It is not going to far to say that the tensions between data use and data protection constitute one of the defining features of our times and the relationship between the two poses normative, conceptual and pragmatic issues for the European Union (EU).

Within Europe, the individual’s right to privacy is firmly embedded in the European Convention on Human Rights and Fundamental Freedoms of 1950. The Council of Europe reaffirmed this right when it adopted Convention 108 for the protection of individuals with regard to the automatic processing of personal data. Furthermore, the EU established clear basic principles for the collection, storage and use of personal data by governments, businesses and other organizations or individuals in Directive 95/46/EC (“Directive”). In addition, since the Lisbon Treaty, the point of reference for the principles at the core of data protection is the Article 8 of the Charter of Fundamental Rights.

However, it is salutary to recall that when the Directive was enacted, in 1995, only 1% of the EU population was using the Internet and Google had yet to be launched. Nowadays, the quantity of personal data processed each year increases and it is easier to produce, edit, disseminate and store data, and all this at a decreasing cost. More personal data is currently being processed than at any other time in history. This shifted landscape poses new challenges for data protection. Accordingly, in 2012 the European Commission proposed a new “Data Protection package” which includes a Regulation - the General Data Protection Regulation (GDPR) - to replace the Directive. In short, this new package, based on Article 16 of the Treaty on the Functioning of the European Union (TFUE), seeks to give citizens back control over their personal data and to simplify the regulatory environment for business.

Given its nature, the GDPR will be directly applicable in all Member States without the need for implementing national legislation. It will not apply until May 2018. However, as it contains some onerous obligations, many of which will take time to prepare for, it will have an immediate impact. Although the GDPR follows the avenue already taken with Directive, it also introduces new elements and a high degree of uncertainty. What are these new elements?

 1. Strengthening of individuals' rights

The GDPR serves the purpose of strengthening the existing rights and empowering individuals with more control over their personal data. In particular, these include:

1.1 easier access to personal data and more information on how data is processed (cf. 8);

1.2 a right to data portability: it will be easier to transfer personal data between service providers;

1.3 a clarified “right to be forgotten”;

1.4 processing of personal data of a child: introduction of conditions for the lawfulness of the processing of personal data of children;

1.5 the right to know when your data has been hacked: for example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures (cf. 9);

 2. Data processors (not only the controller) will be held responsible for data protection

Under the GDPR data processors have direct obligations for the first time. So, anyone who touches or has access to personal data, wherever they are based, is responsible in the case of a data breach.

3. Data Protection Officers

In certain circumstances data controllers and processors must designate a Data Protection Officer as part of their accountability programme. The threshold is (i) processing is carried out by a public authority, (ii) the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, or (iii) the core activities consist of processing on a large scale of special categories of data.

4. The Regulation has expanded territorial reach

The GDPR implicates data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behaviour (within the EU) of, EU data subjects. Many will need to appoint a representative in the EU.

5. One-Stop-Shop

Businesses will only have to deal with one single supervisory authority. This is estimated to save €2.3 billion per year.

 6. Accountability and privacy by design

The GDPR places onerous accountability obligations on data controllers to demonstrate compliance. This includes requiring them to: (i) maintain certain documentation, (ii) conduct a data protection impact assessment for riskier processing (DPAs should compile lists of what is caught), and (iii) implement data protection by design and by default

7. Consent

A data subject’s consent to processing of their personal data must be as easy to withdraw as to give. Consent must be “explicit” for sensitive data. The data controller is required to be able to demonstrate that consent was given.

8. Fair processing notices

Data controllers must continue to provide transparent information to data subjects. This must be done at the time the personal data is obtained. Comparing with the Directive the information to be provided is more comprehensive and must inform the data subject of certain of their rights (such as the ability to withdraw consent) and the period for which the data will be stored.

 9. Data breach notification

Data controllers must notify most data breaches to the DPA. This must be done without undue delay and, where feasible, within 72 hours of awareness. In some cases, the data controller must also notify the affected data subjects.

 10. Non compliance

Companies should begin preparing themselves to comply with the new requirements under the GDPR, as the consequences arising from non-compliance may result in fines of up to €20 million or 4% of the company’s annual global turnover.

 Posted by Graça Canto Moniz, Faculdade de Direito - Universidade Nova de Lisboa