The Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, better known as “General Data Protection Regulation” (GDPR) was voted by the EU Parliament on 14 April 2016, in force on 27 April 2016 and will be directly applicable in all Member States from 25 May 2018. The GDPR is not the first European legislation on Data Protection, in reality it replaces and renews the Data Protection Directive 95/46/EC. Its goal is to further harmonise data privacy laws across Europe, by gathering the most highly respected standards or principles around the world and applying them to protect EU citizens’ data privacy.
The special element of GDPR is its extraterritorial scope. Since May 2018, the GDPR has been effective in all 28 Member States of the European Union and applicable to all legal entities who:
Hence, this means that the GDPR may apply also to organisations that do not have an establishment in the European Union.
Non-compliance with the GDPR can result in heavy fines; such as in cases of infringements of basic principles for processing personal data, fines of 20 million EUR or 4% of worldwide annual turnover (whichever is higher).
In the GDPR, there are constant references that eventually create a full compliance framework that must be created by organisations, depending on their activities and type of provision of services. The principle of accountability demands organisations not only to be compliant with the GDPR, but also to be able to demonstrate it. This principle requires organisations to document and record all their efforts to comply with data protection legislation.
This is a concept that has not changed from Directive 95/46 but it has been further emphasized throughout the whole GDPR. The principle of transparency obliges organisations to be transparent about the purposes for which they process personal data, the means with which they collect this data, the period of storage of this data, and the recipients of this data. On top of this, when consent is the legal basis for processing, everything just mentioned must be communicated clearly and unambiguously to the data subjects and organisations must have proof of when this consent was received, when this consent was received pursuant to the principle of accountability mentioned above. Hence, in order to be able to follow through with the principle of transparency, a company must have great visibility of their data flows, and be able to show this to the outside world (both to customers, suppleirs, and if needed to Supervisory Authorities).
It is important to note that the GDPR leaves some leeway for the European Member States (hereinafter referred to as Member States) in specific areas, to establish further guarantees for their national legislation. This inevitably creates a more complex harmonization process where the controllers and processors also have to check their accountability with reference to the EU and to the national legislation. As expected by legal professionals, the national implementations of the GDPR will further help in defining the specifications of all derogations that the GDPR allows for. At the same time, these local derogations demand a lot of caution from smaller enterprises that may be established, offering goods or services, or monitoring behaviour of data subjects in more than one European Member State; since they do not only need to comply with the GDPR but also with each applicable national law. As a consequence, companies could be in a position where resources are limited, and the legislation has quickly evolved so as to make data protection a serious duty for any company that stores or processes personal data, even occasionally.
On the other hand, national data protection authorities have been more active in providing organizations with guidance on how to cope with the requirements and obligations that have arisen from both the EU and national laws. The data protection authorities and the European Data Protection Board help transform the legal complex documents into more comprehensive and practical tools.
Cyberwatching.eu will help raise awareness of national legislations that can differentiate from the harmonized law by providing recommendations to SMEs which specifically mention where a derogation of a Member State is possible or not. However, even though the GDPR provided an updated legal framework to protect personal data, the challenge comes up when one considers what the practical implementation of this framework is. The GDPR allows for approved certification mechanisms as a way to demonstrate the compliance with the data protection rules; however, until such certification mechanisms get approved according to the GDPR, the data protection matters still cannot be easily integrated with the cyber security solutions available in the market. This means that currently there seems to be a gap between the legislation and its application when it comes to techniques of ensuring and demonstrating compliance through certifications. Furthermore, there seems to be a gap in applying the GDPR in more complex processing operations that may be involved in, for example, Internet of Things and Artificial Intelligence.
To complicate matters further, the reach of the GDPR extends outside the borders of the European Union. It is fundamental to mention that the amount and complexity of international legislation on data protection can vary enormously – any country may have new, old or no laws relating to this field. In consideration of the possible disparity that may exist internationally, the GDPR has created a requirement where in order for transfers of personal data to take place outside the European Union, there must be appropriate safeguards for the protection of personal data. One of the possible ways to assess an adequate level of protection in a country outside the EU is to check whether there has been an adequacy decision published by the European Commission, which will allow controllers and processors to transfer legally.
Furthermore, another crucial element that enlarges the impact of the GDPR on an international level is its extraterritorial scope. More precisely, the GDPR is applicable to all legal entities who:
Hence, this means that the GDPR applies also to organizations that do not have an establishment in the European Union. This international scope has generated further challenges, such as, when it comes to jurisdictional matters regarding online services of technological companies violating the applicable law. An example of this uncertainty is the 50 million euros administrative fine issued by the French Data Protection Authority to Google, which used the reasoning that since at the moment of investigation Google Ireland Limited was not the controller of Google’s processing activities, it allows for the Commission Nationale de l’Informatique et des Libertés (CNIL) to also issue a fine instead of having a scenario where the Irish Data Protection Authority is considered to be the “lead supervisory authority".