The new (EU) 2016/679 General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. Its scope is broader than that of the current 95/46/CE Directive, which means that more companies headquartered outside of the EU will have to comply with European data protection rules than under the current regime.
The 95/46/CE Directive set up a European body, the Article 29 Working Party, on which representatives of all European Supervisory Authorities (SAs) sit. In order to avoid inconsistencies in the approaches adopted by the national SAs, the Working Party has been publishing opinions and guidelines on key concepts used in the Directive. On 13 December 2016 the Working Party adopted three guidelines and FAQs on three key aspects of the GDPR.
1. The right to data portability
Article 20 of the GDPR creates a new right to data portability. This means that when a data subject has provided personal data concerning him or her to a data controller in a structured, commonly used and machine-readable format, and wishes to switch to a new data controller, the data subject has the right to obtain the data and transmit that data to that new controller. The Working Party Guidelines and FAQs on the right to data portability provide examples and explanations about how this new rule should be interpreted. The right to portability applies not only to information actively provided by the data subject, but also to the raw data generated by the use of a service or device, such as search history, Internet traffic data, location data, or attributes tracked by a fitness or health tracker.
2. Data Protection Officers (DPOs)
Under the 95/46/ CE Directive, there was no obligation for data controllers to appoint a DPO. However, the practice developed in several Member States. Under the new GDPR, a number of organizations will have to appoint a DPO. This is the case, for example, where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. The Working Party Guidelines and FAQs on DPOs clarify the provisions of the GDPR. “Core activities” are the key operations necessary to achieve the company’s goals. Whether an activity is carried out on a “large scale” will depend on a number of factors, including duration and geographical extent. “Regular and system monitoring” is not confined to online environment and online tracking. It includes the operation of telecommunications network, location tracking and fitness and health data via wearable devices. The DPO does not have to be someone working within the company, but he/she must be able to speak the language of the country where the data is processed in order to communicate efficiently with data subjects and SAs. DPOs are not personally responsible in case of non-compliance with the GDPR.
3. Identifying a controller or processor’s lead supervisory authority
During the negotiation of the GDPR, multinational organizations that are currently supervised by a number of national SAs — taking different approaches to privacy — were in favor of the “one-stop-shop mechanism”. Under the GDPR, data subjects will be able to file complaints that relate to their country only with their local SA. However, the GDPR has introduced a new concept, that of “cross-border processing” which occurs either when the processing of personal data takes place in the context of several establishments in several Member States or where the activity of one establishment substantially affects or is likely to substantially affect data subjects in several Member States. In the GDPR, the general rule is that the supervision of cross-border processing is led by one supervisory authority, called the Lead Supervisory Authority. The Guidelines and FAQs for identifying a controller or processor’s Lead Supervisory Authority explain that SAs will interpret “substantially affects” on a case-by-case basis, taking into account the context of the processing, the type of data, the purpose of the processing and factors such as whether the processing causes or is likely to cause, damage to individuals.
The general principle is that the central administration in the EU will be the main establishment, unless another establishment takes the decision about the purposes and means of the processing, and have the power to have such decisions implemented. There are borderline cases and complex situations, for example where the controller is established in several member States, but there is no central administration in the EU and decisions about the processing are taken exclusively outside the EU. The GDPR does not deal with this and the Working Party suggests that the company designates the establishment which will act as the main establishment. If no such establishment is designated then it will not be possible to designate a lead authority. Forum shopping is not permitted: the relevant SA may decide which SA is the lead authority objectively assessing relevant evidence. The “one-stop-shop” mechanism will not apply to data controllers without any establishment in the EU who will have to appoint one local representative in the EU to deal with local SAs in all Member States where they are active.
Stakeholders have until the end of January to comment on these guidelines. A fourth set of guidelines on Data Protection Impact Assessment and Certification is expected to be issued later in 2017.