The EU General Data Protection Regulation (GDPR) represents the biggest change to EU data protection law in more than twenty years. It has grabbed headlines as a result of its extra-territorial reach and the potentially vast fines for non-compliance. (For a general overview of the GDPR, please refer to our Alert Memo.) With the GDPR’s May 25, 2018 effective date rapidly approaching, the Article 29 Working Party (an advisory group made up of representatives from EU data protection authorities as well as the European Commission) recently published its latest wave of GDPR guidance. In this post, we summarize both the prior guidance and the most recent update, which covers critical issues such as data breach notification requirements and the calculation of penalties for non-compliance.
Notably, full compliance with the GDPR is a large undertaking for any organization, but the compliance task may be greatest for non-EU organizations who will now be covered by the EU data protection regime for the first time. For example, the GDPR’s broad reach extends to organizations (i) that process personal data in the context of the activities of an establishment (for example an entity or branch) located in the EU, or (ii) that offer goods or services to, or monitor the behaviour of, individuals in the EU. By way of an example of the extraordinary breadth of the Regulation, an organization that is targeting customers in the EU, offering goods and services (including for free) via a website that is available in a language or currency generally used in the EU, and/or tracking the behaviour of individuals located in the EU via the internet, will be within scope.
The Article 29 Working Party has been issuing regular guidance over the last year which is particularly helpful in navigating the changing landscape created by the GDPR:
- December 2016: data portability, data protection officers (DPO), and lead supervisory authorities.
- April 2017: data protection impact assessments (DPIA).
- October 2017 (consultation open until November 28, 2017): personal data breach notifications, automated decision-making and profiling, and administrative fines.
A summary of each of these key aspects of the Article 29 Working Party guidance, including from the most recent update, is set out below. To access the full text of the guidance, please click on the relevant sub-heading.
The guidance sets out the key elements of the data portability right and the circumstances in which an organization will be required to comply with an individual’s request. Practical information is provided on ascertaining the identity of the individual, the appropriate timing for responding to requests and the format in which data should be provided for onward transfer.
The guidance also clarifies certain key parts of the regulation, as follows:
- a transmitting organization will not be held responsible for the processing of the data by the recipient organization;
- organizations are not required to retain personal data any longer than is necessary, simply in order to fulfill potential future data portability requests;
- organizations must respond to all requests, even if that response is a refusal; they cannot remain silent.
Under the GDPR, certain organizations must designate a Data Protection Officer (“DPO”). The guidance clarifies when designation of a DPO is necessary and what the tasks of the DPO should be (including monitoring compliance with the Regulation, overseeing a Data Processing Impact Assessments (“DPIAs”), cooperating with the relevant supervisory authorities and acting as a first point of contact for all data protection related matters).
With respect to the designation of a DPO, the guidance sets out useful examples and practical information. For organizations which are not a public authority or body, a DPO will be required where:
- The core activities of the organization consist of processing which requires regular and systematic monitoring of individuals on a large scale. “Core activities” should include any processing that forms an inextricable part of the organization’s activity. The processing of patient data by a hospital, for example, will be considered part of its core activities, and is large scale in nature; an individual physician’s similar activities however, would not be large scale. Systematic monitoring could include location tracking, behavioral advertising, or “smart home” devices; or
- The core activities of the organization consist of processing on a large scale of certain special categories of (i.e., sensitive) personal data.
Importantly, irrespective of the criteria for compulsory designation, the guidance strongly encourages the adoption of a DPO on a voluntary basis, describing DPOs as a “cornerstone of accountability”.
Lead Supervisory Authority (“LSA”)
The GDPR introduces a “One-Stop Shop” mechanism, allowing organizations established in multiple Member States (carrying out cross border processing) to deal with a single, “lead” supervisory authority (“LSA”), which will have primary responsibility for dealing with cross-border processing issues.
The guidance sets out the assessment criteria for determination of an organization’s LSA (including information on the initial step of establishing whether cross-border processing of personal data is being conducted). The location of an organization’s main establishment will be determinative in identifying the LSA. A main establishment is usually the place of central administration in the EU. However, the guidance gives additional information for determining borderline cases, notably:
- Group of undertakings: in most circumstances, the main establishment shall be the location of the parent company or operational headquarters;
- Central administration based outside of the EU: such organizations can designate a main EU establishment, but this must be accompanied with a delegation of real decision-making authority to the relevant entity; and
- No central administration, plus decision making taken outside of the EU: The GDPR does not make One Stop Shop available under these circumstances; if organizations want to benefit from the One Stop Shop, they should be prepared to designate an EU-based establishment that will act as its main establishment (with proper authority to implement processing decisions).
