General Data Protection Regulation in the EU

The initiative

The EU published the General Data Protection Regulation (GDPR) in May 2016. This new data protection regulation - (EU) 2016/679 - will take effect on 25 May 2018. “Organisations anywhere in the world that collect or process personal data on EU residents must comply with the new regulation, or they will face significant financial penalties and reputational damage.”[4] Therefore, compliance is founded on the geographical location of the individuals about whom an organisation holds personal data, not the organisation's own domicile of registration.

The GDPR is expected to strengthen online privacy rights and boost Europe's digital economy.[5] Once it takes effect, the regulation will also harmonise data protection laws throughout the EU. Some of the key stages in the timeline for the GDPR's implementation are summarised below:

• January 2012: Release of the proposal for reform of the European data protection rules, including a draft revised Data Protection Regulation.
• October 2013: European Parliament Committee on Civil Liberties, Justice and Home Affairs voted on a compromise text
• December 2015: The EU GDPR was agreed
• April 2016: The GDPR was adopted
• April 2017: The Article 29 Working Party adopted guidelines on data protection officers, one-stop shops, and the right to data portability (which allows individuals to obtain, move and reuse their personal data)[6]
• May 2018: The GDPR will replace Directive 95/46/EC and will be applicable in all member states without the need for implementing national legislation.[7]

The challenge

As data is transforming the world economy, its analysis and regulation have become essential. A 2013 report by Deloitte stated that “the amount of data produced across the globe is estimated to be growing at 40 percent per year and, as far back as 2008, 9.57 zettabytes of data [1 zettabyte = 270 bytes] were processed by enterprise servers across the globe. This is equivalent to 6 gigabytes of data for each person on the planet every single day.”[1]

With digital transactions and information becoming the norm and, to some extent, indispensable, individuals and institutions have become more exposed. “Rapid technological developments have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased dramatically. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally.”[2]

Given this reality, there is a need to build trust in the online environment, so that users feel confident to operate freely, which is essential for economic development. The European Council invited the European Commission to evaluate the functioning of EU instruments on data protection, and to present any necessary legislation - as well as other relevant initiatives - to ensure that the fundamental right to personal data protection was consistently applied in the context of all EU policies.

The Commission concluded that the EU needed "a more comprehensive and coherent policy on the fundamental right to personal data protection [because the existing framework] has not prevented fragmentation in the way personal data protection is implemented across the Union, legal uncertainty, and a widespread public perception that there are significant risks associated with online activity".[3]

The public impact

As this regulation has not yet taken legal effect, the information available to date relates only to its expected impact, and there are different opinions on this - mainly according to whether they come from the private or public sector. “The [European] Commission estimates that the proposed regulation will help to harmonise and simplify regulation for businesses, leading to administrative savings of €2.3 billion for the European economy.”[8]

On the other hand, Deloitte estimated in 2013 that there was evidence of "serious potential economic harm" from the proposed Regulation if it were to be implemented as per its 2013 draft. One of the concerns was that the regulation would prevent the use of data for important activities, with negative consequences for medical and academic research, as well as commercial and academic applications.

Looking mainly into the sectors of direct marketing, online behavioural advertising, web analytics, and credit information, Deloitte's survey found that the regulation could be a big obstacle to businesses' use of some of these services, and businesses could be expected to lose an estimated €66 billion in sales. Similarly, consumer credit could also fall by as much as 19 percent. “The combination of reduced credit availability and sales across the whole economy generated by damage to the other three sectors would have serious economic consequences. [Deloitte's] study estimates that the combined effect from these four sectors alone could reduce GDP by €173 billion (1.34 percent of GDP in the EU-27), leading to a loss of 2.8 million jobs (1.30 percent of jobs in the EU-27).”[9]

Stakeholder engagement

Several events, meetings and consultations were organised from 2009 to 2011 to compile the opinions of different experts and interest groups. "This initiative is the result of extensive consultations with all major stakeholders on a review of the current legal framework for the protection of personal data, which lasted for more than two years and included a high-level conference in May 2009 and two phases of public consultation:

