European Union: Privacy
The right to privacy emerged after World War II and was initially enacted in the Universal Declaration of Human Rights, before finding expression in the European Convention on Human Rights (ECHR). Later, the right to data protection was recognised by the European Court of Human Rights (ECtHR) as part of the broadly interpreted concept of private life.
In the European Union, the right to data protection was first recognised by the Treaty on the Functioning of the European Union and was given the status of a human right by the Charter of Fundamental Rights of the European Union (CFR).
In 1995, to harmonise data protection laws, ensure a high level of protection and guarantee the free flow of personal data among member states, the European Commission (EC) adopted the Data Protection Directive, which had to be implemented in each member state. In parallel, the ePrivacy Directive was adopted in 2002 to address personal data in the specific context of electronic communication services and adapt the applicable rules to the digital age.
However, confronted with various challenges, in particular the persistent fragmentation of data protection laws throughout the European Union and increasing digitalisation, the European Union decided to review the legal framework. This led to the adoption of the General Data Protection Regulation (GDPR). Adopted in 2016, the GDPR became directly applicable in all member states on 25 May 2018. Reform of the ePrivacy Directive was also initiated, to align the framework for electronic communication services with the new GDPR rules.
Updates and trends
The GDPR, which is directly applicable in the member states, achieved a high degree of harmonisation for the data protection rules in the European Union. However, member states still have ‘margins of manoeuvre’ and can adopt national legislation to specify, restrict or expand the GDPR rules under certain circumstances (eg, for children’s consent or the scope of data subject rights). As at September 2019, 26 member states had adopted specific national laws to supplement the GDPR and two were in the process of doing so.
Originally planned to come into effect on 25 May 2018, the ePrivacy Regulation has still not been adopted. Discussions about key issues relating to electronic communications data or marketing communications continue.
If the United Kingdom were to leave the European Union without a deal (even though the European Union (Withdrawal) (No. 2) Act 2019 has been granted Royal Assent and effectively rules out a no-deal Brexit), the GDPR would no longer be directly applicable in the United Kingdom. The United Kingdom’s national data protection legislation mirrors the GDPR’s key principles, but some parts of the GDPR would no longer be relevant to or apply in the United Kingdom. In particular, data transfers from the European Union to the United Kingdom might require specific safeguards; this will also depend on whether the United Kingdom can be considered a country with an ‘adequate level of data protection’ under the GDPR.
Focus on the GDPR
In the spirit of the ECHR and the CFR, the GDPR seeks to protect individuals’ personal data as an overarching, fundamental human right. Article 1 states that it shall protect fundamental rights and freedoms of natural persons and reduce barriers for businesses by facilitating the movement of personal data within the European Union. In addition, the GDPR aims to address the data protection risks associated with new technologies and their widespread use by imposing more stringent obligations. Finally, the GDPR aims to ensure effective protection of personal data by strengthening data subjects’ rights and the obligations of those who process personal data, and by establishing authorities to monitor and ensure compliance.
Scope of application
The GDPR applies to the ‘processing’ of ‘personal data’. Both concepts are to be interpreted very broadly. Processing covers every action that can be conducted with personal data, while personal data means any information relating to an identified or identifiable natural person. For instance, the fact that a person took part in a meeting or signed a specific document will be considered personal data. Only anonymised data falls outside the scope of the GDPR. However, anonymisation is quite hard to achieve in practice. In most cases where anonymisation is attempted, the data will only be considered ‘pseudonymised’ (eg, identifiers or references to individuals are removed, but it is still possible to re-identify the data with additional knowledge from other sources). The GDPR fully applies to pseudonymised data.
The GDPR also recognises specific categories of personal data, namely ‘sensitive data’ (or ‘special category’ data) and ‘data relating to criminal convictions and offences’. Sensitive data is:
data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The processing of those categories of data is subject to more stringent requirements. In most cases, the data subject’s consent is required.
Data processed in the course of a purely personal or household activity is explicitly exempted. However, the exemption has to be interpreted rather narrowly. Larger scale or more intrusive activities generally fall under GDPR’s scope, even if the main purpose is personal.
The GDPR defines three ‘data protection roles’, namely:
- the data subject, who is the natural person whose information is being processed;
- the controller, who determines the purposes and means of the processing; and
- the processor, who processes the personal data on the controller’s behalf.
