Three quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. I find that shocking!
—Elizabeth Denham, Information Commissioner, January 17, 2017
Even if your firm doesn’t do much business in Europe, you need to understand their privacy legislation anyway. Why? Because their General Data Protection Regulation (GDPR) has set the standard for privacy regulations all across our planet.
The European Union consists of 27 countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. There are a number of additional countries in negotiations to join, including Albania, Bosnia and Herzegovina, Montenegro, Turkey, and others. But EU expansion happens extremely slowly—people have been arguing about Turkey’s potential membership since it first applied in 1987.
In 2018, the United Kingdom (England, Scotland, Wales, and Northern Ireland) voted to leave the European Union. As of this writing, the UK remains in a difficult transitional period in terms of its relationship to the EU. But for our purposes, it’s essentially a “tomato/tomahto” question because the regulations are the same. The British government describes their Data Protection Act as “the UK’s implementation of the General Data Protection Regulation (GDPR).”
Brussels, Belgium, is the capital of the European Union (EU), home to 60 percent of EU civil servants. It was here that in 1995 the first data protection directive was born, out of concern for the trafficking of EU residents’ personal data. To put this in perspective: in 1995, Google.com was not a registered domain name.
The history of data protection in Europe goes even further back, and it is worth a quick overview. European sensitivity, and German sensitivity in particular, to data collection goes all the way back to before World War II. After taking power in 1933, the Nazi party collected an enormous amount of personal data, both during the census and when seizing various registries in occupied countries. They used this data to oppress and murder millions of people. The practice even continued after the war, when the Stasi, the East German “secret” police, continued to harvest data on East German citizens (and anyone else of interest).
The United Nations was formed after World War II, and the Universal Declaration of Human Rights was adopted in Paris on December 10, 1948. Article 12 reads:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attack.
Two years later, Article 8 of the European Convention on Human Rights took privacy concerns a step further:
Everyone has the right to respect for his private and family life, his home and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
That was the beginning of integrating privacy rights into European legislation, but it would take another 30 years for things to get really interesting! In 1981, in Strasbourg, Treaty 108 was brought forth for signature by the member States of the Council of Europe. The treaty, known as the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,” built on the Organisation for Economic Co-operation and Development (OECD) guidelines of 1980. It was the first binding instrument protecting PII, the first to outlaw the collection of sensitive PII (e.g. race, politics, health, sexuality, etc.), the first to introduce a redress method for the individual, and the first to regulate transborder data trafficking. This treaty became the foundational document for the many European regulations that followed.
Two short years later, in 1983, Germany’s Supreme Court struck down the PII-collection component of that country’s proposed census; this decision is widely acknowledged as the precedent-setting victory for data privacy advocates. A few key points from the abstract submitted to the Venice Commission are worth noting:
- The proceedings concerned several constitutional complaints lodged by citizens who directly challenged the 1983 Federal Census Act. The Act provided for a comprehensive data collection that went far beyond a population count, including personal information such as name, address, and religious affiliation, as well as information on the census subjects’ educational background, professional occupation, and housing situation.
- The Federal Constitutional Court found the constitutional complaints to be for the most part admissible; in part, the complaints were also well-founded.
If individuals cannot, with sufficient certainty, determine what kind of personal information is known to their environment, and if it is difficult to ascertain what kind of information potential communication partners are privy to, this may seriously impair the freedom to exercise self-determination. In the context of modern data processing, the free development of one’s personality therefore requires that the individual is protected against the unlimited collection, storage, use and sharing of personal data.
Scroll forward to 1995, and the ancestor to the General Data Protection Regulation (GDPR) is born as the seductively named “Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” aka the Data Protection Directive. It was the first comprehensive legislation in the EU, setting forth several principles that survive in subsequent versions. It laid out definitions for PII and processing transparency requirements, established a country-by-country supervisory authority as well as a public register for data processing operations, and regulated the cross-border trafficking of data to “third countries,” that is, countries outside the European Union.
The data transfer provisions were particularly restrictive. The Directive prohibited the transfer of PII to any country that did not demonstrate that it had an adequate level of protection, and established via Article 29 the “Working Party on the Protection of Individuals with regard to the Processing of Personal Data,” commonly referred to as the “Article 29 Working Party” or the “Data Beastie Boys,” depending on who you talk to.
Needless to say, many American companies took a rather dim view of the legislation. In response, the United States and the folks from the Article 29 Working Party came up with the “Safe Harbour Principles.” They revolved around seven principles: notice, choice, third-party transfer, cybersecurity, integrity, access, and enforcement. It may come as no surprise that a 2002 review found that a “substantial” number of companies that promised to adhere to the Safe Harbour Principles did not. The finding was confirmed in 2008.
Just as people were trying to make sense of who was doing what to whose data, the Snowden revelations hit!
