At last, agreement on EU data protection reform

Nigel Miller
Nigel Miller

First proposed in January 2012, agreement has finally been reached between the European Commission, the European Parliament and the Council (the so-called ‘trilogue’) regarding a new General Data Protection Regulation (GDPR).

Current data protection rules are based on the 1995 Data Protection Directive, which predates mainstream internet, social media, big data, the cloud and other advances in technology which shape the way business operates today. It’s a classic case of legislation not keeping pace with technological development; its overhaul is well overdue.

A key benefit of the GDPR will be a single harmonised data protection law covering the whole of the EU. At present, each EU state has implemented its own version of the 1995 Directive and differences can apply in different member states.

The main highlights are summarized as follows:

A stricter regulatory environment

Reflecting ever increasing concerns about how personal data is used in the digital economy, and the continuous flow of news reports about data security breaches, the GDPR imposes a much higher burden of compliance on business.  Specific points include:

  • Fines – the maximum fine for breach of the GDPR is to be set at 4 per cent. of a company’s worldwide turnover. Currently the maximum fine under the DPA is £500,000. This alone should be enough to put the GDPR onto every Board’s agenda.
  • Easier access to data: individuals will have (and businesses will be required to provide) more information on how their data is processed and this information should be available in a clear and understandable way.
  • Consent – a new more expansive and specific definition of consent requires that it must be a “freely given, specific, informed and unambiguous indication of his or her wishes” by which the data subject, either “by a statement or by a clear affirmative action”, signifies agreement to personal data relating to them being processed.
  • Additional administrative burden – businesses must keep a record of any data processing activities under their responsibility (referred to as documentation) and must carry out data protection impact assessments (DPIAs) if they are processing date using new technologies and this is likely to result in a high risk to personal data.
  • Rules for innovation – the regulation requires that data protection safeguards are built into products and services from the earliest stage of development (privacy by design). Privacy-friendly techniques such as pseudonymisation are encouraged by the GDPR, to allow the benefit of big data innovation while protecting privacy.
  • Data protection officers – companies will be required to appoint data protection officers if they process sensitive data or collect information from consumers on a large scale. This will be an additional cost to many companies, although there is an exemption applicable to SMEs – see below.
  • Data processors – the GDPR treats data processors as data controller if they process personal data otherwise than in accordance with the data controller’s instructions and subjects data to processors fines for breaches of the GDPR; under current rules, in general, only the data controller is responsible for compliance.
  • Data breach notification – companies and organisations must notify the national supervisory authority (that’s the ICO in the UK) of serious data breaches as soon as possible so that users can take appropriate measures.

Individual rights

As well as the above, the new rules strengthen existing rights to include:

  • a right to data portability – the GDPR will make it easier for consumers to transfer personal data between service providers such as social network platforms and SaaS service providers;
  • right to be forgotten– EU citizens will have a stronger right to require that their data is deleted provided that there are no legitimate grounds for retaining it, which may require a business to rethink its current policy on data retention and deletion.

International aspects

  • Impact on non-EU businesses – the new rules will apply to companies who do not have a physical presence in the EU but offer services in the EU and collect data about EU data subjects. This will, for example, affect many US companies that provide services into the EU.
  • International data transfers – the position regarding transfers of data outside of the EU is unsatisfactory, highlighted by the recent invalidation of the Safe Harbor framework in respect of transfers to the US. However, it seems that the position under the GDPR will be largely unchanged from the current position.
  • One continent, one law – The GDPR will establish one single set of rules for the whole of the EU which will make it simpler and cheaper for companies to do business in the EU.
  • One-stop-shop – businesses will only have to deal with one single supervisory authority.

Exemptions for SMEs

Under the new rules, SMEs benefit from certain exemptions to reduce the burden of compliance:

  • No more notifications: the requirement to notify to / register with the ICO is to be scrapped.
  • Subject access: Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
  • Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
  • Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a high risk.

Next steps

Before the GDPR becomes law, the final text must be formally adopted by the European Parliament and Council, which is set to happen at the beginning of 2016.

