On 4 May 2016, the final text of the privacy regulation was published in the Official Journal of the European Union. Article 99 of the regulation determines that it comes into force on 25 May 2018. This means that in two years' time an extensive set of rules must be complied with. Are you ready?
Principles mostly the same
There have been substantial negotiations on the privacy regulation and every phrase has been carefully weighed, so something can be said about every single word. Viewed in broad lines and from a distance, however, many of the principles which currently apply to personal data processing (transparency, purpose limitation, security, etc.) will remain roughly unchanged. So this is not where the greatest changes can be found (although interesting blogs can be written about the nuances).
The regulation does however provide more specific details on how a certain principle must be understood and which exceptions/additions apply. This includes the detailed rules on transparency (article 13/14), the detailed right to access (article 15) and the detailed right “to be forgotten” (article 17, which is strongly anchored in the scope of the old right to object). The exceptions / limitations are worked out in far greater detail (article 23).
In addition, it is noticeable that the requirements put on the processors are extensively specified, as well as the requirements put on a processor’s agreement (article 28). Here the regulation also clearly departs from the current directive, on which I recently blogged.
Importance of compliance
The regulation also strongly departs from the directive in the field of compliance. It is going to be important that organisations not only handle personal data processing correctly, but also that they are able to demonstrate this. In the future, privacy must become part of an organisation’s genetic make-up. This is reflected in several places:
- the controller must not only adhere to the general principles, it must also demonstrate them (I suspect that this refers to their compliance) (article 5(2));
- the controller must take measures to ensure that the data subject actually receives the information relating to processing (article 12(1));
- the controller must take measures to ensure that the data subject is informed of his rights (article 12(2), this will probably go beyond the mere drafting of a privacy statement);
- the controller must take measures to ensure that systems are organised in a privacy-friendly way (article 25(1));
- the controller must take measures which ensure that in practice no more data is processed than is necessary (article 25(2));
- the controller must maintain a processing activities record (article 30);
- the controller must not only take security measures but also guarantee their adequacy, with regular tests for example (article 32(1));
- for certain types of processing, a data protection impact assessment must be carried out (article 35);
- and a data protection officer is compulsory for specific companies and institutions (article 37).
More room for market initiative
It is also noticeable that the regulation offers plenty of room for initiatives from the market/sectors. Codes of conduct (article 40) and certifications (article 42) can be drafted which, if approved, can be used to (help to) demonstrate that many of the new obligations are being met.
By way of illustration, signing up to codes of conduct/certification mechanisms helps to demonstrate that:
- the processor complies with the statutory requirements (article 28(5));
- the security obligation has been met (article 32(3)); and
- last but not least, the controller in general complies with its obligations (article 24(3)).
Please also note that when determining the level of administrative fines the authorities must take into account whether the infringer had signed up to an approved code of conduct/certification mechanism (article 83(2)(j)).
All in all, it can therefore be rather beneficial for parties to seek affiliation with an approved code of conduct/certification mechanism. It constitutes a basis for proof (or perhaps even supposition) that the rules are being observed. It also provides additional support in any discussions with supervisory authorities.
Lowered threshold for consumer
It is also interesting to note that in several places the consumer is further protected. For instance, the consumer can always contact his own local supervisory authority. Article 56(2) determines that a supervisory authority has a (cross-border) power if a complaint only affects the interests of consumers in its own Member State. It will also become easier for consumers to complain, as all supervisory authorities must place a complaint form online (article 57(2)). Complaining will always be free of charge for the consumer (article 57(3)).
In addition, article 82(4) determines that where there are several controllers or processors involved in the same processing they are jointly and severally liable for the entire damage towards the consumer. In other words: the consumer must first be compensated for his damage and the business partners must then (internally) sort out how the cost of the claim will be divided.
The question is whether this regime also applies in the situation where one controller engages one processor. Linguistically, such a situation could fall under the article (one controller and one processor are after all two and therefore “several” parties). Also in view of the rationale behind consumer protection it seems logical to assume that this joint and several liability is already in existence in a simple processing relationship. This interpretation is however somewhat at odds with that stated in paragraph 2 on the limited liability of processors. This will undoubtedly result in a request for a preliminary ruling.
Under the regulation, the consumer also has rights which we partly already know from current privacy law:
- right to access (article 15, strongly resembles the existing right to inspection, albeit that there is now an express right to electronic data provision);
- right to rectification (article 16, strongly resembles the current right to correction);
- right to “be forgotten” (article 17, strongly resembles the right to object and right of correction, in particular in view of interpretation of the European Court of Justice in the Google-issue);
- right to restriction of processing (article 18, appears to be some kind of conditional right of correction/objection and to this extent it is new);
- right to notification to third parties to whom personal data has been provided (article 19, appears to be inspired by Rijkeboer case law);
- right to receive data in a readable format, including transmission to a different controller (article 20, a new right);
- right to object on grounds relating to legitimate interests including profiling (article 21(1), is tightened up compared to current right to object);
- right to object to commercial use (article 21(2) et seq., strongly resembles the existing methodology, albeit that the consumer can object by automated means in accordance with paragraph 5 (a "do not track" setting in the browser, perhaps?));
- right to object to automated decision-making (article 22, is tightened up compared to the current system).
More and higher fines
It is also noticeable that the regulation introduces more and (substantially) higher fines. There are two fine categories:
- maximum 10,000,000 euros or 2% of the total global turnover;
- maximum 20,000,000 euros or 4% of the total global turnover.
Broadly speaking, the lower fines are for breaching administrative requirements (such as those relating to compliance) and the higher fines are for breaches of the rules relating more directly to the protection of the privacy of the data subject.
An interesting final provision is article 84: this determines that Member States must impose sanctions for breaches of the regulation where the regulation itself does not provide a sanction. This means that a breach of any provision will carry a sanction (whether European or national).
Much is therefore expected from organisations, in particular in the field of compliance. It is becoming increasingly important to take privacy law seriously. Not only because in the future any breach of the rules will carry a penalty but also, or perhaps predominantly, because both consumers and commercial users have higher expectations of organisations in the field of privacy compliance.
We will be addressing the upcoming privacy regulation in this blog in more detail in the near future. If you have any questions, please do not hesitate to contact us. We would also like to make you aware of the seminar Current Privacy Law Developments on 20 September 2016 for which you can now register.
By Mark Jansen