GDPR and International Privacy
Key Provisions
1. New requirements for processing data
2. Individual rights
3. Notification of security breaches
4. Designation of data protection officers
5. Sanctions of up to 4 percent of worldwide revenue
6. Rules for international transfers
Under the broad definition, companies in the EU are covered by the GDPR, and companies doing business in the EU have a legal obligation to comply with these comprehensive privacy requirements.
General Principles
7 key principles:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability
More details on these in upcoming slides.
Data Subject Rights
A huge part of the GDPR is providing individuals with control over their personal data. To allow individuals to exercise such control, the GDPR provides the following 8 rights:
1. The right to be informed (transparent communication and information)
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. The right NOT to be subject to automated decision-making
More details on these rights in upcoming slides. Controllers are responsible for facilitating the exercise of these rights and must respond to rights requests within one month of receipt of the request (or, where necessary, within three months), in writing or, if requested, orally.
Complaint Process
An administrative complaint can be initiated by a data subject or by a DPA. A data subject can file an administrative complaint with a DPA. A data subject can also file complaints with the courts in EU Member States: where the alleged issue occurred, where they reside, or where they work. A DPA can initiate a complaint or can address a complaint filed by a data subject. Once a DPA has a complaint, there must be an assessment to determine whether more than one DPA has a similar complaint, and a lead DPA must be determined. After assessing the complaint, the DPA must decide whether to impose an administrative fine.
The data subject has the right to bring the complaint to a national court if: (1) the data subject is not satisfied with the decision of the DPA, or (2) the DPA does not inform the data subject, within 3 months, of the outcome of the complaint or of the progress on the complaint. Also, the data subject has the right to seek a judicial remedy against the controller or processor. The judicial proceeding against the controller or processor should take place in the EU Member State (1) where the controller or processor is established, or (2) where the data subject has "habitual residence".
(5) Data Subject Rights: Right to Restriction of Processing
As an alternative to the right to erasure, data subjects have the right to restriction of processing, which allows them to limit the way their personal data is processed. The GDPR defines restriction of processing as "the marking of stored personal data with the aim of limiting their processing in the future." Methods of restriction include temporarily moving data to another system, making personal data unavailable to users, or removing data from a website. The right applies where:
- The accuracy of the personal data is contested, and the controller is verifying the accuracy.
- The processing is unlawful and the data subject prefers to have the use of their personal data restricted rather than having it erased.
- The controller no longer needs the personal data, but the data subject requires it for the establishment, exercise or defense of legal claims.
- The data subject has objected to processing pursuant to the GDPR, and the controller is verifying whether its legitimate grounds override those of the data subject.
Controllers must communicate any rectification or erasure of personal data to each recipient to whom they have disclosed the personal data, unless this is impossible.
Schrems II
At the writing of this book, there is a pending lawsuit regarding the lawfulness of SCCs, along with pending litigation about Privacy Shield. The outcomes could have a major impact on the future mechanisms for data transfers between the EU and the US. Schrems II is a (pending) case in which the legality of SCCs has been challenged in the EU. The case has been referred to the EU's highest court, the European Court of Justice, to determine whether SCCs may be used to transfer data to the US. This case is again based largely on the fact that the US government can conduct national security surveillance on data that enters the country. The implications of the decision could be staggering if the EU's highest court decides to limit flows of personal data based on the existence of US surveillance practices. In essence, the court's opinion could invalidate some or all legal bases for transfer of data to the US.
Consent
Consent is foundational to the GDPR. For US practitioners, the definition of consent in the GDPR may be much more detailed and elaborate than expected. Consent is defined as a freely given, specific, informed and unambiguous indication of the data subject's wishes. For consent to be valid under the GDPR, the business must provide the data subject with the following for the consent to be deemed informed:
- The controller's identity
- The purpose of the processing for which consent is sought
- The types of data that will be collected
- Information about the right to withdraw consent
- Information about automated processing
- The risk of transfers outside Europe
Under the GDPR, a data subject may express their consent by statement or by CLEAR affirmative action.
