Info 225 Are you ready to join the Circular Economy?


LEGAL FORUM - 20 April

Data protection compliance: taking your first steps

With the date set for the General Data Protection Regulation to come into force, John Halton, Assistant General Counsel for the Financial Times, outlines steps businesses need to take to prepare, and Laurie-Anne Evra-Ancenys, Senior Associate at Gide Loyrette Nouel Paris, considers where things stand with the Privacy Shield, given recent European Court of Justice rulings.

After years of discussion and debate, we now finally have a date for when the General Data Protection Regulation (GDPR) comes into force: 25 May 2018. From that date, national data protection laws will be replaced by a single, EU-wide regulation.

That may seem a long way off, but for most businesses this is going to set a challenging timetable, with early action required to be ready in time. The new law tightens up the rules for processing personal data, and imposes swingeing fines (up to €20 million or 4% of global turnover, whichever is the greater) for non-compliance.

The changes are wide-ranging, but include:

• Tighter rules on when consent is needed and how it can be given
• Rules to ensure data protection risks are assessed and documented
• An obligation for many businesses to appoint a data protection officer
• Scrapping the £10 fee for subject access requests, which is likely to lead to an upsurge in requests
• ‘Data portability’, enabling users to transfer their data between different service providers
• A requirement to report all data breaches within 72 hours
• Parental consent for processing data relating to children (defined as those aged under 16, though individual states can lower this to 13)
• Direct obligations on data processors as well as data controllers.

The new law will also apply to non-EU companies that provide goods or services to EU residents or monitor EU residents’ behaviour within the EU.

So what are the immediate priorities?

This will vary according to your business, but here are some steps to consider:

• Ensure your senior decision makers are aware of the GDPR and its potential impact
• Start to assemble the teams and working parties you need to prepare for the GDPR
• Consider appointing a data protection officer – there is likely to be a severe shortage of candidates by May 2018
• Start mapping your personal data so you know what you have, where you hold it, which suppliers are processing it for you, and what your legal basis for processing the data is
• Start to update your privacy policies and data capture notices: failure to do so now could mean you lose your ability to use the data in future, if you can’t show you have clear consent where required
• Ensure that contracts with data processors are ‘GDPR-ready’
• Ensure that new products are GDPR-ready, with data protection impact assessments, data protection by design and default, and data portability where required
• Establish procedures for detecting and reporting data breaches.

The future of the Privacy Shield

The ‘Safe Harbour’ adequacy decision was invalidated by the European Court of Justice (ECJ) on 6 October 2015, in the Maximilian Schrems case, as it allowed the Safe Harbour principles to be limited ‘to the extent necessary to meet national security’ of the US without showing how US law may limit such interference to what is strictly necessary. Thus, the Commission’s purpose was to draft a new adequacy decision explaining how personal data transferred to the US is protected from undue surveillance under US law and showing that such protection meets the EU’s standards. On 29 February 2016, the Commission issued a draft adequacy decision, along with 7 annexes, intended to form the future Privacy Shield. These annexes mainly contain letters from the US administration explaining how national surveillance is limited by law and internal mechanisms, and how a new Ombudsman will handle enquiries and complaints from EU authorities and citizens. However, these letters mainly explain US law and do not correct what may fail to meet the EU’s standards. Thus, the Commission admitted in its draft decision that US agencies still intend to conduct bulk collection of personal data and that Europeans’ right to access data held by such agencies may actually be ineffective.

As such, on 13 April, the Article 29 Working Party (comprising the Data Protection Authorities of each EU member state) issued a mitigated (but non-binding) opinion on the draft decision. It outlines that US law does not fully exclude collection of massive and indiscriminate data, while both the Article 29 Working Party and the ECJ have consistently held that such collection is an unjustified interference with the fundamental rights of individuals. It also expressed concerns as to whether the new Ombudsperson will have sufficient powers to work effectively. On 26 and 30 May, the European Parliament and the European Data Protection Supervisor respectively expressed similar concerns. Currently, the Privacy Shield is being discussed by the Article 31 Committee, comprising ministers of each member state; this process may delay the European Commission’s decision.

The future of the Privacy Shield is therefore uncertain: if the Commission finally enacts its adequacy decision despite numerous criticisms, that decision may still be challenged before the ECJ and invalidated just as the Safe Harbour was. Considering such risks, companies intending to transfer data to the US may choose an alternative legal basis such as contractual terms or binding corporate rules.

78 - info - july / august 2016