- Companies with no EU establishment (but nevertheless subject to the GDPR): the One-Stop Shop mechanism will not be available to organizations with no establishments within the EU.
Data Processing Impact Assessment
A Data Processing Impact Assessment (“DPIA”) is a process through which organizations assess the risks associated with a data processing task. Failure to carry out a DPIA (where appropriate under the GDPR) could give rise to fines. The guidance provides helpful clarification on the timing and method of carrying out a DPIA, including the need to ensure its publication (either in full or in part).
A DPIA is required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. The guidance from the Article 29 Working Party suggests that where there is doubt as to a DPIA’s necessity, an organization should conduct one nonetheless.
The guidance suggests that the following are likely to result in a “high risk”:
- Evaluation or scoring: including profiling and predicting. For example, a company building behavioural or marketing profiles based on usage or navigation on its website.
- Automated decision making (with legal or similar significant effect): in particular, it should be borne in mind that this type of processing may result in discrimination or exclusion of individuals.
- Systematic monitoring: which often results in personal data being collected where the individuals are not aware of how their data is collected and used.
- Processing of sensitive personal data: includes special categories of personal data (such as health and medical records data, details or a person’s political affiliations etc.) as well as information relating to criminal convictions.
- Data processed on a large scale: assessed in relation to the number of individuals, volume of data, duration or permanence of data processing and the geographical extent of processing.
- Matching or combining datasets: for example, data originating from several processing operations carried out for a different purpose.
- Data concerning vulnerable individuals: including children, employees or any case involving an imbalance of power between the individual and the organization.
- Innovative use or new technological solutions: for example, finger print and face recognition for improved physical access control.
- Processing that prevents individuals from exercising a right or using a service or a contract: for example, where a bank screens its customers against a credit reference database in order to decide whether to offer them a loan.
The Article 29 Working Party has issued guidance to supervisory authorities on the appropriate administration of fines under the GDPR, with an emphasis of “consistency” between regulators and sanctions being “equivalent” to the infringement, assessed on a case-by-case basis. The guidance provides for administrative fines to be “effective, proportionate and dissuasive”.
The Article 29 Working Party has also provided detailed information to supplement the assessment criteria for administrative fines, set out in the GDPR.
Profiling and automated decision-making
The Article 29 Working Party guidance also attempts to clarify provisions introduced in the GDPR to address the risks that arise from our increased use of profiling and automated decision making, The guidance distinguishes between profiling and associated decision making on the one hand, and solely-automated decision making, on the other.
- Profiling (and associated decision-making) means gathering information about an individual and analyzing it in order to place the individual into a certain category or group, and/or to make predictions or assessments about their interests, abilities, or likely behavior.
- Solely automated decision-making involves decisions made entirely by technological means, without human involvement. This may overlap with, or include, profiling. The guidance explains that fabricated human involvement will not save decision-making from being solely automated; the human intervention must be carried out by someone who has the competence and authority to change the decision.
The GDPR places general safeguards around profiling and automated decision-making, which are explored in more detail in the guidance. However, solely-automated decision-making is prohibited where it would produce a legal or similarly significant effect. The guidance gives as examples of this: impacting entitlement to social benefits, eligibility to enter into particular contracts, and certain types of particularly intrusive or manipulative online advertising. Exceptions may apply, for example, where an individual has given explicit consent, but the guidance emphasizes that this must be an express statement.
The guidance then goes on to consider the various data protection principles, in the context of profiling and automated decision making (including the lawful basis for processing and the rights of the individual).
The guidance details what will amount to a personal data breach, how to assess the associated risk of such a breach and how to comply with the GDPR’s notification requirements, including:
- timing of notifications;
- an organization’s ability to “bundle” notifications in certain circumstances;
- treatment of delayed notifications;
- circumstances where a notification will not be necessary; and
- guidance on communicating breaches to the individual.
Additionally, the guidance covers accountability and record keeping in the context of a data breach.
Future Guidance
The Article 29 Working Party intends to produce further guidance before May 2018, covering consent to data processing and the transparency requirements under the GDPR. Check back here to Cleary Cybersecurity and Privacy Watch for additional updates on the implementation of the GDPR and future Article 29 Working Party guidance.