Controllers and processors are subject to specific requirements under the GDPR, whereas data subjects enjoy extensive rights.
The GDPR is very far-reaching: it applies to entities established in the European Union and to certain others without such an establishment. In the latter case, it applies to the processing of personal data of data subjects who are in the European Union, if the processing is related to offering goods or services or monitoring their behaviour (eg, online tracking) as far as their behaviour takes place within the European Union. Those entities must appoint an ‘EU representative’, which acts as a point of contact for authorities and data subjects.
Principles relating to personal data processing and accountability
Article 5 of the GDPR sets out the general principles with which controllers and processors must comply when processing personal data. These principles serve as the cornerstone of all subsequent GDPR provisions and they guide courts and authorities in their interpretation of the GDPR.
- Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes, must not be used for any purposes other than those notified to the individual and must not be further processed in any manner incompatible with those initial purposes.
- Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: personal data must be accurate, kept up to date and erased or rectified, if necessary.
- Storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is being processed, and otherwise must be deleted or anonymised.
- Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (TOMs).
In accordance with the new principle of accountability, controllers are responsible for and must be able to demonstrate compliance with these principles. The GDPR therefore puts a particular emphasis on documentation, in particular through the maintenance of a record of processing activities. The principle of accountability also leads to a shift of the burden of proof in certain cases (ie, it is the controller’s responsibility to evidence GDPR compliance).
Lawfulness of data processing
Processing of personal data is lawful only if and to the extent it is based on one of the six legal bases listed in the GDPR. Whether a lawful basis for processing applies, and if so which, is to be determined with regard to the type of personal data and the purpose of the processing.
The most common lawful bases for processing are: (1) processing is necessary for the performance of a contract; (2) consent; and (3) the controller’s overriding legitimate interests, as set out below:
- To rely on the performance of a contract, the processing must be ‘necessary’ to the contract, meaning that if ‘there are realistic, less intrusive alternatives, the processing is not necessary’. For example, the use of a cloud storage application necessarily requires that personal data be stored in that cloud, so the controller can rely on the performance-of-a-contract exemption for that storage. However, the use of the data for other purposes (eg, analysing data for marketing purposes) is not necessary for the contract and requires another legal basis.
- Consent is often regarded as the ‘method of choice’ but in practice it is very challenging to rely on this legal basis. The threshold for obtaining valid consent is very high. Indeed, consent has to be ‘freely given’, ‘specific’ and ‘informed’ and must express the unambiguous indication of the wishes of the data subject. The data subject must also be able to withdraw their consent, at any time, as easily as it was given. In particular, the requirement of freely given consent is sometimes hard to achieve (eg, when an employer asks employees for consent).
- Relying on overriding legitimate interests may also be quite challenging. First, the existence of a legitimate interest must be carefully assessed in each case. The GDPR does not provide a list of interests to be considered as such. However, for instance, the GDPR states that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’. Second, controllers have to balance these legitimate interests against the data subject’s fundamental rights and freedoms. Only when those rights do not override the controller’s legitimate interests is it possible to rely on this legal ground. In light of the ‘accountability principle’, controllers must generally document the balancing test.
The other three lawful bases also require the processing to be ‘necessary’ for a specific purpose, namely compliance with a legal obligation; protecting the data subjects’ vital interests; or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Regarding sensitive data, processing is, in principle, prohibited. To lawfully process this kind of data, the controller needs to both identify a lawful basis under article 6 and fulfil additional requirements under article 9, unless the processing is based on the data subject’s ‘explicit consent’.
The GDPR also regulates specific types of processing, such as automated decision-making, including profiling. Profiling means any form of automated processing of personal data to evaluate certain personal aspects relating to the individual, in particular to analyse or predict certain aspects. Although the GDPR permits this kind of data processing, it imposes certain requirements to ensure additional guarantees to protect personal data.
Rights of the data subject
The GDPR grants a wide range of rights to data subjects regarding the processing of their personal data, giving them more control over their personal data. Data subject rights can be classified into two groups.
The first group covers all information obligations imposed on controllers. These require a controller to:
- give the data subject specific information about the circumstances of the data processing, irrespective of whether the personal data is collected directly from the data subject or not. This information must be given at the time personal data is collected or before it is processed;
- inform the data subject before carrying out changes to the data processing;
- inform the data subject of personal data breaches where relevant; and
- take reasonable steps to inform other controllers of a right exercised by the data subject in some cases, such as if the data subject asks for their data to be erased and the data was made public by the controller.