• "From 9 July to 31 December 2009, the consultation on the legal framework for the fundamental right to the protection of personal data. The Commission received 168 responses, 127 from individuals, business organisations and associations and 12 from public authorities.
• "From 4 November 2010 to 15 January 2011, the consultation on the Commission's comprehensive approach on personal data protection in the EU. The Commission received 305 responses, of which 54 from citizens, 31 from public authorities and 220 from private organisations, in particular business associations and NGOs."[10]

Other targeted consultations were conducted with key stakeholders: member state authorities; private sector stakeholders; and privacy, data protection and consumers' organisations. Discussions included issues related to the reform of the EU legal framework and the need for common data protection standards worldwide, and there were dedicated workshops and seminars on specific issues, which were held throughout 2011.[11]

There have been additional rounds of revision: the first reading was adopted by the European Parliament in March 2014, and the European Council agreed on a general approach in June 2015, giving the presidency a negotiating mandate to enter into "trilogues" with the European Parliament. To prepare for these ten trilogues, the regulation was examined "intensively" by experts and by justice and home affairs counsellors. Also, outstanding issues relating to the whole GDPR were analysed by the Permanent Representatives Committee on 19 and 26 November 2015 and on 2 and 9 December 2015.[12]

Political commitment

The high level of engagement from all the EU member states indicated that there is a common interest in carrying out this initiative successfully. There is yet to be longer-term evidence with regard to the governments' or the EU's commitment after full implementation.

In June 2015, the European Council reached a general approach on data protection regulation. From this meeting, several European leaders expressed their support and enthusiasm for the implementation of the GDPR. For example, Latvia's minister for justice said - after the council reached a general approach on the general data protection regulation - "today we have moved a great step closer to modernised and harmonised data protection framework for the EU. I am very content that after more than three years of negotiations we have finally found a compromise on the text. The new data protection regulation, adapted to the needs of the digital age, will strengthen individual rights of our citizens and ensure a high standard of protection." At the same event, Luxembourg justice minister said: "This reform is a package and we have the firm intention to conclude by the end of this year."[13]

Public confidence

Overall, even though the public has become increasingly used to the idea of sharing their information, there is also a stronger push for more control and regulation over the use of their data.

According to research from Citizen's Advice, the public expects Data Protection Agencies (DPAs) to take action when data protection laws are violated and take proactive steps to ensure organisations comply with regulatory requirements. “A common theme appearing in research into the public's views, both Europe-wide and in the UK is one of control. The public are often uncomfortable with providing their personal data to organisations, as they perceive that once it has been given they lose control of it.”[14]

Therefore, although citizens are becoming increasingly accustomed to the idea of sharing their data, they are also demanding more security in the ways it is managed. “Eurobarometer research found that 74 percent of those surveyed see having to disclose personal data as an increasing part of modern life. Research by Sciencewise (a UK government funded programme) concluded that although the public are aware that they need to disclose their personal data as part of their day-to-day life, there is concern about losing control of their that data and the public are keen to have more control over how it is used... The research also found that 85 percent of respondents were concerned about organisations passing or selling their personal details onto other organisations.”[15]

Despite these concerns, similar research has found that convenience often outweighs the perceived risks and, although there is a general feeling of mistrust of the online environment, the public will continue to use online services because they see the potential problems as being a necessary evil.

Clarity of objectives

The objectives of the GDPR are quite broad and difficult to measure, as they focus mainly on the safety and utility of individuals' personal information and protecting those individuals from the abuse of their personal data. The main purposes of the GDPR are, in summary:

• Regulating the collection, retention, use, disclosure and security of personal information
• Setting out procedures for data incident responses and notifications of breaches
• Balancing data utility and personal privacy
• Unifying different approaches to data protection across the globe.[16]

Strength of evidence

The GDPR is based on Directive 95/46/EC and the case law derived from it, the experience of member states in implementing equivalent regulations, and the need to address two decades of technological development. For this reason, there is a transition period in place.

