The challenges of the GDPR
Every day, over 250 million European citizens use the Internet. While online, users share large amounts of personal data, such as their first and last name, home address, ID card number, credit/debit card number and health information. In particular, 52% of Italians say they do so to access a generic service, while 25%, the highest percentage in the EU, do so to get a service adapted to their needs and 14% to receive targeted offers (poll of the European Commission dated 24 May 2018, on the eve of “GDPR Day”). The European Commission underlined that 8 out of 10 Italians believe they do not have complete control over their personal data, while 6 out of 10 say they do not trust companies that operate online. Scandals like Cambridge Analytica brought the privacy matter even more under the spotlight. From now on users/citizens will benefit from new and greater rights (e.g. the right to oblivion): if individuals realize that their personal information is being used incorrectly, they can contact the DPO and exercise those rights.
On the business front, on the one hand, for many large organizations that have long been aware of the value that personal data have in the digital economy, a complex process of general adjustment to the Regulation ended last May 25th – even if further measures to be adopted will be specified in the pending decree of harmonization – while, on the other hand, many public entities have still not appointed a DPO and many private companies are still far from full compliance.
This article looks at the new EU Regulation known as the General Data Protection Regulation, which aims to address the challenges that this new online reality creates for regulators, citizens and businesses alike.
25 May 2018, the “Christmas” of Privacy (or the “Privacy Day”)
On 25 May 2018 EU Regulation 2016/679 (General Data Protection Regulation – the famous “GDPR”) on the protection of individuals with regard to the processing of personal data entered into force. This law replaces the old Directive 95/46/EC and is now both in force and binding in all EU countries. Therefore, 25 May 2018 represents, in a sense, the “Christmas” of Privacy. This date marks, in fact, the crucial moment, on the one hand, for a conscious and safer use of data (real information assets) and, on the other hand, for the consolidation and future development of the Single Digital Market of the European Union. This article will provide a general and critical overview of the regulatory framework outlined by the GDPR, focusing on the main obligations for both data controllers and processors, either public or private, in order to ensure adequate compliance with the new European rules.
It is important to bear in mind that, in order to clarify some aspects of the new legislation and to help companies prepare for the GDPR, the Article 29 Data Protection Working Party (a body composed of the representatives of the national Authorities of the 28 EU Member States) has issued a series of Guidelines (e.g. on the DPO, the One-Stop-Shop, Transparency, etc.). The Italian Data Protection Authority, led by Antonello Soro, did the same by releasing FAQs on the DPO, in both the public and private sector, and useful indications for achieving the GDPR-compliance objective.
The Regulation applies to controllers and processors who, whether from within or outside the borders of the European Union, (i) process data within their own establishment located in the territory of the Union, or (ii) offer goods or services – even free of charge – to data subjects within the EU, or monitor their behaviour. The application of European data protection standards to a third-country entity vis-à-vis residents of the European Union can be described as a real territorial extension of the applicability of the law. This requirement of compliance with the data protection criteria can be likened to compliance with certain product requirements (for example, safety standards) imposed on non-European imports. What emerges is a sort of “sticky regulation”, with a territorial extension of European data protection law.
A data controller operating in different Member States will be subject to the jurisdiction of a single Data Protection Authority, depending on where its main establishment is located. This Authority will act as a “One-Stop Shop” in order to supervise all the processing activities that could have an impact on consumers within the EU borders. However, a complex triangulation is expected to develop between the national Authorities of the States in which the controller operates: the Guidelines of the Article 29 Working Party have sought to set out the criteria for identifying the single lead Supervisory Authority. Finally, the possibility of falling within the competence of the European Data Protection Supervisor, as a second step, is also provided for.
Among the various innovations, the GDPR introduced the figure of the Data Protection Officer (DPO). The appointment of this figure is mandatory for: public administrations; data controllers or data processors whose activities require regular and systematic monitoring of data subjects on a large scale; and controllers and processors who process, on a large scale, special categories of data or personal data relating to criminal convictions and offences.
The DPO will: monitor correct compliance with the GDPR; perform the risk analysis; make sure that the protection and security systems are adequate and up to date; guarantee the application of privacy measures by design and by default; cooperate with the Data Protection Authority and act as its contact point; and keep records of the processing activities carried out under their own responsibility.
The GDPR provides the possibility of entrusting the DPO role either to a company employee or to an external party by means of a service contract. The Guidelines of the Article 29 Working Party made it clear that, in principle, the DPO should be based in the European Union and should report directly to the highest levels of corporate management.
The fundamental principles of privacy by design and privacy by default, together with the principle of accountability, are enshrined in the GDPR: whenever a new technology, product or service is developed, all the necessary measures have to be taken to ensure full compliance with the data protection obligations set out in the Regulation. Data controllers, therefore, are required to develop only technologies that, from the very beginning of their design (by design) and in their default settings (by default), give adequate effect to the principles of data protection, including the minimization, necessity and proportionality of the processing.
The Data Privacy Impact Assessment (DPIA) introduces the obligation to carry out, especially where new technologies are used, a preventive assessment of the impacts that may derive from processing that presents a high risk to the rights and freedoms of the subjects concerned. According to the Article 29 Working Party, the DPIA is a process to build and to demonstrate compliance. The GDPR identifies some non-exhaustive cases in which the DPIA is mandatory ex lege.
The Data Controller must put in place technical and organizational measures that guarantee an adequate level of security with respect to the risks that may arise from the data processing. Moreover, in case of a breach (for example: destruction, loss, unauthorized modification or disclosure of, or illegal access to, data), the data controller will have the obligation, within a predetermined time limit – i.e. a maximum of 72 hours, unless the delay is appropriately justified – to notify the data breach in detail to the competent national Authority and, in some cases, to the data subject. Notification may be avoided where the breach does not pose a high risk to the rights and freedoms of individuals.
The Regulation introduces a wide range of administrative sanctions. The main novelty, however, is the duration, amount and severity of some of these penalties, which may be imposed: (i) up to a maximum of EUR 10 million or, alternatively, up to 2% of annual global turnover, under certain circumstances, or (ii) up to a maximum of EUR 20 million or up to 4% of the Group’s annual global turnover, in the most serious cases. The possible application of criminal sanctions is left to the discretion of each Member State. In this regard, it should be noted that in Italy the European Delegation Law gave the Government a mandate to issue a legislative decree adapting the national legislation to the new EU Regulation framework. The Decree, which has introduced criminal sanctions in addition to the administrative ones, is expected to be approved by the Italian Parliament by August 21st and then adopted by the Government.
The European Data Protection Supervisor, Giovanni Buttarelli, stated that illicit filing, undue profiling, hidden monitoring and the subtle processing of data on online political platforms are important problems, and that further observations are expected from the Italian Data Protection Authority. It seems, therefore, that the implications of data and their protection extend even into the political arena. In its latest FAQs, the Italian Data Protection Authority explained that political parties also have to appoint a DPO. The next European elections in 2019 are likely to be characterized by a stronger awareness of how data are processed and for which purposes.
As a matter of fact, Privacy has just moved from the role of ‘Cinderella’ of the Law to the frontier and centre of gravity of the Law applied to New Technologies, given the enormous commercial developments linked to Big Data. An informed, aware and organized use of data can represent a source of development, an opportunity for new businesses and a chance to implement technological progress even in sectors not yet fully explored.