The text of the new EU General Data Protection Regulation has now been finalised. When it comes into force it will replace all data protection legislation in EU member states (including the UK's Data Protection Act 1998 (DPA)) without the need for further national legislation.
The Regulation will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU-based offices) as long as they are processing EU citizens' personal data.
No one can afford to ignore it. Here are the key provisions.
Currently the Information Commissioner’s Office (ICO) can issue a Monetary Penalty Notice of up to £500,000 for serious breaches of the DPA. The Regulation introduces much higher fines. For some breaches of the Regulation (e.g. failing to comply with Data Subjects’ rights) Data Controllers can receive a fine of up to 4% of global annual turnover for the preceding year (for undertakings) or 20 million Euros. For other breaches (e.g. failing to comply with security obligations) the fine can be up to 10 million Euros or 2% of global annual turnover.
Consent and Children's Data
Like the DPA, the Regulation will require Data Controllers to have a legitimate reason for processing personal data. If they rely on the consent of the Data Subject, they must be able to demonstrate that it was freely given, specific, informed and unambiguous for each purpose for which the data is being processed. Consent can be given by a written, including electronic, or oral statement. This could include the Data Subject ticking a box when visiting a website, choosing technical settings for social network accounts or by any other statement or conduct which clearly indicates his/her acceptance of the proposed processing of personal data. Silence, pre-ticked boxes or inactivity will no longer constitute consent.
Article 8 requires that where the personal data of a child under 16 is being processed to provide "information society services" (e.g. online businesses, social networking sites etc.) consent must be obtained from the holder of parental responsibility for the child. Member states may, however, lower this threshold where appropriate, but not below the age of 13.
Data Subjects' Rights
The list of rights that a Data Subject can exercise has been widened by Section 2 of the Regulation. The subject access right, rectification and being able to object to direct marketing remain. The right to have personal data processed for restricted purposes and the right to transfer data/have it transferred to another Data Controller (data portability) are new rights.
In addition, Article 17 introduces a "Right To Be Forgotten", which means that Data Subjects will be able to request that their personal data is erased by the Data Controller and no longer processed. This will apply where the data is no longer necessary in relation to the purposes for which it is processed, where Data Subjects have withdrawn their consent, where they object to the processing of their data or where the processing does not comply with the Regulation. However, the further retention of such data will be lawful in some cases, including where it is necessary for compliance with a legal obligation, for reasons of public interest in the area of public health, or for the exercise or defence of legal claims.
To strengthen the "Right To Be Forgotten" in the online environment, the Regulation requires that a Data Controller who has made the personal data public should inform other Data Controllers which are processing the data to erase any links to, or copies or replications of that data.