The GDPR has kept some of the principles from 95/46/EC, but has also introduced several changes that will need to be tested. "While the GDPR largely retains the principles and terminology of the 1995 Directive, it also adds some new principles with uncertain consequences, such as a stricter concept of consent, a requirement for data portability, and a ‘right to be forgotten'."[17]

Individual EU member states had already been implementing their own cybersecurity and data protection measures before the GDPR was agreed. This provided them with some experience, and with the infrastructure to manage rising challenges, but their experiences varied from country to country.

In France for example, data privacy has been regulated for the most part by Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (Data Protection Law), and has faced some concerns in the past. “Compliance with the French data protection framework remains of concern for companies, given the penalties imposed by the French data protection authority and reputational risks.”[18]

Germany has enacted rules on cybersecurity in different acts, codes and ordinances, with specific regulations to criminalise hacking, including the production, sale, and distribution of hacking tools. There are also regulations on IT security requirements for providers of specific services (e.g. banking, telecommunications and payments).[19]

Therefore, despite countries having previous experience and knowledge in their own jurisdiction, this unifying regulation still presents new challenges in both the changing digital space and the different perception of various countries in respect of their data privacy. For this reason, the regulation has been implemented slowly, with a transition period to test its performance and gather evidence of its effectiveness: “it will be enforced after a two-year transition, beginning on 25 May 2018, replacing the national laws and regulations based on the venerable 1995 EU Data Protection Directive and reaching companies that target EU consumers from outside the EU".[20]

Feasibility

The structure and financial requirements of the new regulation have been evaluated, and there is expected to be an additional cost burden for the EU and its member states. "The regulation would have an impact on the public authorities both at EU and national level. It would include some additional compliance costs due to the establishment of the online platform for data controllers' notifications, the IT tool for exchanges of information between DPAs, and the programmes for best practice sharing and staff exchange between national supervisory authorities. The extended tasks would lead to an increase of the annual costs of its secretariat from the currently estimated costs of €1.7 million by an approximate minimum of 30 percent, i.e. an additional €0.5 million per year for the EU budget."[21]

The need to promote public awareness of data privacy issues is also expected to be significant. "EU funding would also be needed for awareness-raising activities to encourage the use of Privacy Enhancing Technologies (PETs) and privacy certification schemes. In the period 2009-2010 the funding of projects under the Fundamental Rights programme, covering awareness-raising and other activities amounted to more than €800,000. A 25 percent increase could be envisaged to finance additional awareness-raising projects and activities in the domain of data protection."[22]

A survey by the Cloud Industry Forum, which collected information from 250 decision-makers across the private and public sectors found that there are concerns about preparations for the legislation, especially within the public sector. “One-third (34 percent) of public sector decision-makers are not confident that they will be prepared for the incoming GDPR by the time they are enforced in May 2018... Only 16 percent of private sector organisations said they were completely confident that they fully understood what the GDPR meant for their organisation - but, worryingly, respondents from the public sector were some of the least confident in their understanding of GDPR; just one in ten said that they were completely confident that they understood what it meant for their organisation.”[23]

The negotiations for the UK to leave the EU provide additional uncertainty. “If the UK were to eschew the GDPR completely as a result of the recent referendum, then businesses in the country could be fined up to GBP122 billion in penalties for data breaches as soon as the new regulations come into effect in 2018."[24]

Management

The GDPR organisational structure is relatively complicated, but it establishes clear guidelines for management at both the European and national levels. On the other hand, it imposes more thorough procedures than previous regulations, which are likely to take some time for organisations to adjust to and implement fully.