Data Protection Authorities (DPAs)
DPAs are responsible for enforcing data protection laws at a national level and for providing guidance on the interpretation of those laws. DPAs are independent public authorities that investigate and enforce data protection laws. There is one DPA in each EU Member State (meaning a country in the EU), with the exception of Germany, which has a federal DPA with jurisdiction over the public sector and 16 Länder (state-level) DPAs with jurisdiction over the commercial sector.
(4) General Principle: Accuracy
Data must be accurate and kept up to date. This principle requires that every reasonable step is taken to ensure that personal data that are inaccurate are erased and rectified without delay.
(4) Data Subject Rights: Right to Erasure ("Right to be Forgotten")
Data subjects have the right to have personal data erased in certain circumstances. This right is known as the right to erasure or the "right to be forgotten." The right applies where:
- The personal data are no longer necessary...[for] the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based...and where there is no other legal ground for the processing.
- "The data subject objects to processing [based on legitimate interests] and there are NO overriding legitimate grounds for the processing."
- "The personal data have been unlawfully processed."
- The personal data have to be erased for compliance with a legal obligation.
- The personal data have been collected...[to offer] information society services [to children].
Under a valid erasure request, a controller must delete the relevant personal data, including from backup systems, unless an exemption applies, such as processing necessary to comply with a legal obligation or for the establishment, exercise or defense of legal claims. Further, where a controller has made the personal data publicly available online, the controller must use reasonable measures to inform other controllers processing the personal data to erase any links to or copies of the personal data.
European Economic Area (EEA)
EU and Norway, Liechtenstein and Iceland
GDPR Fines
Fines for violations of the GDPR can be as much as 4 percent of worldwide revenues. For example, for a company with worldwide revenue of $1 billion, the maximum fine is $40 million.
Levels of Fines
For companies, it is important to understand that the GDPR has two levels of fines. Higher-level fines can be up to 4 percent of global annual revenues. Lower-level fines can be up to 2 percent of global annual revenues.
Higher-level fines focus on infringements related to the basic principles of processing (including conditions of consent, lawfulness of processing, and processing of special categories of personal data), the rights of data subjects, and transfers of personal data to a recipient outside of the EU. In this higher-level category, the maximum fine is the greater of 20 million euros or 4 percent of global revenue.
Lower-level fines include infringements related to integrating data protection by default or by design, records of processing, cooperation with DPAs, security of processing data, notification to DPAs of a data breach, communication of a data breach to data subjects, and designation of a DPO. For the lower-level category, the maximum fine is the greater of 10 million euros or 2 percent of global annual revenues.
In addition to these fines, Member States are permitted to impose criminal sanctions for violation of the GDPR. As of the writing of this book, at least 10 countries have adopted criminal sanctions.
Notice Requirement from Controllers
The GDPR requires controllers to report data breaches to the relevant DPA within 72 hours of becoming aware of a breach, where feasible. Controllers are "aware" of a breach when they have a reasonable degree of certainty that a security incident has compromised personal data. If they cannot make that deadline, they must provide the reason for the delay with the notification. Controllers are NOT required to report a breach if it is unlikely to result in a risk to individuals' rights and freedoms, but controllers must still document the details of the breach. If a data breach occurs that is likely to result in a high risk to individuals' rights and freedoms, the controller must notify affected data subjects without undue delay. These notifications must be in clear and plain English. Controllers do not need to notify data subjects if the risk is low (for example, the data was encrypted) or if they have suspended the affected accounts.
Global Data flows
The GDPR has strict rules concerning European data traveling to a third country. US practitioners may be unfamiliar with this concept. Companies should pay close attention to the legal bases needed to move data from Europe to the US. Under the GDPR, transfers of personal data from the EU and Norway, Liechtenstein and Iceland (together known as the European Economic Area, or EEA) to non-EEA countries or international organizations are prohibited unless one of the following transfer mechanisms can be relied upon:
- An adequacy decision: personal data is permitted to flow freely to countries that have adopted legal protections that EU law deems "adequate." The US and Canada have not received full adequacy yet.
- Appropriate safeguards (e.g. standard contractual clauses, binding corporate rules).
- A derogation (e.g. explicit consent). A derogation is an exception; there are exceptions that allow data transfer under specific guidelines.
