By Arjun Ahluwalia and Janine de Keersmaecker
Argentum Law recently attended a workshop hosted by the European Commission in Lisbon, reviewing the current state of its landmark data privacy legislation. The workshop’s aims were to take stock of the European General Data Protection Regulation’s (GDPR) first 18 months post-enactment and featured forecasts of the European Commission’s likely next steps in the coming year. The session was led by Isabel Chatelier, DG-Justice of the European Commission.
A Summary of the GDPR
For those unfamiliar with the landmark legislation, key facts to know include:
1. EU Data Subjects. It protects personal data of data subjects (individuals) in the European Union (EU).
2. Extra-territorial Scope. The GDPR not only applies to data processing activities conducted by companies established in the EU, but also to data processing activities of data controllers and processors outside of the EU relating to offering of goods or services (even if for free) to data subjects situated in the EU (not only EU citizens) and to the monitoring of the behavior of such data subjects.
3. Transition Period. Originally proposed in 2012, it took 4 years of intense negotiations to reach adoption in 2016, after which a 2-year transition period applied till enactment on 25 May 2018, giving companies and member states time to adapt.
4. Harmonized and Simplified Framework. The GDPR aimed to provide a harmonized and simplified framework to replace the EU’s 1995 Data Protection Directive. As opposed to a Directive, which requires national implementing measures, a Regulation is self-executing. It was deemed important to have a single set of rules in the EU with a single interlocutor and a harmonized interpretation for consistency, creating a level playing field not only between member states, but also with non-EU based companies targeting EU data subjects. Ultimately the aim was to update the outdated legal framework which was promulgated when the internet was still at its infancy in 1995, cut red tape, abolish burdensome prior notification and authorization requirements previously applying to data processing and international transfers and send a signal to companies that data protection ought to be taken more seriously.
5. New Regulation, Old Principles. While the GDPR broke new ground in many ways, it is important to understand that prior key concepts and principles have not changed with the introduction of the law. Principles of protection of personal data, lawful, fair and transparent processing, purpose limitation, data minimization, rules on further processing, data retention, data accuracy, integrity, confidentiality and accountability - all pre-date the GDPR.
6. Updated Set of Rights. The GDPR clarifies clearer rights for data subjects, mandating transparency, right to clear and accessible language, right to information, right of access, right to object, right not to be subject to automated decision making while also mandating new rights such as the right to portability of data, the right to be provided communication of a data breach without undue delay and the right to secure data erasure.
7. Updated Set of Obligations. A company can only process personal data under certain conditions and based on a limited number of legal grounds. The GDPR escalates these obligations based on the nature and potential risks of a company (instead of imposing a burdensome “one-size-fits-all” set of obligations) using a risk-based approach to assess the need for a data protection officer (DPO) and a Data Protection Impact Assessment (DPIA).
8. Engendering Trust. In all, the GDPR enshrines stronger rights and clearer obligations to enhance trust and legal certainty for individuals and businesses throughout the EU. Through codes of conduct setting out appropriate legal and ethical set of behaviors for a specific sector, which are brought to the European Commission by the Data Protection Authority (DPA) of a member state for evaluation and approval as to compliance with the GDPR and with application of certification and accreditation guidelines, businesses now have operational and practical tools that facilitate compliance with GDPR.
9. International Transfers of Data. The GDPR restricts international transfers of data outside the European Economic Area (EEA), but provides practitioners with a renewed and diversified toolkit for evaluating regulatory treatment of international transfers.
10. Modern Governance System. Ultimately, the GDPR has created a template for a modern governance system around data, better equipping companies and individuals with clearer rights and obligations, providing for better cooperation between national regulators, allowing for a flexible and novel decision making process for cross border regulation, creation of a pan-European data protection board for guidance and dispute settlement, and perhaps most importantly, applying credible and proportional sanctions for violations: 2-4% of global turnover depending on the nature, duration and gravity of the violation.
Taking Stock of the Previous 18 Months
The EU Commission has taken steps to review the first 18 months after enactment by publishing a 24 July 2019 communication based on feedback from expert groups and multi-stakeholder groups representing corporate and civil society. We include the headline takeaways from the survey:
1. Increased Consistent Application. It was reported there was increasing consistent application across the EU. Although the Regulation is directly applicable in the member states, it obliged them to take a number of legal steps at national level. All except one of the EU member states have adopted national legislation implementing GDPR, and application has extended to Norway, Iceland and Lichtenstein. While the European Commission continues to be required to provide guidance on novel aspects of implementation – the EU’s guidelines are helpful for harmonized understanding of enshrined rights of consent, transparency, data breach notification, data portability, DPOs and fines, in particular.
2. Increased Functioning of a New Governance System. The survey found that DPAs are using their powers in a balanced manner and are engaging in dialogue to find the best ways to implement the rules. It was reported that the DPAs are clearly ready to issue fines, however, impositions of such fines are being challenged in national courts, evidencing healthy scrutiny of the law.
3. European Commission Support for SME Implementation. The European Commission is supporting DPAs with education outreach to SMEs having provided two grants of EUR 3 million each to the DPAs.
4. European Data Protection Board is Operational. The EU Data Protection Board provides a mechanism for cooperation amongst member states with the adoption of 20 guidelines on key aspects of GDPR that relate to cross border cases. As of 4 Nov 2019, 726 cross border cases have been managed through the cooperation mechanism, for the purposes of reaching a common view and consensus on GDPR.
5. Increasing Citizen Awareness. More than 67% of EU citizens are aware of GDPR, 57% are aware of their national DPA, and 73% have heard of at least one right. The European Commission views this as a critical objective for the GDPR’s success.
6. Increasing Subjects’ Exercise of Rights. Individuals are clearly making more frequent use of their rights as the European Commission reports increased complaints, queries and information requests, especially in the banking and telecommunication sectors.
7. Corporate and Compliance Housekeeping. Companies are using the GDPR as an opportunity to get their house in working order and in line with best practices, as they map their data processing, improve security, prepare for incidents and generally focus on more trusting relationships with their data subjects and customers. Companies also report that they are increasingly marketing heightened compliance on personal data laws as a competitive differentiator and selling point.
8. Increasing Global Convergence. An ever-increasing number of countries and jurisdictions are adopting overarching laws for enforceable individual rights on data, with independent supervisory authorities, inspired by the GDPR.
9. Intensified Cross-Border Engagement. The European Commission noted the higher frequency of cross-border engagement to agree mutual adequacy findings to help facilitate trade and data transfers based on trust of similar protections enshrined on both sides, as evident from the success of recent EU-Japan negotiations.
While clear that the first 18 months have been largely successful for the GDPR in promoting a common framework across the EU on data protection, the European Commission noted a more fulsome review will be forthcoming in the form of a May 2020 Evaluation Report, which will focus on reviewing application and functionality of the key authorities under the GDPR. While the 2020 evaluation will not re-open any aspect of the GDPR, it will provide a welcome check on whether the institutions and mechanisms are fully operational.
The landmark legislation has indeed changed the way in which personal data is perceived by both individuals and companies. While the first difficult step has been taken by the European Commission, the major challenge for the European Commission in the coming years will be to ensure conformity in the approach of DPAs and a fostering of flexible and risk-based enforcement while maintaining consensus and harmonization. With current data usage practices of Big Tech and large corporations under the spotlight, the GDPR is surely a welcome step in the right direction to a harmonized system of governance around a commodity that is becoming exponentially, increasingly valuable – your very own personal data.