In 2015 the European Court of Justice took on the case from the High Court of Ireland in what is known as Schrems v Facebook. Mr. Schrems, an Austrian citizen, complained that his data was being processed by Facebook on servers in the United States. Mr. Snowden had revealed that the NSA was spying on everything and everyone, and Schrems argued that the U.S. therefore did not offer sufficient protection against surveillance. The court agreed, ordering that a new agreement be negotiated between the two countries. Safe Harbour 2.0 was born, and it held things in place for a few more years until the General Data Protection Regulation was ushered in with much fanfare on May 23, 2018. The world has not been the same since.
That’s not to say that the GDPR rollout was completely smooth. To begin with, when GDPR was announced there was confusion about which businesses it applied to. Every business? EU businesses only? Does it apply to EU citizens? What about EU residents who aren’t citizens? Many conversations and much guidance later, we found out that it applies to all businesses doing business in the EU, and to all residents (not just citizens), and that includes even non-citizens who happen to be traveling to the EU from all over the world. If you are in the EU, then GDPR applies to you, and if you are doing business in the EU—no matter where headquartered—then yes, the GDPR also applies to you.
The GDPR applies to all EU businesses, as well as all companies doing business in the EU. The law was adopted in 2016 and took effect on May 25, 2018.
The Privacy Act amendment was introduced such that PIPEDA, which governed how businesses could collect, use, and disclose PII, would be better aligned with the European Union’s General Data Protection Regulation (GDPR).
Intent and Major Provisions
The GDPR established several principles governing the data processing of personal information. We have excerpted their salient points below:
Article 5: Principles relating to processing of personal data
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes… (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date… (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed… (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data… (‘integrity and confidentiality’).
- The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Article 6: Lawfulness of processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party…
- Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation…
Article 7: Conditions for consent
- Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Article 8: Conditions applicable to child’s consent in relation to information society services
- … the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be… authorized by the holder of parental responsibility over the child.
- The controller shall make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility over the child…
Article 9: Processing of special categories of personal data
- Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited…
Article 10: Processing of personal data relating to criminal convictions and offenses
- Processing of personal data relating to criminal convictions and offenses or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law…
Article 11: Processing which does not require identification
- If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
- Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible.
What makes the GDPR so important isn’t the data protection requirements or even its international scope. Rather, it’s the position of the Data Protection Officer, and the extensive individual rights that were codified, including:
Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
Article 13: Information to be provided where personal data are collected from the data subject
Article 14: Information to be provided where personal data have not been obtained from the data subject
Article 15: Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling… (and) meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
- The controller shall provide a copy of the personal data undergoing processing.
Article 16: Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
And the most famous Article of all:
Article 17: Right to erasure (‘right to be forgotten’)
- The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based… and where there is no other legal ground for the processing;
- the data subject objects to the processing… and there are no overriding legitimate grounds for the processing…
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
- Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Article 18: Right to restriction of processing
Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20: Right to data portability
- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Because the Data Protection Officer is a mandated position, the law not only added specific details on what is expected from the position but also took the extra step of specifically establishing and protecting the position’s independence. Article 38 reads, in part:
Position of the data protection officer
- The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
- The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
- Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
- The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
- The data protection officer may fulfill other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
Article 39 has more to say about the officer’s role:
Article 39: Tasks of the data protection officer
The data protection officer shall have at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
- The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
The GDPR is the only law so far that both mandates and explicitly describes the tasks of a data protection officer, and then protects such a position within an enterprise. Previous regulations tended to discuss enforcement from the perspective of the government but remained silent on enforcement at the corporate level. Essentially, the GDPR mandates that an enforcement officer, hired by the business, should report directly to the highest management level, and be immune from termination of employment as a consequence of performing their duties under the law.
Under the GDPR, personally identifiable information is defined as:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The more specific inclusion criteria for the GDPR are laid out in Articles 1, 2, and 3.
Article 1: Subject-matter and objectives
- This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
- This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
- The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Article 2: Material scope
- This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system….
Article 3: Territorial scope
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
There are very few exclusions under the GDPR. Those that exist are enumerated under “Article 23: Restrictions” and revolve around data processed during an activity that is outside of EU jurisdiction, individual data processing for personal or household activity, law enforcement activities (investigation, prevention, detection, prosecution of criminal offenses), and processing of personal data under the scope of the Maastricht Treaty (formally known as the Treaty on European Union).
The GDPR is enforced by the EU member states’ Supervisory Authority.
Article 51: Supervisory authority
- Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).
- Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.
- Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.
Penalties in the GDPR were a matter of substantial controversy and intense lobbying. At the end of the day, the penalties began steeply and remained that way in the final draft. As excerpted from Article 83, General Conditions for Imposing Administrative Fines, they are (emphasis added):
- If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
- Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Bottom line? You definitely do not want to be found to be “a controller or processor intentionally or negligently” breaking this law. In the GDPR’s case, compliance is not optional.
The effect of the GDPR is truly global. The European market is one of the largest in the world, and as a result there are millions of companies doing business with European residents, and all of them, in one way or another, are affected by the GDPR. What’s more, as you’ll note as you read on in this series, countries attempting to write their own regulation have begun to lean on GDPR as the gold standard. The principles and even the language of the GDPR will likely echo across all future regulations.