The past month has seen two major developments on the privacy front that will have worldwide consequences for entities that handle personal data. Except for the final implementation date, we knew what to expect from the latest iteration of EU data protection language. However, no preview was forthcoming regarding the contents of the eagerly awaited formal evaluation by the European Union’s data protection regulators of the EU-US Privacy Shield, which was announced earlier this year.
The May 4th publication ((Official Journal of the European Union. L 119. 4 May 2016. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC)) of the long anticipated EU Regulation 2016/679, better known as the General Data Protection Regulation (GDPR), set the clock for full implementation of the new standard by May 25, 2018. Among other things, the new Data Protection Regulation:
- Expands the scope of data protection significantly;
- Establishes new accountabilities (such as a 72-hour notification requirement in the event of a breach); and
- Expands the rights of individuals (for example, it introduces the right to be forgotten and the right to not be subject to profiling in certain situations).
The GDPR covers any entity that touches data on EU residents, even if that entity did not collect the data itself. In our interconnected online world that expanded coverage scope has tremendous implications for most entities that collect, hold or process data.
Equally noteworthy – and with no advance preview – was the April 13, 2016 publication ((Statement of the Article 29 Working Party on the Opinion on the EU-U.S. Privacy Shield. Brussels. 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/press_release_shield_en.pdf)) of the EU’s Article 29 Working Party opinion on the new EU-US Privacy Shield, an agreement that was announced with great fanfare after difficult negotiations on February 2 ((Statement of the Article 29 Working Party on the Opinion on the EU-U.S. Privacy Shield. Brussels. 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/press_release_shield_en.pdf)). The Shield’s negotiators on both sides felt comfortable that the language adequately provided for:
- Strengthened obligations and improved enforcement in the commercial sector;
- Clear limitations and safeguards on the access to personal data by the U.S. Government;
- Improved redress and a mandatory arbitration mechanism to ensure enforceable actions; and
- Annual reviews conducted by the EU Commission and US Department of Commerce ((EU-U.S. Privacy Shield. European Commission. February 2016. http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_eu-us_privacy_shield_en.pdf
)).
Despite a number of improvements, including what the US and EU both said is a first time limitation of the US government’s access to EU residents’ data, the Article 29 Working Party expressed a number of what it called “strong concerns” ((Statement of the Article 29 Working Party on the Opinion on The EU-U.S. Privacy Shield. Article 29 Working Party. Brussels. 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/press_release_shield_en.pdf)) about the Privacy Shield agreement. These concerns involved both commercial entities and access by public authorities to data transferred under the Shield, especially in areas related to national security. Among the biggest concerns were:
- The Working Party believes that massive and indiscriminate collection of personal data originating from the EU is still possible, despite claims to the contrary by the US Office of the Director of National Intelligence (ODNI).
- The Working Party believes that some key data protection principles, as outlined in European law, are not reflected or have been inadequately substituted by alternative notions. These principles include:
- The purpose limitation to data processing, the definition of which the Working Party says is unclear in the agreement.
- The data retention principle, which the Working Party Opinion says cannot be construed by the agreement’s current wording.
- Protections that should be afforded against automated individual decisions based solely on automated processing are not acknowledged.
- The Working Party believes that the proposed Ombudsman role is not sufficiently independent and does not have the power to effectively exercise its duty. Also, according to the Working party, the language of the agreement is not adequate to guarantee a satisfactory remedy in case of disagreement. ((Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision. Article 29 Working Party. Brussels. Adopted 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf
))
-
If the EU and the US don’t address the issues raised by the Working Party, observers suggest that the likelihood of legal challenges to the agreement will increase significantly, creating uncertainty for firms who wish to take advantage of the Privacy Shield.
What is the Article 29 Working Party?
Most US residents are not familiar with the inner workings of EU governance, so a little background in this situation may be helpful. The European Union Parliament established the Article 29 Working Party through the 1995 Data Protection Directive ((Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1442330397711&uri=CELEX:31995L0046)) and gave it a broad advisory charter to:
-
(a) examine any question covering the application of the national [data protection] measures adopted under this Directive in order to contribute to the uniform application of such measures;
(b) give the Commission an opinion on the level of protection in the Community and in third countries;
(c) advise the Commission on any proposed amendment of this Directive, on any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and on any other proposed Community measures affecting such rights and freedoms; and
(d) Give an opinion on codes of conduct drawn up at Community level.