A transfer of personal data does NOT include personal data merely in transit from one EEA country to another EEA country via a non-EEA country.
GDPR May 2018
General Data Protection Regulation
Notice to Data Subjects
If a data breach occurs that is likely to result in a HIGH risk to individuals' rights and freedoms, the controller must notify affected data subjects without undue delay. At a minimum, the notification must be in "clear and plain language" and must include:
- The name and contact details of the DPO (or appropriate person)
- The likely consequences of the data breach
- Any measures taken by the controller to mitigate the breach
Note that the controller is exempted from notifying data subjects when (1) the risk of harm is low because the affected data is protected (such as encrypted data), (2) the controller has taken steps to protect the data subject from harm (such as suspending accounts), or (3) the notice would impose disproportionate effort on the controller (in which case a public notice of the breach is still required).
Key Terms in the GDPR
Include:
- Personal data
- Sensitive personal data
- Data subject
- Controller
- Processor
- Consent
- Data protection authority (DPA)
- Data protection officer (DPO)
More details on these in following slides.
Examples of different Privacy Notices
- Layered approach: a short overview of key information linking to additional layers of detailed information.
- Just-in-time notices: information relevant to the personal data about to be collected.
- Privacy dashboards: information and privacy preferences management in one centralized area.
(3) General Principle: Data Minimization
Only collect and process what is REALLY needed! Also, data that is no longer needed must be deleted or anonymized, and any data retention period must be limited to a strict minimum.
Personal data definition under GDPR
Personal data is defined broadly under the GDPR as any data that relates to "an identified or identifiable natural person." This means a person who can be identified directly or indirectly. If pieces of data can be grouped together and lead to an identification, the pieces constitute personal data. Data that has been deidentified, encrypted, or pseudonymized remains personal data if it can be used to reidentify the person. Data is ONLY considered "anonymized" if the process used is irreversible. Examples of personal data include:
- First and last name
- Home address
- Email address including a first and last name
- Identification card number
- Location data
- IP address (often NOT PII in the US)
- Cookie ID (often NOT PII in the US)
- Advertising identifier on a phone
- Data held by a doctor or hospital, even when separated from the patient's name
(2) General Principle: Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes and in compliance with all applicable laws. The purpose limitation principle also requires that personal data not be further processed (any processing activity following collection, such as storage) in a manner that is incompatible with the original purpose for which it was collected. Whether further processing is incompatible will need to be assessed on a case-by-case basis, considering the following key factors:
- The relationship between the purposes of collection and the purposes of further processing.
- The nature of the personal data and the safeguards adopted to ensure fair processing.
- The reasonable expectations of the data subjects and the impact of the further processing on the data subjects.
The GDPR makes it clear that further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is NOT considered to be incompatible with the original purposes.
(5) General Principle: Storage Limitation
Personal data must be kept for no longer than is necessary for the purpose of processing (interlinked with data minimization). Companies should set time limits for data retention and this should reflect the purposes of processing, legal obligations, and industry best practices. It is important to note: The GDPR does allow the storage of personal data for longer periods if processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
(1) General Principle: Lawfulness, Fairness & transparency
Processing of personal data must be lawful and fair. This means that companies should have a legal basis for processing personal data and that data subjects should be made aware of the rules and safeguards, as well as the risks, associated with their data. In addition, processing of personal data must be made transparent to data subjects so that they understand to what extent personal data concerning them are or will be processed. Transparency requires that any communication (such as a privacy notice) be concise, easily accessible, and written using clear and plain language that is easy to understand (especially when providing information to children).
Notice Requirements for Processors
Processors are required to notify controllers "without undue delay" after discovering a breach. Controllers should strongly consider including specific instructions for how to handle this notice requirement in the contract between controller and processor.
(1) Data Subject Rights: The right to be informed of transparent communication and information
Providing individuals with control over their personal data is only possible when they understand what a company is doing with their personal data. To help ensure that data subjects are properly informed, and as part of the principle of transparency, the GDPR requires that controllers provide certain information on their processing and handling of personal data to data subjects when they collect personal data. This is commonly referred to as a privacy notice. Where personal data is not collected directly from data subjects, the data subjects must be informed of details they would not otherwise be aware of, such as the source of the personal data concerned.