At the European level, the GDPR will be supervised by the European Data Protection Board, whose role will include issuing opinions and guidance, ensuring consistent application of the GDPR and reporting to the Commission.[25] The Board oversees the Lead Supervising Authority and together they issue guidance for "data processors", "data controllers" (organisations) and "data subjects" (individuals).[26]

From the management perspective, the regulation adds strict guidelines and procedures for data controllers to follow. “The GDPR places onerous accountability obligations on data controllers to demonstrate compliance. This includes requiring them to: (i) maintain certain documentation, (ii) conduct a data protection impact assessment for more risky processing (DPAs may compile lists of what is caught), and (iii) implement data protection by design and by default, e.g. data minimisation."[27]

Given that it contains quite onerous obligations which take time to prepare for, it is expected that the guidelines will have an immediate impact on the way organisations operate, and it is possible that it will take some time for the processes to function smoothly.

Measurement

Alignment

There is little evidence at present on the alignment in implementing this initiative, as it has not yet been fully launched; however, member states support the regulation and strongly believe it to be beneficial for data protection and the data privacy of their citizens.

Collaboration so far among the different actors has been effective, and there is agreement on the principles of the regulation, as well as the need to adjust it to the rapidly changing technological context. "The European Parliament approved by its resolution of 6 July 2011 a report that supported the Commission's approach to reforming the data protection framework... During the consultations on the comprehensive approach, a large majority of stakeholders agreed that the general principles remain valid but that there is a need to adapt the current framework in order to better respond to challenges posed by the rapid development of new technologies (particularly online) and increasing globalisation, while maintaining the technological neutrality of the legal framework."[28]

Several countries have launched independent initiatives to align their existing legislation with the new EU regulation. “The French government has created a task force, led by the Ministry of Justice, to analyse the consequences of the GDPR and to reshape the existing French Data Protection Regulations, according to a report published on 22 February 2017... Germany enacted a law (1) to revise the existing Federal Data Protection Act and (2) to introduce a new national data protection law supplementing the GDPR... The Polish Ministry of Digitisation is working on the adaptation of Polish legislation in line with the provisions of the GDPR. Initially, the Ministry has organised several meetings with various industry associations and bodies to discuss the shape and scope of the required changes in national data protection law."[29]

Bibliography

Data Protection: Council agrees on a general approach: Press Release, 15 June 2015, European Council, and Council of the European Union

Data protection rights: What the public want and what the public want from Data Protection Authorities, 2015, Information Commissioner's Office

Economic impact assessment of the proposed European General Data Protection Regulation - Final Report, 16 September 2013, Deloitte

GDPR Compliance and Its Impact on Security and Data Protection Programs, Osterman Research, January 2017, Actiance

GDPR deadline: One third of public sector decision makers not confident they'll be ready, Sooraj Shah, 12 June 2017, PublicTechnology.net

GDPR: Getting Ready for the New EU General Data Protection Regulation, W. Scott Blackmer, 5 May 2016, InfoLawGroup

GDPR National Legislation Survey, 2017, Baker McKenzie

General Data Protection Regulation, Caroline Budde, 28 April 2017, CorporateCompliance.org

General Data Protection Regulation: Key Articles Overview, Craig Clark, University of East London

Impact Assessment Accompanying the document: Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 25 January 2012, European Commission

IT security law in Germany, Dirk Stolz and Lutz Martin Keppeler, Heuking Kühn Lüer Wojtek, 01 April 2017, Thomson Reuters Practical Law

Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 25 January 2012, European Commission

Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), European Commission, 27 January 2012, Council of the European Union

Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 15 December 2015, Council of the European Union

The impact of the EU General Data Protection Regulation on the financial services industry in relation to customer consent, Natasha Rana, 3 March 2017, Capgemini Consulting

The EU General Data Protection Regulation, 2017, Allen & Overy

The EU General Data Protection Regulation - Timetable, 2017, Allen & Overy

The Privacy, Data Protection and Cybersecurity Law Review: Edition 3 - France, Dominique de Combles de Nayves & Pierre Guillot, November 2016, The Law Reviews

The UK plans to implement the EU's General Data Protection Plan post-Brexit, Anthony Spadafora, 1 November 2016, ITProPortal