General Data Protection Regulation

Authors: David Borg-Carbott, Philip Mifsud
Published on September 22, 2017

The European Parliament and the Council of the European Union reached an agreement in 2015 on the main principles behind the General Data Protection Regulation 2016/679 (hereinafter referred to as the “Regulation” or “GDPR”). This Regulation, which will come into effect on 25th May 2018, was proposed in order to address the difficulties and deficiencies arising under the 95/46/EC Directive.

The principal aims of the GDPR are to: (i) harmonise the data privacy laws of EU Member States; (ii) facilitate the free flow of data in the digital single market; (iii) protect all citizens from data and privacy breaches; (iv) remove the bureaucratic inconsistencies that organisations face with respect to data protection laws in different States; and (v) provide further transparency and accountability on the part of data controllers and possessors of data.

This is becoming increasingly relevant in a world where technological change and globalisation are becoming more prominent in every sector, and people more reliant on technology to address basic requirements. In fact, the GDPR will empower EU citizens and protect them from invasive processing of data and privacy breaches. In essence, the GDPR will seek to ensure that every person’s fundamental right to the protection of any personal data concerning him or her (as stated in Article 8, sub-article 1 of the Charter of Fundamental Rights of the European Union) is respected. The GDPR also increases the rights of individuals whose data is being processed. Compliance with the rules and the monitoring powers for the protection of personal data are ensured through the strengthening of the powers of authorities and increased sanctions.

This article will form part of a series of articles that will analyse the key points of the GDPR.
This first article focuses on Chapter 1 of the GDPR, titled ‘General Provisions’. The Regulation will apply:

– to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not; and
– to all companies processing the data of individuals residing in the EU, even though the companies’ location may not be in the EU.

This means that a company outside the EU targeting consumers in Member States will now be subject to the Regulation. This is one of the crucial departures from the Directive, as the GDPR now has extraterritorial scope and applies where a data controller (e.g. a company processing personal data) located outside the EU offers goods or services to Member States’ citizens, even if for free. What constitutes an offering of goods or services is to be determined on a case-by-case basis, but a service provider located outside the EU that offers a service in the language used in a Member State (if that language is not also used in the third country), and that mentions customers or users in a Member State, may be subject to the GDPR.

Additionally, the Regulation also applies where controllers and processors located outside the EU monitor the behaviour of EU data subjects. This is also to be determined on a case-by-case basis, but instances which may apply include those where the choices and behaviour of individuals resident in the EU are tracked in order to predict their personal preferences through the formation of personal profiles. To address the applicability of this extraterritorial principle, the GDPR provides that entities processing the data of EU citizens, even though not established in the EU, must appoint a representative within the EU.

Most of the key definitions of the Directive have remained the same in the Regulation. For instance, the main characteristics of controllers and processors have remained unchanged and only some minor modifications can be noted.
The following is a commentary on some key differences in the main definitions as listed in Article 4 of the GDPR.

“Personal Data”:
– The definition of what constitutes “personal data” is very important, since the Regulation only protects what falls under this definition; thus, whatever is not considered to be “personal data” is not protected by the GDPR.
– The definition has been widened to include location data, online identifiers and genetic data. For example, certain types of cookies and IP addresses become personal data under the GDPR if they can be (or are capable of being) linked back to the data subject without having to exercise any excessive amount of effort.

“Pseudonymous data”:
– Pseudonymous data was not specifically dealt with in the Directive, as it was treated as personal data. The Regulation, even though it still treats such data as personal due to its identifiable nature, deals with the process through which such data is pseudonymised.

“Consent”:
The Regulation has added stricter requirements for consent to be valid; hence, the methods used by data collectors and processors under the Directive need to be reviewed in order to be in harmony with the new requirements set out in the Regulation. Existing consents may still be valid, provided they meet the new conditions imposed by the GDPR. The consent of the data subject needs to be:
– Freely given;
– Specific: consent cannot be general so as to cover all possible types of processing activities;
– Unambiguous and easily legible, thus making sure that the data subject is aware of the reasons why their consent is being given;
– Explicit: consent needs to be shown by some sort of explicit affirmative action, for example through:
– A written statement;
– An oral statement;
– Electronic means.

The Data Controller needs to be able to show that consent was given.
For this reason, silence or inactivity cannot amount to the consent of the data subject, whereas previously, under the Data Protection Directive, consent could be inferred.

“Data Breach”:
The term “data breach” is only referred to in the Directive through an obligation placed on the controller to protect personal data against any sort of unauthorised access or disclosure. The Regulation, on the other hand, provides a specific definition. The Regulation also has specific provisions relating to data breaches, which will be covered in a later article.

“Data Concerning Health”:
As with “data breaches”, “data concerning health” does not have a specific definition in the Directive. In the new definition set out in the Regulation, both mental health and physical health are expressly covered.

“Main Establishment”:
Under the GDPR a new definition of “main establishment” has been added to provide a regulatory point of contact for a company or group of companies operating in more than one Member State of the EU. A company will now need to have a lead supervisory authority for data compliance across the EU.

“Cross-Border Processing”:
The Regulation has introduced a new definition which states that “cross-border processing” can be either:
– processing of personal data which occurs in more than one Member State, where the controller or processor is established in more than one Member State; or
– processing of personal data which occurs in a single establishment of the controller or processor but which affects or is likely to affect data subjects in more than one Member State.

As a final point, it is important to note that all organisations will be affected by the new Regulation in some way or another. Therefore, they need to bring their data processing mechanisms in line with the new requirements by reviewing their current systems and determining whether any improvements are required.
This article was first published in The Times of Malta, 21 September 2017. The authors would like to thank Ms Maronia Magri (intern at GANADO Advocates) for her research and assistance in the preparation of this article.