Sensitive Personal Data definition under GDPR
Sensitive personal data is a special category of "personal data" that receives additional protections under the GDPR. Sensitive personal data includes:
- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
Unless an exception applies under the GDPR, sensitive personal data requires the business to obtain "explicit consent" from the person to process the data for a specified purpose.
(8) Data Subject Rights: Right Not to be Subject to Automated Decision-Making
Similar to the right to be informed, the right not to be subject to automated decision making applies without any action by data subjects. This right is in the form of a general prohibition on fully automated decision-making, including profiling, that has a legal or similarly significant effect (eg cancellation of a contract, entitlement to or denial of a social benefit, or denial of citizenship). A controller cannot carry out such processing unless the decision is (1) necessary for the performance of a contract between the data subject and controller (2) authorized by law (eg, monitoring and preventing fraud) or (3) based on the data subject's explicit consent.
Enforcement
Some people think that the major difference between the 1995 Data Protection Directive and the GDPR relates to fines. In the 1990s, EU data protection law was often aspirational. Today, with significant fines part of the picture, EU data protection law is a compliance regime. With fines as large as 4% of worldwide revenues, it is important for companies to understand the complaint process, liability for compensation, and the levels of fines.
Data Protection Officer (DPO)
The DPO is the primary point of contact on data protection issues within a business that is based in the EU. The DPO facilitates and reviews the company's GDPR compliance. With regard to qualifications, the DPO must have expertise in data protection law relevant to the data processing of the company. Critically, the DPO must NOT have any conflicts of interest, meaning the DPO must NOT have duties related to processing personal data that conflict with duties related to monitoring. Which entities must appoint a DPO? The answer is NOT based on the entity being a controller or a processor. Several key factors determine the need for a DPO:
- Are the data subjects from the EU?
- Is the data in/from the EU?
- Is there large-scale monitoring of data subjects?
- Is there large-scale processing of sensitive personal information?
- Where is the company based?
Importantly, the term Data Protection Officer (DPO) is used to refer to the representative for companies BASED in the EU. For companies that do NOT have a physical presence inside the EU, the company must appoint an "EU representative", notably someone who is subject to enforcement proceedings pursuant to the GDPR. For non-EU companies with subsidiaries in the EU, the picture is somewhat complex.
Breach Notification and Response
The GDPR defines a data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed." Since the GDPR definition of personal data is broader, the concept of a data breach is also broader under the GDPR than under US laws. Fines for data breaches can be up to 4 percent of a company's worldwide revenues.
(6) Data Subject Rights: Right to Data Portability
The GDPR further strengthens data subjects' control and access to their personal data with the right to data portability. This right allows data subjects to port data to themselves or to another controller. Data subjects may request that the data is provided in a structured, commonly used, and machine-readable format such as CSV or Excel files. The right only applies: (1) to personal data provided by the data subject (actively and knowingly provided by the data subject or observed data provided by the data subject through the use of the service or device such as search history or location data) (2) where the processing is based on consent or the performance of a contract, and (3) the processing is carried out by automated means. The right to data portability cannot adversely affect the rights and freedoms of others, including trade secrets or intellectual property rights.
(2) Data Subject Rights: Right of Access
The GDPR provides data subjects with the right to obtain the following from controllers: confirmation as to whether they are processing the data subject's personal data, a copy of the personal data, and other information that should already be provided in a privacy notice. When data subjects exercise their right of access, the request is often called a "subject access request." A subject access request allows data subjects to understand the what, why and how of a controller's personal data processing activities, which in turn allows them to verify the lawfulness of the processing. Given the scope of information a controller may have to provide to data subjects under this right, the right of access is often the gateway to data subjects exercising other rights under the GDPR.
Data Subject under GDPR
The concept of "data subject" is critical to understanding the regulation. Basically, a data subject is the person whose data is being processed. According to one of the official comments to the GDPR, known as a Recital, a data subject is any natural person whose data is being collected, stored or processed. To understand which data subjects have rights under the GDPR, it is important to consider the meaning of data subject in conjunction with the definition of personal data and the territorial scope of the law. When EU-based establishments are processing the personal data of data subjects located outside of the EU, GDPR rights apply. Similarly, when establishments based outside of the EU are monitoring the behavior of, or targeting goods or services to, data subjects in the EU, GDPR rights apply.
