Data Protection Update: EU-US Privacy Shield & GDPR

There have been several legislative updates regarding data protection recently; Lisa Morgan outlines what you need to know about the EU-US Privacy Shield and the General Data Protection Regulation below.

Safe Harbor – EU-US Privacy Shield

2nd February saw the announcement of the EU-US Privacy Shield provisional agreement: a new framework for data transfers across the Atlantic.

This is intended to replace the Safe Harbor framework, which has recently fallen out of favour with the European Union. US companies registered under ‘Safe Harbor’ were previously recognised as providing adequate protection for EU data subjects. However, the Court of Justice declared in the Schrems case in October 2015 that this arrangement did not meet the EU’s standards.

In brief, the new framework will include the following elements:

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement
  • Clear safeguards and transparency obligations on US government access
  • Effective protection of EU citizens’ rights with several redress possibilities

It is important to note that this is not yet a binding agreement – and the Article 29 Working Party (a grouping of EU data protection authorities, including the UK’s ICO) is scheduled to provide an opinion to the European Commission about the Shield. The final agreement may therefore be a while in the making.

In the meantime, the ICO has clarified that organisations can continue to use other tools such as standard contractual clauses and binding corporate rules to legitimately transfer personal data to the USA. Businesses are also advised to bring the Shield to the attention of their contacts in America to avoid any surprises down the line.

General Data Protection Regulation

Following agreement on the final text in December 2015, the formal adoption of the GDPR is eagerly awaited. Although it is not expected to come into force until spring 2018, businesses are advised to start thinking about what this comprehensive overhaul of data protection means for them as soon as possible.

The key changes that the GDPR makes can be summarised as follows:

  • Sanctions – the violation of data subjects’ rights will carry fines of as much as 4% of global turnover.
  • Data Processors – currently, the data controller bears almost all responsibility for compliance. Going forward, data processors will be subject to specific obligations and exposed to fines. The GDPR also prescribes the required terms for any processing contracts.
  • Global reach – unlike the current regime, the GDPR will apply to data controllers and processors established outside the EU – if their processing activities relate to the offering of goods or services to EU data subjects, or to the profiling of their behaviour.
  • Breach Notification – all organisations must notify the regulator of breaches ‘without undue delay’, and within 72 hours where feasible, unless they can demonstrate the breach is “unlikely to result in a risk for the rights and freedoms of individuals”. The data subjects themselves must also be notified in certain circumstances.
  • Data Protection Officers – the requirement to appoint a DPO will apply to the public sector and to private sector organisations engaged in ‘large scale’ systematic monitoring.
  • New Rights – as well as building on the existing rights of data subjects, the GDPR grants new rights for individuals, e.g. the ‘right to be forgotten’ and the right to restrict or opt-out of processing.

For now, the ICO has advised organisations to ensure they are fully compliant with current data protection rules and continue to meet their responsibilities. It highlighted the following five key areas as priorities:

  1. Consent and control
  2. Accountability
  3. Staffing
  4. Privacy by design
  5. Breach management