enforceable under US law.
3. Requiring written assurances from the US Government that it will end indiscriminate mass surveillance of EU personal data and that its access to EU personal data will be subject to clear limitations. To monitor this there will be an annual joint review between the European Commission and the US Department of Commerce.
4. Ensuring greater access to redress for EU citizens over any misuse of their data. This will include referrals to the US Department of Commerce, free Alternative Dispute Resolution and the appointment of a new Ombudsman.
What Should Business Leaders Do in Light of the EU-US Privacy Shield?
We are currently in a period of transition between the overruling of Safe Harbour and the implementation of the Privacy Shield, which could take many months or even years. As such, there is a degree of uncertainty and it would be foolhardy to advise a guaranteed step-by-step method of compliance. The following provide some general considerations to keep in mind when handling or transferring data subject to the Privacy Shield.
1. The Privacy Shield should be treated, at least until further codification and revision occurs, as a completely new agreement and not as a Safe Harbour MKII.
2. It is currently unknown whether companies registered under the old Safe Harbour agreement will be 'grandfathered' across to the new Privacy Shield or whether these companies will need to completely reregister. Further, it could be several months or even years before the Privacy Shield is fully implemented and residual distrust after the failure of Safe Harbour may make this road to implementation an arduous one. It would, therefore, be prudent not to make any drastic company policy changes until the position is clearer.
3. In the meantime, companies should resort to putting in place alternative legal mechanisms such as recognised EU model clauses for transferring data overseas and for group companies, Binding Corporate Rules governing international company policy as per the Article 29 Working Party guidance.
The General Data Protection Regulation ("GDPR")
The GDPR will, when it comes into force, replace all current data protection legislation within EU member states, including the UK Data Protection Act 1998 ("DPA").
The GDPR was adopted by the European Parliament on 14th April 2016 and will be published shortly. It will come into force 20 days following publication. Businesses will then have a two year grace period following which they must be in compliance with the GDPR as it will become directly applicable in every member state.
The GDPR will apply to any entity offering goods and services within the EU which processes the data of UK citizens.
Will the GDPR Change the Current Fundamental Data Protection Principles?
Not in substance. The GDPR consolidates the eight data protection principles contained in the DPA into the following six:
Personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
(c) adequate, relevant and not excessive in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
(f) processed in a manner that ensures appropriate security of the personal data.
Consent
Data controllers must have a legitimate reason for processing data under the GDPR. This mirrors the position under the DPA. Consent of the data subject can be relied on as a legitimate reason, provided it is freely and actively given as well as specific for the purpose in which the data is being processed. Silence and pre-ticked boxes can no longer be relied upon.
Internal Record Keeping
Many of the requirements for data controllers to notify or obtain approval under the current DPA regime will be removed by the GDPR. Instead, data controllers will be required to maintain an internal record to include such details as the reason for processing the data as mentioned above.
Data Subjects' Rights
These have been widened under the GDPR and include new rights for data subjects, such as the right to have their data transferred to another data controller.
Perhaps the most widely publicised area is the newly codified 'right to be forgotten'. This means that data controllers will be required to remove personal data relating to data subjects at their request. The GDPR therefore codifies the 2014 Google v Spain case.
Incorporating Data Protection
The GDPR expects data controllers to incorporate, by default, data protection controls into any new product or company policy from its inception. This includes the creation of impact assessments when processing high risk data, such as a data subject's race or medical records.
Reporting Breaches
The GDPR requires that data controllers notify the relevant DPA as soon as they become aware of any data breaches. Data subjects should also be notified where there is a high risk to their rights and freedoms. There are also additional requirements under which data controllers should notify the Information Commissioner's Office of any breaches.
Data controllers may not need to notify the relevant DPA where they can show that the data breach is unlikely to cause risk to the data subject's rights and freedoms.
Sanctions
The level of potential fines for data protection breaches has been increased to up to 4% of annual global turnover or €20 million. This is much greater than the ICO's current penalty limit of £500,000.
Data Protection Officer ("DPO") Requirement
The GDPR introduces the requirement for companies to appoint a DPO (subject to a number of de minimis thresholds) who will be responsible for ensuring compliance with the GDPR. The DPO can be a member of staff or a contractor and several undertakings may appoint a single DPO.
Binding Corporate Rules
Binding Corporate Rules ("BCR") are given recognition under the GDPR. Data controllers will be able to use BCR as a way of carrying out data transfers within international organisations provided the BCR being relied upon have been approved in accordance with the terms of the GDPR. This will make transferring data far more efficient, as specific authorisation from the relevant DPA will not need to be obtained for every transfer as long as these requirements are met.
What Should Businesses Do in Preparation?
There is a lot to do in the next two years before the GDPR comes into force. All businesses should familiarise themselves with the GDPR and consider its impact on their organisations and the data handling practices which they currently have in place.
Staff, at all levels, should be made aware of the new requirements and given appropriate and thorough training so that data-handling and breach-reporting methods are perfected well in advance of the GDPR's implementation.
New products, services, policies or any other company developments should take into account the new GDPR requirements from the commencement of their design.
Companies should be able to pinpoint a legitimate reason for processing each and every piece of data they handle. If a company relies on consent, as mentioned earlier, this consent should be expressly and actively obtained, with appropriate internal records updated to reflect this.
Finally, companies should ensure that their documentation and policies relating to data processing and privacy are clear and readily accessible.
This article was written by Paul Herbert, Partner, Corporate, with assistance from Alasdair McKenzie, Trainee Solicitor.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