The second group includes rights that must be exercised by the data subject for the controller to act. The data subject has the right to:
- access their personal data processed by the controller (right of access);
- obtain rectification of inaccurate or incomplete personal data (right to rectification);
- request restriction of processing, which means that personal data can still be stored but may not be used in certain situations (right to restriction of processing);
- request erasure of their personal data in particular circumstances (right to be forgotten);
- receive the personal data they provided in a structured and commonly used machine-readable format and request the controller to transmit this directly to another controller (right to data portability);
- object to the processing of their personal data on grounds relating to their particular situation (right to object). This right is not absolute: the controller must stop processing the data only if it cannot show compelling legitimate grounds for the processing that override the individual’s interests (although this does not apply where the personal data is processed for direct marketing purposes); and
- not be subject to a decision based solely on automated processing, including profiling, which produces legal or similar effects for the data subject. This right is also not absolute; it does not apply if automated decision-making is necessary for the performance of a contract between the controller and the data subject.
If a controller or processor breaches the GDPR, the data subject has the right to lodge a complaint with practically any data protection supervisory authority (DPA), including those established in a member state other than where they live, as well as the right to start judicial proceedings. The data subject may also file a claim for damages.
Oversight and enforcement
Each member state has established at least one DPA. The DPA, which must be independent in performing its tasks and exercising its powers, must contribute to the consistent application of the GDPR throughout the European Union. The DPA has a wide range of responsibilities and a broad scope of powers, including investigative and corrective powers. In particular, it can issue warnings, reprimands or fines (up to €20 million or 4 per cent of worldwide annual (group) turnover, whichever is higher); order data to be rectified, blocked or deleted; or impose a ban on processing. A DPA regulates controllers and processors established in its own member state, as well as data processing by those elsewhere if the processing affects data subjects in the member state or is otherwise connected.
If more than one DPA would have jurisdiction for a specific processing activity of a controller or processor established in the European Union (ie, for cross-border processing), the DPA of the entity’s ‘main establishment’ will act as ‘lead supervisory authority’. This ‘one-stop-shop mechanism’ ensures more efficient cross-border proceedings, but there is still some uncertainty over the definition of ‘main establishment’.
All DPAs are members of the independent European Data Protection Board (EDPB), along with the European Data Protection Supervisor. The EDPB is responsible for ensuring the uniform application of the GDPR throughout member states and efficient co-operation among DPAs. The EDPB can issue guidelines and recommendations, and make binding decisions on how DPAs should interpret the GDPR.
Updates and trends
On 25 May 2019, the GDPR celebrated its first anniversary. According to the Commission, 67 per cent of Europeans are aware of the GDPR and there were 144,376 queries and complaints to DPAs in the European Union. DPAs have already started to impose fines, some of which were very high compared to pre-GDPR fines. For example, the French DPA, the CNIL, issued a €50 million fine to Google (although that decision is being appealed).
Privacy activists have made several complaints against the ad tech industry (eg, the Interactive Advertising Bureau, Google and others) in various EU countries. Multi-jurisdictional complaints aimed at particular business practices are becoming a trend that might spread to other sectors. More generally, data subjects have started claiming for damages under the GDPR, usually starting with a data subject access request to collect information to substantiate a claim; these claims have been limited so far, so the risks for businesses here are still hard to predict.
The Court of Justice of the European Union (CJEU) is the highest court with authority to interpret any ambiguity in the GDPR. CJEU case law so far shows a very strict application of the GDPR. For instance, the CJEU considered a Facebook fan page operator, or the operator of a website that features a Facebook ‘Like’ button, to be a joint controller together with Facebook (even though the fan page or website operator has no influence on Facebook’s data processing operations). The CJEU is likely to continue with this strict approach to promoting privacy rights under the GDPR, which might put an extra compliance burden on businesses.
The role of the data protection officer
The data protection officer’s (DPO) main responsibility is to monitor GDPR compliance and to ensure awareness-raising and training of staff involved in processing operations. The ultimate responsibility to comply with the GDPR lies, however, with the controller and its management.
