Data Protection Roundup – The Move Towards Stronger Personal Data Rights
by Nick Humphreys & Alex Brooks
Since the mid-1990s, data protection rights have formed a key part of the privacy rights relating to, amongst others, employees. As a result of a radical European overhaul of data protection legislation by EU Regulation (EU) 2016/679 (the General Data Protection Regulation (GDPR)), there will be some profound changes which will be implemented by 25 May 2018. Some of the key changes are as follows:
First, the changes are being introduced by way of an EU Regulation, which applies directly in national law in the form of the Regulation itself, rather than by way of a Directive. The previous regime, the EU Data Protection Directive 95/46/EC, was a Directive, and it was in response to it that the Data Protection Act 1998 (DPA) was created; a Directive allows each EU Member State to implement it in the way it sees fit. Because a Regulation leaves no such room, there will be a greater degree of harmonisation across EU Member States for businesses in relation to the way in which data protection principles operate.
Second, the territorial scope of data protection legislation will now extend beyond the EU to non-EU businesses that were not previously subject to the EU Data Protection Directive. Non-EU based data controllers and/or data processors will be subject to the GDPR if they either offer goods or services to data subjects in the EU (irrespective of whether payment is received) or monitor data subjects’ behaviour insofar as that behaviour takes place within the EU.
Third, the penalties for failing to comply with obligations under the GDPR are to be substantially increased. Because the EU Data Protection Directive allows Member States to set their own penalties, fines under national law vary (in the UK, for example, the maximum fine is £500,000). Under the GDPR, fines for data controllers and data processors will increase substantially on a two-tier basis, as follows:
- in relation to violations relating to internal record keeping, data processor contracts, data security and breach notification, up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater); and
- in relation to violations relating to breaches of the data protection principles, conditions for consent, data subjects’ rights and/or international data transfers, up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater).
Fourth, the GDPR requires a freely given, specific, informed and unambiguous indication of an individual’s agreement to their personal data being processed, with data controllers having the burden of proof in showing that consent was validly obtained for each of the purposes for which it is processed by the data controller. The data subject will have the right to withdraw any consent which has been given at any time. Further, it will not be possible to make the execution of a contract or the provision of a service conditional on consent to processing or use of data that is not necessary for the execution of the contract or the provision of the service. In other words, such conditionality is only allowed to the extent necessary to perform the contract or provide the service.
Fifth, the requirement for prompt notification in relation to data breaches to the relevant regulator (the Information Commissioner’s Office in the UK) is enhanced. This must be done without undue delay and, where feasible, within 72 hours of awareness of the breach. The data controller must also notify the affected data subjects without undue delay.
A further change has arisen as regards data subject access requests (DSARs) submitted by data subjects pursuant to s.7 of the DPA, which employee data subjects commonly use as a form of pre-action disclosure in English litigation. Following a series of cases in which the courts looked at the purpose for which personal data was being requested pursuant to a DSAR, the Court of Appeal has held in Dawson-Damer v Taylor Wessing LLP (EWCA Civ 74) that a data controller may not look at the purpose for which a DSAR is submitted in deciding whether to comply with it.
Accordingly, unless a data controller can show that the scope of the subject access request is disproportionate (and the Court of Appeal in Dawson-Damer held this would require the data controller to show more than simply that there is a high volume of documents that might be produced from a DSAR), all DSARs will have to be complied with.
The data protection regime will be very much strengthened as a result of these changes and data protection compliance will need to be placed high on the agenda for 2018 as a result.