Controller
The term Controller means an individual or entity that "determines the purposes and the means of the processing of personal data." In simple terms, the controller is the company that directs the processing of data to further its business objectives. Under the GDPR, the obligations of controllers include the following:
- Implement data protection by default and by design
- Provide instructions to processors
- Ensure data security
- Report data breaches
- Cooperate with DPAs
- Appoint a DPO for the business
- Identify the legal basis for processing
- Maintain data processing records
- Conduct data protection impact assessments (DPIAs)
(7) Data Subject Rights: Right to Object
This right allows data subjects to require controllers to stop processing their personal data. When a data subject objects to the processing of their personal data for direct marketing purposes, a controller must cease all such processing, including any related profiling activities. Data subjects may also object to the processing of personal data based on one of the following legal bases: (1) a task carried out in the public interest, (2) the exercise of official authority, or (3) legitimate interests; however, these objections do not trigger an absolute right. In these circumstances, data subjects must provide reasons as to why they are objecting to the processing, and controllers may refuse to act on the request if (1) they have compelling legitimate grounds overriding those of the data subject, or (2) the processing is necessary for the establishment, exercise or defense of legal claims.
Data Transfer from Europe to the US
This is constantly in flux. Until 2015, many US companies that did business in the EU participated in the US-EU Safe Harbor program to provide a lawful basis for EU data to be transferred to the US. The primary lawful bases for transfer of data between these countries include:
- The Privacy Shield (EU-US Privacy Shield): In July 2016, after extensive negotiations, this was finalized. The agreement sets forth commitments by US companies, detailed explanations of US law, and commitments by US authorities. US companies wishing to import personal data from the EU under the Privacy Shield accept obligations on how that data can be used, and those commitments are legally binding and enforceable.
- Standard Contractual Clauses (SCCs): In addition to the EU-US Privacy Shield, SCCs are widely used. With these, a company contractually promises to comply with EU law and to submit to the supervision of a DPA.
- Binding Corporate Rules (BCRs): Another mechanism that exists for lawful transfer of personal data from the EU to the US is BCRs. BCRs provide that a multinational company can transfer data between countries after certification of its practices by a DPA.
(6) General Principle: Integrity and Confidentiality
Through appropriate technical or organizational measures, personal data must be processed in a way that ensures a level of security appropriate to the risk of processing the personal data.
Liability for Compensation
Under the GDPR, both the controller and the processor can be liable to data subjects for harm caused by unlawful processing of personal data. Controllers are liable for any damages caused by unlawful processing. Processors are liable for processing in violation of the GDPR obligations on processors and for processing in violation of instructions given by the controller. If both the controller and processor are involved in the same processing where damage occurred, each is liable for the entire damage. The GDPR provides that both controllers and processors are exempt from liability when they are "not in any way responsible for the event giving rise to the damage."
Processor
Under the GDPR, a processor is an individual or entity that "processes personal data on behalf of the controller." The GDPR requires the processor to be governed by instructions provided by the controller in a contract. Generally speaking, the controller should bear more of the legal responsibility under the GDPR than the processor. Requirements flow downstream to a sub-processor (like a subcontractor).
(7) General Principle: Accountability
Under this principle, a controller is responsible for, and must be able to demonstrate compliance with, the 6 principles mentioned above. This principle aims to move privacy from theory to practice by requiring that the processes underlying privacy policies and procedures are implemented appropriately and effectively. Accountability measures include documenting personal data breaches (including those not requiring notification), maintaining a record of processing activities, and conducting DPIAs.
(3) Data Subject Rights: Right to Rectification
While the accuracy principle requires that personal data must be accurate, the right to rectification supplements this principle by allowing data subjects to require controllers to confirm the accuracy of their personal data. The GDPR provides data subjects with the right to have inaccurate personal data corrected and, taking into account the purposes of processing, to have incomplete personal data completed. Personal data may be completed via a supplementary statement.
