
EU General Data Protection Regulation


What is the General Data Protection Regulation (GDPR)?


GDPR is an EU regulation adopted on 14 April 2016, after an adoption process of over four years (the European Commission released the proposal for the GDPR on 25 January 2012). Its aim is to unify data protection within the EU and to strengthen the legal protection of individuals against unlawful processing of their personal data. The GDPR is going to replace the Personal Data Directive. It will come into force on 25 May 2018.



What is a regulation?


A regulation is a legal act of the European Union. Unlike directives (which require transposition into Member States’ internal laws), regulations are of direct effect and they apply in a uniform manner in all EU Member States. GDPR will therefore, at least to a large extent, replace not only the Personal Data Directive, but also the national laws on data protection. Full unification, however, will not be achieved, as the GDPR leaves some aspects to the discretion of the Member States (for example, concerning derogations from certain rights of the data subjects whose data are processed for research purposes -- see below).



So, what is going to change?


In a nutshell: not that much. Indeed, the GDPR is not intended to be a revolution, but an evolutionary step forward. The general framework will remain largely unchanged, and the additions will mostly come from well-established opinions of the WP29. The following changes should be mentioned here:

  • the territorial scope of the EU data protection rules will be widened. Unlike the Directive, the Regulation will apply to all companies offering services to data subjects in the EU, or monitoring their behaviour (art. 3 of the Regulation), even if they are established outside the EU. This mechanism has been designed to ‘capture’ US companies such as Facebook or Google, who have often managed to dodge EU data protection rules by claiming that they do not carry out any personal data processing on the territory of the EU.
  • on the same note, the fines for breach of data protection rules will now be revenue-based (up to 4% of annual worldwide turnover). This is intended to have a dissuasive effect, particularly on large US-based companies (such as those mentioned above).
  • genetic data and biometric data have been included in the list of special categories of data (sensitive data - see above about special categories of data in the Personal Data Directive).
  • pseudonymisation has been officially included as one of the safeguards for the rights and freedoms of data subjects. Article 4(5) defines pseudonymisation as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to a natural person’. Pseudonymisation is *not* equivalent to anonymisation, but may in some special cases (including processing for research purposes) be a sufficient safeguard to allow for processing of data without the data subject’s consent.
  • data processors (i.e. entities who process data *on behalf* of the data controller) will have to comply with a number of obligations (art. 28, 30, 31, 32, 37…), which is not the case under the Directive (which is focused on data controllers). The obligations of data processors will therefore be cumulative with those of data controllers, creating an additional layer of protection for data subjects’ interests.
  • a new principle of accountability has been introduced (art. 5(2)); according to this principle, data controllers shall be responsible for, and able to demonstrate, compliance with the rules governing the processing of personal data. In order to do so, data controllers shall conduct a risk assessment (art. 35), implement data protection measures (both organisational and technical) “by design and by default” (art. 35) and keep detailed records of processing operations (art. 30). This will place a significant burden (including the burden of proof) on data controllers.
  • data subject’s consent will be governed by stricter rules. Apart from being (as per the Directive) freely given, specific and informed, consent will now also have to be “unambiguous” (art. 4(11)); furthermore, according to Recital 32, if consent is requested by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided; if consent is given in the context of a written declaration which also concerns other matters (e.g. in terms of service), the request for consent shall be clearly distinguishable from these other matters (art. 7(2));
  • the Regulation contains a detailed list of elements to be taken into account while assessing compatibility of purposes if the controller wants to process data for a new, compatible purpose (as processing data for a new purpose does not require new consent if the new purpose is compatible with the original one -- see above about purpose extension); pseudonymisation may be taken into account here;
  • data controllers will be required to notify any personal data breach to the supervisory authority ‘without undue delay, and where feasible, not later than 72 hours after having become aware of it’ (art. 33);
  • the existing rights of data subjects (see above) will generally be reinforced (defined in more detail and accompanied by provisions which make it easier to claim damages); a new right to data portability will be added, according to which in most cases the data subject shall have the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and to transmit those data to another controller (art. 20);
  • more organisations will have to appoint Data Protection Officers (see art. 37-39).


Processing of data for research purposes will be governed by art. 89 of the GDPR. It says that:

  • when such processing is carried out, organisational and technical measures should be in place in order to ensure that appropriate safeguards have been implemented to protect the interests of data subjects, and in particular to ensure that the data minimisation principle (according to which processing shall be limited to the data that are necessary) is respected;
  • pseudonymisation and anonymisation should be implemented whenever the purposes can be fulfilled in that manner;
  • EU or Member State laws may -- if necessary -- allow some rights of the data subject to be limited. No such specific laws exist at the moment, and the future of existing national provisions on data processing for research purposes is uncertain.
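The Article 4(5) definition of pseudonymisation quoted above, and the art. 89 safeguard that pseudonymisation be applied whenever the research purpose allows, can be made concrete with the following added example (illustration written for this page, not code from any regulator or project). It assumes a keyed HMAC pseudonym and a constructed set of sample records; the point it shows is that the research dataset alone cannot be attributed to a person, that re-attribution needs the separately held linkage table and key, and that this is therefore not anonymisation.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people); the field names are assumed.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org", "diagnosis": "migraine"},
]


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed (HMAC-SHA256) pseudonym, truncated to 16 hex characters.

    Without the key the pseudonym cannot be linked back to the identifier,
    even for guessable inputs such as e-mail addresses. A plain unkeyed hash
    would not be a sufficient safeguard: anyone could recompute it from a
    list of candidate e-mails and re-identify the record.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split records into (research_dataset, linkage_table).

    The research dataset keeps only the pseudonym and the attributes the
    purpose needs (data minimisation, art. 89). The linkage table is the
    'additional information' of Article 4(5): it must be kept separately
    from the dataset, under its own technical and organisational measures,
    together with the key.
    """
    research, linkage = [], {}
    for rec in records:
        pid = make_pseudonym(rec["email"], key)
        research.append({"pid": pid, "diagnosis": rec["diagnosis"]})
        linkage[pid] = {"name": rec["name"], "email": rec["email"]}
    return research, linkage


def reidentify(pid, linkage):
    """Re-attribution works only for whoever holds the linkage table.

    Because it is reversible in this way, pseudonymised data remain personal
    data; only anonymised data would fall outside the Regulation.
    """
    return linkage.get(pid)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the controller, apart from the dataset
    research, linkage = pseudonymise(RECORDS, key)
    print(research)  # no names or e-mails, only pseudonyms and diagnoses
```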

Moreover, recital 33 concerns consent for data processing for research purposes. It says that ‘It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose’.

Arguably, the purpose extension principle has gained some flexibility under the GDPR, which allows research purposes to fall more easily into that category. That would mean that it will become easier to process, for research purposes, data originally collected for a different purpose. How this will work in practice, however -- just like many other changes under the GDPR -- remains to be seen.