The new European Data Protection Regulation - Regulation (EU) 2016/679 - came into force on May 25, 2016, though it will take two more years to be fully implemented. We strongly recommend that companies get a head start in making the adjustments and improvements needed to comply with the Regulation, given that it has been passed for the benefit of all.
In this post we analyze the reasoning behind this Regulation and its key aspects: the impact on privacy, the right to information, consent, transparency and security.
This post is also available in Spanish.
The reasoning behind the Regulation
The Regulation is the fruit of a years-long debate between organizations, institutions and entities that include governmental bodies, data protection authorities and companies. All of them, given the unrelenting advance of new technologies over the last few decades, had to regulate in more detail the by-products of the tech revolution: the right to privacy and the protection of personal data. Directive 95/46/CE came into force for such reasons, aiming to regulate the new use cases sparked by the technology launched in the 1990s, such as the increasing speed of computerized data processing and the growth of storage capacity.
Nowadays, the popularization of Internet usage and social media, the advanced state of data analysis and the advent of the Internet of Things have completely changed the way in which individual users and companies exchange information. The consumption of goods and interpersonal communication are no longer comparable to what they were twenty-five years ago and, as a result, the new Regulation seeks to lay down the foundations of a privacy law that suits modern technology. It is perhaps unfortunate, then, that technology is developing at a much faster rate than the legal system.
What impact is this Regulation likely to have?
The new Regulation does not automatically invalidate the previous Directive, precisely because it is a Regulation rather than a new Directive, and therefore it only modifies or updates certain details of its predecessor. In Spain, for instance, it will neither eliminate the national Law 15/1999 of December 13 nor its implementing regulation approved by Royal Decree 1720/2007 of December 21, but will instead give companies a two-year grace period to adapt to the changes it brings. This will certainly give rise to other laws at a local level, regulating issues that might not be covered by this new Regulation, but they will not be allowed to contradict it either.
It must be kept in mind that the Regulation will apply not only to European companies, professionals, data controllers and entities serving the European community, but also to all non-EU businesses and professionals who process data as part of any service aimed at European citizens.
Amazon and Google Analytics are two clear examples of companies that the new Regulation applies to, the former through its selling and delivering of products to European homes; the latter by offering monitoring and analytics of web users. Both businesses reside outside of the European Union.
What are the key aspects of the new Regulation?
The Regulation focuses on an analysis of the impact on privacy, the right to information, consent, transparency and security, as well as on guaranteeing citizens’ rights, namely privacy and data protection.
1. The impact of privacy
This aspect is assessed through a process known as Privacy by Design, which examines the impact of the data processing carried out by companies, professionals and entrepreneurs.
For example, a company developing a new mobile app or an online platform selling products and services should start with a Privacy by Design analysis, which, among many other things, prompts the following questions:
- How is client or user data going to be requested?
- How should the client be informed about the processing of his/her personal data?
- How would the information be stored?
- Is the amount of information on each client sufficient or is it more than is really required?
These concerns should be resolved in the interest of protecting clients against any misuse of their personal data, thereby preventing companies from infringing upon their privacy.
2. Right to information
Until now, it has been a requirement to provide information about who precisely is behind each instance of data processing, as well as how that information is being used. With the new Regulation, however, entities will have to ensure that the information provided is far more detailed than it has ever been.
When handling personal data belonging to natural and legal persons (among others), the following information must be provided:
- the identity of the controller and of his or her representative, if any;
- the recipients or categories of recipient to whom the data might be disclosed;
- the purposes of the processing for which the data are intended and the legal obligation to which the controller is subject;
- the purposes for which the personal data will be used;
- the period during which the personal data may be kept and, where this is not known, the criteria used by the controller to determine the said period.
The above are some of the informational requirements of the new Regulation that must be met to ensure full compliance.
3. Consent
As expected, the need for consent has enjoyed particular prominence in the Regulation. The previous Directive required individual consent to be given in a general, transparent, informed, relevant and unambiguous way; the new Regulation makes it crucial for interested parties to produce an explicit declaration or affirmative action that demonstrates their agreement to sharing personal data, ensuring that any consent is indeed “unambiguous.” Consent will no longer be considered valid if it consists of a silent, passive or omissive act on the part of the interested party.
In this way, several of the practices that have been considered acceptable until now - namely all implicit forms of consent - will no longer exist once the Regulation comes into effect. In any case, online companies and platforms will need to be equipped with systems that easily allow them to prove that explicit consent has been given. Implicit affirmative consent will not suffice: any gesture of consent must be tangible.
When the personal data belongs to a minor, the general rule is that the age of consent for the processing of minors’ personal data by information society service providers (such as social media or mobile apps) is 16 years old.
However, this age is subject to revision. Each Member State can establish its own age of consent, as long as it is not below 13: in Spain, for example, the age of consent is currently 14. If an individual is younger, their parents or guardians must give consent on their behalf to the organizations that will process the minor’s personal data.
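One way to build the kind of system the post calls for, one that can later prove that explicit consent was given, is to refuse to record anything that is not an affirmative action and to keep each valid consent as an append-only, timestamped record tied to a purpose and to the version of the information the subject was shown. The following is an added example, not code from the original post or from any real platform; the 16-year default, the 13-year floor and Spain’s 14 are the values stated in the post, while the data model, the action names and the table of national overrides are constructed for illustration.

```python
"""Consent evidence that a controller can later produce as proof (added example)."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Age thresholds stated in the post: 16 by default, and a Member State may go no lower than 13.
DEFAULT_AGE_OF_CONSENT = 16
MINIMUM_AGE_FLOOR = 13
# Constructed sample of national overrides; Spain's 14 is the value given in the post.
NATIONAL_AGE_OF_CONSENT: Dict[str, int] = {"ES": 14}

# Silent, passive or omissive events that never count as consent (constructed names).
IMPLICIT_ACTIONS = {"", "scrolled", "continued_browsing", "timeout", "no_response", "closed_banner"}


class ConsentError(ValueError):
    """Raised when the evidence offered does not amount to valid consent."""


@dataclass(frozen=True)
class ConsentEvidence:
    subject_id: str
    purpose: str               # one specific processing purpose, e.g. "newsletter"
    terms_version: str         # version of the information the subject was actually shown
    action: str                # what the subject did, e.g. "checkbox_ticked"
    control_preselected: bool  # was the checkbox/toggle already on before the subject acted?
    subject_age: int
    country: str               # ISO 3166-1 alpha-2 code of the Member State
    guardian_id: Optional[str] = None  # who consented on behalf of a minor, if anyone


@dataclass(frozen=True)
class ConsentRecord:
    evidence: ConsentEvidence
    recorded_at: datetime
    withdrawn_at: Optional[datetime] = None


def age_of_consent(country: str) -> int:
    """Age below which a parent or guardian must consent, per Member State."""
    age = NATIONAL_AGE_OF_CONSENT.get(country, DEFAULT_AGE_OF_CONSENT)
    if age < MINIMUM_AGE_FLOOR:
        raise ConsentError(f"{country}: national age {age} is below the {MINIMUM_AGE_FLOOR} floor")
    return age


def validate_evidence(ev: ConsentEvidence) -> None:
    """Reject anything that is not an explicit, informed, affirmative action."""
    if ev.action.strip().lower() in IMPLICIT_ACTIONS:
        raise ConsentError(f"'{ev.action or 'no action'}' is not an explicit affirmative action")
    if ev.control_preselected:
        raise ConsentError("a pre-selected control is not an affirmative action by the subject")
    if not ev.purpose or not ev.terms_version:
        raise ConsentError("consent must be tied to a stated purpose and to the terms shown")
    if ev.subject_age < age_of_consent(ev.country) and not ev.guardian_id:
        raise ConsentError("subject is below the age of consent; a parent or guardian must consent")


def is_valid_consent(ev: ConsentEvidence) -> bool:
    """Boolean form of validate_evidence, convenient for callers and tests."""
    try:
        validate_evidence(ev)
    except ConsentError:
        return False
    return True


class ConsentLog:
    """Append-only store of consent records; withdrawal marks, never deletes."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, ev: ConsentEvidence, now: Optional[datetime] = None) -> ConsentRecord:
        validate_evidence(ev)
        rec = ConsentRecord(ev, now or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, now: Optional[datetime] = None) -> int:
        """Mark every live consent for this subject and purpose as withdrawn; return how many."""
        stamp = now or datetime.now(timezone.utc)
        count = 0
        for i, rec in enumerate(self._records):
            ev = rec.evidence
            if ev.subject_id == subject_id and ev.purpose == purpose and rec.withdrawn_at is None:
                self._records[i] = replace(rec, withdrawn_at=stamp)
                count += 1
        return count

    def proof_of_consent(self, subject_id: str, purpose: str,
                         terms_version: str) -> Optional[ConsentRecord]:
        """The most recent live record for this subject, purpose and terms version, or None."""
        for rec in reversed(self._records):
            ev = rec.evidence
            if (ev.subject_id == subject_id and ev.purpose == purpose
                    and ev.terms_version == terms_version and rec.withdrawn_at is None):
                return rec
        return None
```

Keying the proof on the terms version matters: if the information shown to the subject changes, consent gathered under the old text does not silently carry over to the new one, and the log shows exactly which version each person agreed to.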
4. Transparency
As mentioned above, any instance of data processing should come with easily intelligible terms and conditions. In addition, in Spain, any processing should comply with the quality criteria specified in Law 15/1990, which requires that any use of private data be relevant, pertinent, proportionate and not excessive.
In order to be as transparent as possible, users should be able to exercise their full rights at all times, not only by being able to access, modify, erase or contest any of their information, but also by exercising their right to complain, in line with the well-known “right to be forgotten.”
5. Security
Companies and organizations are required to proactively implement security measures that guarantee that the company’s infrastructure has the correct processing and storage methods for client and user data. The principal measures that should be adopted are:
- establishing secure access to the company’s system or database;
- establishing adequate backup procedures;
- taking measures to prevent data leaks, the installation of malware and any other associated risks, such as attacks by crackers, denial-of-service attacks or system failures.
Companies are always required to report any type of incident to the authorities and to the affected users when their privacy or personal data is at risk.
They are also obliged to have a data protection officer among their staff when:
- “the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
-- Section 4, Data protection officer - Article 37, Designation of the data protection officer
For security issues related to data processing involving territories outside of the European Union, such as transfers between the U.S. and Europe, it will be necessary to wait for the details specified in the forthcoming Privacy Shield agreement (which will replace Safe Harbor).
In any case, it is clear that the new Regulation aims to protect and ensure the correct processing of user data, allowing the free circulation of citizens’ data within the European Union in accordance with all conditions outlined here.
This is a guest post by Vanesa Alarcón Caparrós.