The controller or the processor must appoint a DPO if their ‘core activities’ consist of the regular, systematic and large-scale monitoring of data subjects; or the large-scale processing of sensitive data or data relating to criminal convictions and offences. Member states can stipulate further cases where a DPO must be appointed.
Businesses must appoint the DPO on the basis of the person’s professional qualities, their expert knowledge of data protection, and their ability to fulfil the assigned tasks. Businesses may appoint an employee or an external provider (although, off the record, certain DPAs have expressed concerns over the appointment of external DPOs by businesses that process a significant amount of personal data). In both cases the DPO must be able to perform their tasks independently and without any conflict of interest.
Once designated, the DPO’s contact details must be published and communicated to the DPA. The DPO serves as a contact point both for data subjects and the DPAs.
Ensuring GDPR compliance of data processing operations
Data protection by design and by default
The controller must do the following:
- Implement appropriate TOMs to satisfy the general data protection principles under the GDPR and to integrate the necessary safeguards in order to meet the GDPR’s requirements throughout the whole processing, from the initial to the final stages. For example, when a controller builds a new product, it must ensure that the product is developed with privacy in mind; this can be documented and achieved by adding ‘privacy gates’ into the product development cycle. TOMs must be implemented considering the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals.
- Implement appropriate TOMs ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed (eg, some applications may require the functionality to turn certain data collection on and off, and the default setting should be ‘off’).
The controller must also regularly review and update the TOMs, to consider privacy by design and by default.
Appropriate TOMs to ensure data security
To keep personal data secure, controllers and processors must implement appropriate TOMs. Technical measures are precautionary measures relating to the processing itself, like a backup system or User-ID policy. Organisational measures cover the external framework conditions surrounding the processing, like employee training, policies or a safety plan.
The GDPR does not specifically define what security measures must be taken, but it does list criteria for the measures, to ensure a level of security appropriate to the risk. There is neither a one-size-fits-all solution, nor an ideal one, so controllers and processors must carry out a ‘balancing test’. The controller or processor has quite a broad margin of discretion, but its decision to implement certain TOMs might be closely scrutinised – for example, if there is a personal data breach investigation. So controllers and processors should assess the specific risks raised by their different processing and the protective effects of individual TOMs.
When assessing a risk, relevant factors are:
- the nature of the risk (eg, data destruction, unauthorised disclosure or unauthorised access);
- its likelihood, taking into account, for example, the data transfer method (eg, in the cloud, abroad) or the storage method (duration, location); and
- its severity, taking into account, for example, the importance of the data or the type of likely damage.
When assessing individual TOMs, the controller or processor must assess whether and how it can prevent the risk from occurring, given the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. It should focus on measures such as encryption and pseudonymisation, which may be considered state of the art in certain cases and for certain types of data. It must take measures that can ensure the ongoing confidentiality, integrity, availability and resilience of the processing, and restore the availability of and access to the data if there is an incident.
Data protection impact assessments
If data processing poses a high risk to the rights and freedoms of individuals, the controller must first carry out a data protection impact assessment (DPIA). A DPIA is an internal risk assessment to document any risks identified and any measures taken to mitigate the risks (eg, implementing TOMs or adding contractual safeguards with third parties).
In particular, a DPIA is required when: new technologies are used; there is a systematic and extensive evaluation of personal aspects based on automated processing; sensitive personal data is processed on a large scale; or there is systematic monitoring of a publicly accessible area on a large scale. There may be other cases where the processing is likely to result in a high risk.
EU guidelines suggest that a controller must consider the following criteria to determine the risk of processing, and a DPIA is generally required if two of these criteria are met:
- evaluation or scoring;
- automated decision-making with legal or similar significant effect for data subjects;
- systematic monitoring;
- sensitive data or data of a highly personal nature;
- data processed on a large scale;
- matching or combining data sets;
- data concerning vulnerable data subjects (eg, children);
- innovative use or applying new technological or organisational solutions; and
- when the processing in itself prevents data subjects from exercising a right or using a service or contract.
Finally, DPAs may establish non-exhaustive ‘blacklists’ or ‘whitelists’ of those activities that always require a DPIA and those that do not.
In the rare event that the risks identified in a DPIA cannot be mitigated, the controller must consult with the relevant DPA before processing.