The new rules will then become applicable across the EU two years thereafter.

For more information on how the GDPR will affect your business, please contact Nigel Miller (partner) or Sian Barr (associate) at Fox Williams LLP.


Data Privacy for Peer to Peer and Alternative Finance Platforms

Sian Barr
Sian Barr

Setting up a new platform for a peer to peer or alternative finance business is challenging at the best of times, as entrepreneurs plot a route through the diverse areas of law and regulation which must be respected for the platform to be launched and run in a sustainable manner. One such area is data protection and privacy. This article distils some of the experience and learning we at Fox Williams have gained from advising on data protection and privacy issues into what we consider to be the five most important data protection considerations relevant to P2P and alternative finance platforms.

1. Design with privacy in mind. Each platform will use and process personal data in different ways. If your platform innovates by providing a new service, or changes and improves the user experience of an existing service, then it may be using personal data in an entirely novel way. There is no ‘one size fits all’ solution to complying with privacy laws. The challenge is to ensure that the platform is still commercially viable even when operated within the framework of privacy laws. To help ensure this is the case, the platform or business model should be designed with privacy in mind so that any issues are identified early, which should minimise the costs of sorting them out. “Privacy by design” such as this is best practice and the interaction of data protection and privacy laws with your business model should be kept under review as the relevant legal framework changes.

2. Factor in new developments. Privacy laws are constantly evolving. Platform owners should establish a system, in conjunction with trusted advisers, so that the business is kept up to date with developments to privacy law both during the development phase and post-launch. The existing European data protection legislation is in the process of being reviewed and new laws are likely to enter into force at some point in 2017, although they could become law earlier or later than 2017. The new legislation is only in draft form at present but contains a number of material changes which will affect platform owners. For example, existing methods for getting your customers’ consent to his/her data being used may no longer be adequate as the requirements for valid consent are set to become more stringent and the potential fines for breaching data protection laws look likely to increase (the draft legislation provides for fines of up to 1 million euros or up to 2% of annual worldwide turnover).

3. Does your platform rely on the US Safe Harbor? Your platform could be affected by the recent decision of the Court of Justice of the EU, in which it ruled that the US Safe Harbor scheme is invalid. If, for example, your parent company is a US company and your HR or customer data is held by the parent company on servers in the US, or if your platform uses Software-as-a-Service (SaaS) solutions which are hosted in the US where the service provider is under Safe Harbor – such as Amazon Cloud or Salesforce. The eighth data protection principle of the UK Data Protection Act says that personal data shall not be transferred to a country outside the European Economic Area unless that country ensures an “adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”. Formerly under the Safe Harbor, transfers could be made to the US, if the US recipient of the data had signed up to the US Department of Commerce Safe Harbor Scheme, as this had been recognised as providing “adequate protection”. Businesses that previously relied on Safe Harbor (or new platforms intending to rely on it) will need to review and where appropriate make changes to their business so that they can send data to the US lawfully. For further information on the Safe Harbor decision, please see our earlier item “Safe harbor update – and what to do” which can be found here.

4. Change management. Parallel with being informed of any new developments, you need to be able to implement changes to the way your platform operates fast to keep on the right side of new privacy laws. This means being able to adapt business processes which are usually governed by a complex network of contracts between you, as platform owners on the one hand, and customers or other users of the platform, and suppliers to the platform, on the other. All contracts and terms should give you the right to amend existing contracts and standard terms in order to bring them into compliance with applicable data protection law and regulation and set out a clear and transparent way of notifying all interested parties of the changes that have been made and the reasons for making them.

5. Transparency is one of the guiding principles of privacy law. This principle should also resonate with P2P and alternative finance platforms as often the point of distinction between them and the more traditional finance businesses is that platforms are easier to navigate and understand. The principle of transparency should track through to the legal terms governing the platform. The privacy statement and privacy policy should be clear, easy to follow and easy to find. The platform should be up front at all times about how personal data is to be used. Doing so can only improve the user experience offered by the platform.