It’s important to note that, under the new GDPR, the Article 29 Working Party will transition to become the European Data Protection Board, with more independence and more power. Its primary task will be ensuring the consistent application of the new regulation ((EU General Data Protection Regulation (GDPR). Chapter 7: Cooperation & Consistency, Section 3: European Data Protection Board, Article 68: Procedure. 14 April 2016. http://www.eugdpr.org/00. Also, among many other tasks, the new European Data Protection Board will advise the Commission on any issue related to the protection of personal data in the EU, as well as any proposed amendment of the GDPR. Some observers have described the Article 29 Working Party’s output as “soft law;” ((http://www.linklaters.com/Insights/Publication1403Newsletter/TMT-newsletter-September-2011/Pages/Article29-working-party.aspx)) that is, the group’s opinions are persuasive but not binding on the European Commission, national regulators or European or national courts.
That said, in the last 24 months the Article 29 Working Party has issued a number of opinions on a wide range of issues – everything from the Internet of Things (IoT), Cloud computing, the surveillance of electronic communications for intelligence and national security purposes, and even privacy and data issues relating to the utilization of drones ((Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision. Article 29 Working Party. Brussels. Adopted 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm)).
Part of the Working Party’s influence stems from its composition, which includes representatives of the data protection authorities from each member country, the European Data Protection Supervisor (currently, Giovanni Buttarelli) and the European Commission. That structure will carry over to the Data Protection Board. The Working Party’s current Chair is Isabelle Falque-Pierrotin, who is also Chair of the French Data Protection Authority.
Differences in Privacy as a Concept: US versus EU
In a recent interview with The Economist ((Data sovereignty: An interview with Giovanni Buttarelli. The Economist. April 7, 2016. http://www.eiuperspectives.economist.com/technology-innovation/companies-digital-transformation-and-information-privacy-next-steps-0/video/data-sovereignty-interview-giovanni-buttarelli
)), Giovanni Buttarelli described one of the fundamental differences between the way we think about privacy in the United States and the way Europeans understand the concept. He noted that in the US we think in terms of users, consumers and subscribers. In the EU, individuals and persons are at the center of any notion of privacy.
In the EU, individuals are guaranteed protection of personal data through the Charter of Fundamental Rights, adopted in 2000, but only acquiring the full force of law in 2009 through the Treaty of Lisbon. That language ((Charter of Fundamental Rights of the European Union. Official Journal of the European Communities. 2000/C 364/01. 18 December 2000. http://www.europarl.europa.eu/charter/pdf/text_en.pdf)) reads:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
This strong, explicit data protection basis in EU law does not have clear equivalency in the United States, and that gap has been at the center of the data protection and privacy related friction between these two economic blocs for years. Seen in this context, it’s likely that discussions about the adequacy of the EU-US Privacy shield are not complete. That, of course, adds to the challenge for US companies who want to operate under the terms of the Shield Agreement.
What Should We Do to Prepare?
What should companies do to prepare for the EU’s GPDR May 25, 2018 effective date, and what should companies wishing to operate under the Privacy Shield do if the terms of the Shield may change or be challenged in the courts?
One of the most important points to remember about the GDPR is its expanded scope. Even if your organization is based and processes information outside of the EU, if it holds data relating to the offering of goods or services to EU data subjects or monitors their behavior, your organization will now be directly subject to the new regulation.
There are two years before the GDPR becomes fully effective, but planning should begin now. From a contextual perspective, one good place to start is by reading the Article 29 Working Party’s Opinion on the EU Privacy Shield Draft Adequacy Decision. No matter how the Privacy Shield issues are resolved, the opinion provides great insight into how EU privacy regulators think about topics and where they perceive gaps between what should be required under EU statute and what the US and EU negotiators have agreed to so far. That insight should provide real benefit to entities concerned about managing data privacy going forward, whether the existing Shield language is modified or not.
And firms with operations within the EU should fully understand what’s changed in the GDPR’s language and that’s a lot. Even basic concepts, such as the definition of the word “consent,” have changed. “Consent” now means “a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. ((EU General Data Protection Regulation (GDPR) Chapter 1: General Provisions, Article 4: Definitions (11). 14 April 2016. http://www.eugdpr.org/))” This definition creates a significantly higher standard for establishing permission than the prior directive.
The GDPR has a number of newly defined terms, which will be embedded in EU law. In some cases, these definitions take common concepts and redefine them in ways that incorporate new requirements into working definitions for terms in common use today, but not defined in law (See Table 2).
The single most important piece of advice should be evident – don’t wait to start your GDPR implementation planning process. The magnitude of change, depending upon your specific set of circumstances, may be so great that 24 months will slip by in a blink.
For more than 35 years, Gary Roboff, Senior Advisor, The Santa Fe Group,, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) board of directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its board.