Companies that share data – on both clients and employees – with countries outside the EU will have to wait to see how they will be impacted by new legislation which should be introduced over the next two years.

These companies currently rely on so-called ‘standard contractual clauses’ (SCCs), set up under the European Commission’s Data Protection Directive of 1995, which were considered sufficiently robust to deal with the transfer of data from controller to controller, as well as from controller to processor – such as an EU bank which has a call centre in Asia or an EU company which uses a server in the US. The same clauses also cover data held in the Cloud.

The issue revolves around the EU’s insistence that data should only be shared with approved third countries – which must have their own independent data supervisory authority.


The US, however, did not meet these criteria and the compromise was to establish the ‘Safe Harbour’ agreement of 2000, which worked on a self-certification basis and was criticised in three external EU evaluations. However, in the absence of an alternative, it remained in place until it was challenged by an Austrian, who objected to his data being sent by Facebook in Ireland to servers in the US – a challenge prompted by the 2013 revelations by Edward Snowden.

He argued that these showed that the “US did not offer sufficient protection against surveillance by the public authorities”.

The case was upheld by the European Court of Justice, which found that the legislation “compromised the essence of the fundamental right to respect for private life”, in effect meaning that not only was Safe Harbour invalid but that SCCs and Binding Corporate Rules had to be reviewed. The implications were vast and in the interest of pragmatism, they were allowed to stay in force until a better system was found.


The result of this was the EU-US Privacy Shield agreed in February 2016, which imposes stronger obligations on companies in the US – but an EU Working Party this week asked the Commission for more clarifications.

This is one of the aspects of a new data protection regulation, approved by the European Parliament, which is seen as a real game changer. Online portal ComputerWeekly gushed that it represented “the most significant global development in data protection law since the EU Data Protection Directive, which has struggled to remain relevant in an age of mass information sharing”.

The current uncertainty surrounding data transfer mechanisms may negatively affect local businesses, but many other aspects of the General Data Protection Regulation should be welcomed by them.

“The regulation will streamline a number of issues that vary greatly from member state to member state – so this should be welcomed by businesses which like clarity,” Malta’s Data Commissioner Saviour Cachia said.

One of these issues is the applicable fines across member states: in Malta, the maximum fine for a breach is €23,000, but the UK’s and Germany’s is around €250,000, and Google was recently fined €900,000 in Spain.

The new General Data Protection Regulation imposes much stricter data protection compliance – with severe penalties of up to four per cent of a company’s worldwide turnover.

The regulation was first put forward in 2012, and member states have two years in which to implement it – although as a regulation, it differs from a directive which needs to be transposed to member states’ legislation.

It will also create more consistency between the Data Protection Commissioners in different member states. The regulation establishes that when there is activity across multiple member states, the Data Commissioner in the jurisdiction where the company is headquartered will be recognised as “the lead” authority.

“This is going to be particularly welcome for multinational companies that apply the same company policy across markets,” he explained.

Although the regulation will make policies and fines uniform across member states, there will undoubtedly be instances when national data commissioners may disagree. The regulation therefore envisages a European Data Protection Board whose decisions will be binding.

The impact on companies will be varied, depending on their operation – but the regulation will impose a risk-based approach.


The regulation may also introduce a third category besides personal data and anonymous data: pseudonymous data, which would still be regarded as personal information and therefore would be subject to data protection guarantees.

Pseudonymous data is used, for example, by drug companies as it allows the identification of an individual used in a drug trial – in case follow-up is needed – but without additional information being kept. The pseudonymous data would be kept separate from the identity.

Anonymous data, which does not allow identification of an individual, is excluded from the scope of the regulation.
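The separation the article describes, as an added illustration that is not part of the original piece: trial records carry only a keyed-hash pseudonym, the mapping back to identity lives in a separate table, and discarding that table turns the pseudonymous set into anonymous data. The participant names and the key are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample input: identities of trial participants (hypothetical).
PARTICIPANTS = [
    {"name": "Alice Example", "dob": "1980-04-12"},
    {"name": "Bob Sample", "dob": "1975-09-30"},
]


def make_pseudonym(key: bytes, name: str, dob: str) -> str:
    """Derive a stable pseudonym from identity with an HMAC.
    Without the key, nobody can recompute the pseudonym from a known identity,
    so the trial records alone cannot be linked back to a person."""
    ident = f"{name}|{dob}".encode()
    return hmac.new(key, ident, hashlib.sha256).hexdigest()[:16]


def pseudonymise(participants, key):
    """Split identity from trial data: returns (trial_records, identity_table).
    The two sets must be stored and access-controlled separately."""
    trial_records = []
    identity_table = {}
    for i, p in enumerate(participants):
        pid = make_pseudonym(key, p["name"], p["dob"])
        # Constructed trial data; no direct identifiers are copied in.
        trial_records.append({"pid": pid, "dose_mg": 50 + 25 * i, "outcome": "ok"})
        identity_table[pid] = {"name": p["name"], "dob": p["dob"]}
    return trial_records, identity_table


def reidentify(record, identity_table):
    """Follow-up needs the separately held table; returns None without it."""
    if identity_table is None:
        return None
    return identity_table.get(record["pid"])


def anonymise(trial_records, identity_table):
    """Destroy the mapping; what remains no longer identifies anyone."""
    identity_table.clear()
    return trial_records, None
```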

“Crucially, the regime affecting pseudonymous data is less stringent. For example, profiling based exclusively on the processing of pseudonymous data is presumed not to significantly affect individuals,” US firm Hogan Lovells wrote.

“In addition, member states are likely to be given the option to specify exceptions to the consent requirement with respect to the processing of health data, provided that such data is anonymous or, if anonymisation is not possible, pseudonymous in accordance with the most advanced technical standards.”

Principles
The seven principles of Data Protection:

Notice
Individuals must be informed that their data is being collected and about how it will be used. Organisations must also provide information about how individuals can contact them with any inquiries or complaints.

Choice
Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.

Onward Transfer
Transfers of data to third parties may only occur to other organisations that follow adequate data protection principles.

Security
Reasonable efforts must be made to prevent loss of collected information.

Data Integrity
Data must be relevant and reliable for the purpose it was collected for.

Access
Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.

Enforcement
There must be effective means of enforcing these rules.
