Eye on Discovery – Five Steps to Take Now to Prepare for the General Data Protection Regulation
Once the European Court of Justice issued its decision in Schrems v. Data Protection Commissioner, businesses began scrambling to cope with the vacuum created by the demise of the U.S.-EU Safe Harbor Framework. Many of these companies are focused purely on the proposed replacement for the Safe Harbor, the Privacy Shield, instead of looking to the next, much more difficult hurdle on the horizon: the EU General Data Protection Regulation (GDPR). Unlike the Privacy Shield, which governs only data transfers between the EU and the U.S., the GDPR addresses a host of issues, imposes harsh sanctions for noncompliance, and is even stricter than its predecessor, the Data Protection Directive (Directive 95/46/EC).
It should be noted that the GDPR is extraterritorial: it applies to any organization, wherever it is established, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior, regardless of those individuals' citizenship. With less than two years before it applies on May 25, 2018, now is the time for organizations to consider the changes they may need to make to comply with the new law, from both a business and an eDiscovery perspective. Here is a brief overview of five aspects of the new law that are most likely to affect U.S. organizations.
1. Consent
Although consent remains a viable lawful basis for processing personal data under the GDPR, the new law refines, and restricts, what constitutes consent. Consent must be "freely given, specific, informed and unambiguous" for each purpose of processing, and data subjects can withdraw their consent at any time. Instead of the "opt-out" or implicit consent tolerated under the Data Protection Directive, the GDPR requires "a statement or a clear affirmative action." The law makes clear that "[s]ilence, pre-ticked boxes or inactivity" do not constitute adequate forms of consent. Moreover, consent is not considered "freely given" where there is "a clear imbalance between the data subject and the controller, in particular where the controller is a public authority." This reasoning also applies to employees: employee consent to the processing of their personal information must be distinct from the employment contract and must reflect a genuine choice, which in practice means employers should rely on consent only where refusal carries no detriment.
As under the Data Protection Directive, the GDPR also requires data controllers to obtain "explicit" consent, a higher standard of clear, detailed consent, when they plan to process sensitive personal data (which the GDPR calls "special categories of personal data"). Sensitive data is defined as any information that reveals "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation."
Interestingly, though the law is designed to harmonize data protection rules across the EU, the GDPR sets the age at which a child can consent on their own to online services offered directly to children at 16, but it allows member states to set a lower age, no lower than 13.
What to do now: Companies should evaluate how they have obtained data subjects’ personal information. Many organizations have relied on opt-out procedures and may need to re-obtain consent to comply with the GDPR’s requirements. Going forward, businesses will need to revisit how they obtain and record consent, as they will have the burden of showing that consent was freely given, specific, and informed.
2. Data Protection Officers (DPOs)
Many U.S. firms have not yet invested in a privacy professional, but they may need to with the advent of the GDPR. The new law requires organizations to appoint a DPO (either in-house or from a service provider) if their core activities involve regular and systematic monitoring of data subjects "on a large scale," or large-scale processing of sensitive personal data or data relating to criminal convictions; public authorities must appoint one in all cases. The DPO will need to have "expert knowledge of data protection law and practices."
What to do now: Businesses should seek legal advice as to whether they will be required to appoint a DPO. If so, they should hire a qualified candidate. Alternatively, the GDPR allows companies to outsource the role to an experienced consultant or legal counsel. A next step is to draft policies and procedures to ensure the DPO is equipped to monitor compliance with the new law.
3. Cross-Border Transfers of Personal Data
The GDPR export regime largely remains the same as under the Directive. The new law still permits transfers to countries that have been deemed to provide an "adequate" level of data protection and to other nations through standard contractual clauses and binding corporate rules. When the GDPR applies, transfers made under the Commission's standard contractual clauses will no longer require prior notification to or authorization by a data protection authority (DPA). The GDPR also approves two other safeguards that enable transfers: codes of conduct and certification. A code of conduct is a self-regulatory mechanism that demonstrates adherence to information privacy standards, including for international data transfers; the code may be drafted by a DPA, a member state, the European Data Protection Board, the European Commission, or other associations or bodies that represent data controllers or data processors. Certifications, as well as marks and seals, may be developed at the Union level by the European Data Protection Board. These alternate mechanisms may open the door to alternatives to Safe Harbor/Privacy Shield, and the GDPR also allows sector-specific adequacy decisions (e.g., a country may be considered adequate for financial information but not for health information).
What to do now: Businesses should determine what data they have collected about EU residents. Next, they should trace the flow of this data, both inside the company and to third-party data processors, including their law firms and vendors. They should also evaluate their current data transfer mechanisms and ensure they are compliant. Finally, they should evaluate, or develop if necessary, their procedures for managing queries about the handling of personal data. And keep in mind that transfers of employee data within a corporate group are not exempt from the international data transfer rules.
4. The Right to Be Forgotten
The GDPR codifies and expands a right the Directive only implied: the right to erasure, commonly called the right to be forgotten. This right allows data subjects to require companies that have collected their personal data to erase it, and, where the controller has made the data public, the controller must take reasonable steps to inform other controllers processing that data that erasure has been requested. The right is not absolute: the GDPR carves out processing that is necessary to comply with a legal obligation or to establish, exercise or defend legal claims, which is why litigation holds and eDiscovery retention obligations must be reconciled with any erasure procedure.
What to do now: Review information flows and determine how difficult it might be to delete a data subject’s information. Some companies disperse personal data among various applications, systems or vendors, and it can be difficult to trace. Affected organizations should take time now to map out their data storage, including data stored in the cloud and sent to third parties such as eDiscovery specialists. They should also create a procedure for searching for, segregating and deleting this information upon request.
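The following is an added illustration of the erasure procedure described above, not code from the original article: a request handler that consults a data map of every store that may hold a subject's records, deletes what it finds, retains anything under a legal hold (citing the GDPR's legal-claims exception), and produces an audit record. The data map, the stores, the legal-hold register and the subject identifiers are all constructed for the example.

```python
"""Erasure-request handler driven by a data map (added example; hypothetical stores)."""
import copy
import hashlib
from datetime import datetime, timezone


def sample_data_map():
    """Constructed data map: every store that may hold a subject's data, with the
    field that identifies the subject in that store. Returns a fresh copy so that
    repeated runs start from the same state."""
    data_map = {
        "crm": {"key": "email", "records": [
            {"email": "anna@example.eu", "name": "Anna", "country": "DE"},
            {"email": "bob@example.com", "name": "Bob", "country": "US"},
        ]},
        "marketing": {"key": "email", "records": [
            {"email": "anna@example.eu", "list": "newsletter"},
        ]},
        "ediscovery_vendor": {"key": "custodian", "records": [
            {"custodian": "anna@example.eu", "matter": "Matter-2016-07"},
        ]},
    }
    return copy.deepcopy(data_map)


# Constructed legal-hold register: (store, matter) pairs whose records must be
# retained under GDPR Art. 17(3)(e) (establishment, exercise or defence of legal claims).
LEGAL_HOLDS = {("ediscovery_vendor", "Matter-2016-07")}


def pseudonym(subject_id):
    """Hash the identifier so the audit log itself does not keep the personal data.
    A production system would use a keyed hash (HMAC with a secret) instead."""
    return hashlib.sha256(subject_id.encode("utf-8")).hexdigest()[:16]


def on_hold(store, record):
    """True if the record is covered by a legal hold and must be retained."""
    return (store, record.get("matter")) in LEGAL_HOLDS


def process_erasure_request(subject_id, data_map, now=None):
    """Locate, segregate and delete a subject's records in every mapped store.

    Mutates data_map in place and returns an audit entry listing, per store, how
    many records were erased and how many were retained and on what basis.
    """
    now = now or datetime.now(timezone.utc)
    audit = {
        "subject": pseudonym(subject_id),
        "requested_at": now.isoformat(),
        "stores_checked": sorted(data_map),
        "erased": {},
        "retained": {},
    }
    for store, spec in data_map.items():
        key = spec["key"]
        matches = [r for r in spec["records"] if r.get(key) == subject_id]
        held = [r for r in matches if on_hold(store, r)]
        to_delete = [r for r in matches if not on_hold(store, r)]
        # Delete only what is not under hold; everything else stays, with the basis logged.
        spec["records"] = [r for r in spec["records"] if r not in to_delete]
        if to_delete:
            audit["erased"][store] = len(to_delete)
        if held:
            audit["retained"][store] = {
                "count": len(held),
                "basis": "GDPR Art. 17(3)(e): legal hold",
            }
    return audit


if __name__ == "__main__":
    stores = sample_data_map()
    print(process_erasure_request("anna@example.eu", stores))
```

The point of the design is that the handler never deletes from a store the data map does not list, so an incomplete map silently leaves copies behind; the `stores_checked` field in the audit entry is what lets a reviewer compare the run against the current inventory, and the retention entries show the legal basis for anything that was not erased.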
5. The Duty to Supervise Third Parties
The GDPR sets forth new responsibilities that could turn into liability for companies that work with data processors. Data controllers, defined under the GDPR as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data," now have an express obligation to use only processors that provide sufficient guarantees and to bind them by a contract containing prescribed terms; under the Data Protection Directive, the controller's duty was limited to choosing a processor with sufficient guarantees and having a written contract, with little prescribed content. Processors, for the first time, also carry direct statutory obligations of their own.
What to do now: Review your contracts with any third-party data processors, including legal service providers. Ensure these contracts mirror, and promise adherence to, the requirements of the GDPR and any data transfer mechanisms that you use, including the terms the GDPR now mandates: processing only on the controller's documented instructions, confidentiality of staff, appropriate security, prior approval of sub-processors, assistance with data subject requests and breach notification, return or deletion of the data at the end of the engagement, and audit rights. Also, be sure to include data privacy and transfer considerations in your vendor selection process.
What About Brexit?
The UK’s referendum in favor of leaving the EU has raised questions as to the effects on data privacy. Following the vote, a representative from the British Information Commissioner’s Office stated that “the Data Protection Act remains the law of the land irrespective of the referendum result.” He went on to say that the UK would need to adopt adequate privacy controls to meet GDPR standards to maintain equal trade practices with the EU. As the UK was one of the key architects of the GDPR, it is likely that it would adopt most of the provisions.
However, there will likely be some changes in the form of data transfer agreements, both between Britain and the EU and between Britain and the U.S. Much like Switzerland, the UK will likely adopt a framework similar to Safe Harbor or Privacy Shield to support transfers of personal information to the U.S. To simplify compliance and avoid cross-border transfers, some companies may also opt to use data centers in the EU instead of in the UK.
What to do now: Companies should identify the personal information collected and stored in the UK, both about individuals in the UK and about individuals elsewhere in the EU. Understanding which country personal information comes from will be a critical step toward compliance as the ramifications of Brexit unfold.
Given the GDPR's breadth, it is imperative for organizations, regardless of where they are located, to take stock of their data flows and data transfer protocols as the foundations for a sustainable, compliant data protection program. Those who hesitate to take steps now toward compliance could well find themselves facing record penalties of up to 4 percent of annual global turnover or 20 million euros, whichever is higher.