EU’s General Data Protection Regulation

ARE YOU READY?

Call me at 310-570-2399 if you collect any personal data from any EU resident to see how to get prepared. 

• Enforcement Deadline: May 25, 2018
  • Regulatory Bodies: EU Parliament,
  • A regulation is binding legislation across EU
  • Some conflicts remain between Commission language and Parliamentary language – and is still being hammered out
  • Actual text is here: https://www.eugdpr.org/more-resources-1.html

• What is Personal Data:
  • Any info of a natural personal that can identify that person including name, photo, email, bank details, posts, medical info, IP address
  • Potential for abuse: “Think of targeted advertising: the ad network does not need to know who the person that visited a website is, it is enough to know that this person is the same person who earlier visited sites A and B and sometimes clicks on ads for product C. This should be reflected in the definition of data subject by including the aspect of “singling out”. (https://edri.org/files/GDPR-key-issues-explained.pdf)

• Entities covered:  “it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.”
  • Does your entity control or process (ie cloud storage)  “personal Data of EU resident”?
  • Offer goods or services to EU citizens (even for no money) or monitor behavior in the EU?
  • If entity is not EU based must appoint EU representative.
  • Controller: the entity that determines “purposes, conditions and meaning of processing personal data”
  • Processor: entity that processes personal data on behalf of controller

• Citizens covered:
  • Any resident of EU countries
  • UK Citizens covered “Irrespective of whether UK retains the GDPR post-Brexit”
  • But if activities limited to UK, less clear

• Under 16 users:
  • Parental consent required
  • Member states can dictate age of consent down to 13

• Penalty (Article 28): Greater of 4% of annual global turnover or Euro 20 million
  • penalties for not having records in order
  • Not notifying of breach or not conducting impact analysis

• Consent: Must be clear, distinguishable, intelligible and easily accessible with the purpose for clearly defined
  • Consent may be withdrawn
  • Consent is required for collection to be of a lawful purpose

• Notify Requirement: 72 hours of first having become aware or “likely to result in risk to rights and freedoms of individuals”
  • Notice to customers, controllers

• Right to Access: User must be able to obtain confirmation whether or not personal data is being processed, where and for what purpose.  
  • Right to get copy in electronic format for free

• Right to be Forgotten (Article 17):
  • Right to have all data erased, ceased dissemination and have third parties halt processing
  • Reasonable steps (Article 17(2)
  • The right is not absolute however and permits exception for purposes of freedom of expression. For ex, “These exceptions allow Member States to restrict data protection rights in order to reconcile the fundamental rights to data protection and freedom of expression.”) Id.

• Portability:
  • Right to obtain all data in a “commonly used and machine readable format” or transferred to another
  • Note: non-final language
    • Commission: if subject has provided personal data and processing is based on consent or on contract, subject has right to transmit
    • Parliament:
      • If subject provided personal data and personal data is processed electronically, subject has right to obtain a copy
    • Council: No right if disclosing personal data would infringe IP rights  

• Privacy by Design (Article 23):
  • “The controller shall..implement appropriate technical and organizational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects”
  • Out of the box products should be designed with privacy in mind first.
    • Encryption does not appear mandatory
  • Only process data that is absolutely necessary for completion of duties AND limit access of personal info to others during processing
  • Lawful purposes include: “consent, the necessity for fulfillment of contract, legal obligation, necessary for vital interests of the data subject, necessity for the performance of a task in the public interest / official authority”
  • What is necessary?
    • “ For example, it is generally accepted that limited processing of personal data can be carried out for reasons of IT security, to ensure availability of services. On the other hand, incompatible purposes have no relation to the initial purpose. An example is telecommunications data retention: the initial purpose of collection (billing) and the further processing (storage for law enforcement use) are completely unrelated. In some cases, such incompatible use might be justified. The Commission proposal allows incompatible use if the new incompatible use has a basis in one of the grounds for lawfulness, except for legitimate interest. Therefore, the data retention example would be covered under processing that is necessary for compliance with a legal obligation to which the controller (here: telecommunications operator) is subject (Article 6(1)(c)). (https://edri.org/files/GDPR-key-issues-explained.pdf)

• Data Protection Officers (Article 37):
  • Only required appointment if public authority, systematic monitoring of data subjections on large scale or special categories of data or data relating to criminal convictions/offenses
    • Otherwise: internal record keeping requirement
  • Model Contract Clauses proposed
  • Note: Non final language remains
    • Parliament text calls for DPO if:
      • Special category of health, religious or political
    • processing over 5000 data subject in 12 months
    • Commission requires DPO if
      • Over 250 employees
      • Does not mandate DPO unless required by EU or memberstate law

Call me at 310-570-2399 if you collect any personal data from any EU resident to see how to get prepared.