Although the GDPR has increased the data processor’s responsibilities, the controller remains primarily responsible. The controller must only use processors that provide sufficient guarantees to ensure GDPR compliance; this requires appropriate processes for vendor management to document that the selection of processors is based on reasonable criteria. The controller must also conclude a binding contract with the processor setting out all the elements of the processing and certain restrictions, including that the processor may process data only upon the documented instructions of the controller, the controller has certain audit rights, and the processor must support the controller to ensure GDPR compliance.
Joint controllers must determine their respective responsibilities for GDPR compliance in a transparent manner, in particular as regards the exercise of data subject rights and the controllers’ respective duties to provide information to data subjects.
The GDPR includes restrictions regarding data transfers to countries outside the European Economic Area (EEA). Safeguards must be used to ensure an ‘adequate level of data protection’, unless the personal data is transferred to a country covered by an ‘adequacy decision’ – that is, where the Commission has found that the country has an adequate level of data protection.
If the recipient country is not covered by an adequacy decision, the transfer must be subject to ‘appropriate safeguards’, namely:
- binding corporate rules (ie, group internal data protection frameworks approved by the relevant DPA);
- standard contractual clauses adopted by the Commission or by a DPA;
- an approved code of conduct;
- an approved certification mechanism; or
- individual contractual clauses authorised by the DPA.
If the transfer is not covered by these safeguards, an exemption might apply, such as where the data subject has given explicit consent or where the transfer is necessary for the performance of a contract with the data subject.
Personal data breaches
Under the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data. Any security incident affecting the confidentiality, integrity or availability of personal data is therefore a personal data breach. This could include, for instance, a lost USB stick, an intrusion by a hacker or the sending of an email to the wrong recipients.
If a controller suffers a data breach, it must implement certain remediation measures. If the breach poses a risk to data subjects, it must notify the relevant DPA without delay, and, where feasible, within 72 hours of becoming aware of the breach. Where there is a high risk, the affected data subjects must also be notified. In practice, these tight deadlines will be challenging for many businesses and the emphasis is often on assessing when a business can reasonably be said to be ‘aware’, bearing in mind the complexities of many data breach investigations.
A wide range of factors will be relevant to assess the level of risk, namely the type of breach; the nature, sensitivity and volume of personal data; the consequences for affected individuals; the number of affected individuals; and the likelihood and severity of the consequences on affected individuals, such as discrimination, identity theft or financial loss.
If the threshold for notifying or communicating has not been met, documentation about the breach and the reasons for not notifying or communicating must be retained.
Focus on specific requirements
In sectors like banking, healthcare, social security, post, telecoms and gambling, specific data protection requirements may apply that stipulate particular requirements or exemptions beyond the GDPR.
In 2016, the European Union adopted the Directive on Security of Network and Information Systems (the NIS Directive) in order to enhance cybersecurity standards for certain businesses with IT infrastructure in the European Union. The NIS Directive has not yet been implemented in all member states. The directive generally applies only to certain critical infrastructure where specific thresholds are met (eg, energy, health, transport, banking and digital infrastructure). Entities regulated under the NIS Directive must implement state-of-the-art cybersecurity measures and report breaches to national cyber regulators.
Communications and marketing
The 2002 ePrivacy Directive, which has been implemented into domestic member state law, applies to electronic communications in addition to the GDPR. It covers a wide range of issues, such as collection of traffic data, cookies and unsolicited communications. It goes beyond the GDPR; for example, certain cookies may be used only if the user has given consent, and certain marketing communications require that recipients have explicitly opted in to receive them. EU discussions to replace the directive with a regulation continue.
The GDPR has established a stringent and far-reaching data protection framework with a significant extraterritorial reach. As it is principles based and there is still very little guidance from courts or regulators, this shifts a lot of responsibility to businesses that process personal data. As a best practice, many businesses have set up privacy governance committees to manage their GDPR risk. This approach is now slowly extending to businesses that are not subject to the GDPR, because many countries have adopted or are in the process of adopting similar comprehensive privacy frameworks. Aligning different national requirements is difficult for businesses, not only because EU member states still have leeway to enact country-specific rules, but also because the approach taken in countries outside the European Union sometimes conflicts with the GDPR. That said, for those looking to implement global compliance programmes, developing principles-based policies and procedures with the GDPR as their bedrock is often a pragmatic solution.