Starting in May 2018, a new regulation on data protection will come into force and replace the current Data Protection Directive (95/46/EC). One change that comes with the new regulation is the requirement for data protection by design and by default, which can help reduce the risks identified at each stage of the development of products and services. The principles of privacy by design and privacy by default are not explicitly required by the DPD. However, article 17 of the Directive did call for appropriate technical and organisational measures to be taken by the controller, and such measures are the core of both principles.
What is privacy by design and how is it regulated by the GDPR?
Privacy by design is a concept founded by Ann Cavoukian which states that privacy should be incorporated into the design of ICT from the outset and not added as an afterthought. According to its founder, Privacy by Design rests on the following principles: proactive, not reactive, and preventative, not remedial; privacy as the default setting; privacy embedded into design; full functionality; end-to-end security; visibility and transparency; and respect for user privacy. Besides being one of these principles, privacy by default can also be understood as a separate concept: it then refers to default settings that protect the individual from the start, rather than to privacy as the default setting in the broader sense in which Cavoukian uses it.
Although the concept refers to privacy, the new General Data Protection Regulation (GDPR) introduces data protection by design, since the subject of the regulation is data protection, not privacy. The difference is that privacy describes the relation between the individual and the collective, whether that collective is the state or other people. Data protection, on the other hand, is considered a tool which can be used to protect the individual against abuses of their privacy.
The GDPR addresses the principles of privacy by design and privacy by default in recital (78). The recital requires that producers of products, services and applications be encouraged to take the two principles into account, so that controllers and processors are able to fulfil their obligations. According to article 25, it is the controller who has to take the measures needed to comply with the regulation, both when determining the means of processing and while the processing is taking place.
Therefore, in order to protect the rights and freedoms of natural persons, the controller of the data has to take appropriate technical and organisational measures, such as:
- minimising the processing of personal data,
- pseudonymising personal data,
- transparency with regard to the functions and processing of personal data,
- enabling the data subject to monitor the data processing,
- enabling the controller to create and improve security features.
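As an added illustration of two of the measures listed above (this is example code written for this page, not part of the original article or of any regulatory text), the following Python snippet minimises a customer record to the fields an analytics use case needs and replaces the direct identifier with a keyed pseudonym. The record layout, field names, sample data and key handling are all constructed for the example; the only regulatory reference is article 4(5) GDPR, which defines pseudonymisation as processing where the additional information needed to re-identify a person is kept separately.

```python
"""Data minimisation plus keyed pseudonymisation of personal-data records.

Added example for this page; the records, field names and key are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (no real persons).
RAW_RECORDS = [
    {"email": "alice@example.org", "name": "Alice Example",
     "country": "DE", "purchases": 3},
    {"email": "bob@example.org", "name": "Bob Example",
     "country": "FR", "purchases": 1},
    {"email": "Alice@Example.org", "name": "Alice Example",
     "country": "DE", "purchases": 2},
]

# The only fields the downstream (hypothetical) analytics job needs.
# Everything else, including the name, is dropped: data minimisation.
ALLOWED_FIELDS = ("country", "purchases")


def new_key() -> bytes:
    """Generate the secret that must be stored separately from the data set.

    Without this key the pseudonyms cannot be linked back to the e-mail
    addresses, which is what makes the result pseudonymised rather than
    merely obfuscated.
    """
    return secrets.token_bytes(32)


def pseudonymise_id(identifier: str, key: bytes) -> str:
    """Return a stable pseudonym for `identifier` under `key`.

    HMAC-SHA256 is used instead of a plain hash so that a party holding only
    the pseudonymised data cannot confirm a guessed address by hashing it.
    The identifier is normalised first so that the same person always maps
    to the same pseudonym regardless of letter case or surrounding spaces.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    mac = hmac.new(key, normalised, hashlib.sha256)
    return mac.hexdigest()[:32]


def minimise_and_pseudonymise(record: dict, key: bytes) -> dict:
    """Keep only the allowed fields and swap the e-mail for a pseudonym."""
    out = {"subject_id": pseudonymise_id(record["email"], key)}
    for field in ALLOWED_FIELDS:
        if field in record:
            out[field] = record[field]
    return out


def process_records(records: list, key: bytes) -> list:
    """Apply minimisation and pseudonymisation to a whole data set."""
    return [minimise_and_pseudonymise(r, key) for r in records]


if __name__ == "__main__":
    key = new_key()
    for row in process_records(RAW_RECORDS, key):
        print(row)
```

The same e-mail address yields the same pseudonym under one key, so per-subject statistics still work, but the output contains neither the address nor the name, and a different key yields unrelated pseudonyms. Rotating the key is one way to limit how long records from different periods can be linked.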
The problems that are bound to appear relate to identifying the liable controller in the case of an advanced device that involves multiple controllers and processors. Additionally, since article 25 imposes no obligation on the producer of the product, service or application, what will happen when the producer of a certain service is encouraged to implement privacy by design but fails to do so, leaving the controller unable to comply with the regulation? As this is not yet clear, case law will decide on a case-by-case basis how the principles evolve.
Currently 28 data protection laws in 28 countries exist within the European Union. Although they are all based on the same Data Protection Directive from 1995 (95/46/EC), they could not be more different in terms of the protection they provide, because each European country implemented the Directive differently. The aim of the new Data Protection Regulation is to create a uniform but high standard of protection all over Europe. The regulation will focus on reinforcing individuals' rights and will address the current lack of trust among citizens. It will strengthen citizens' rights such as the right to be forgotten, the right to data portability and the right to be informed of personal data breaches. Furthermore, it will strengthen the EU internal market, streamline international transfers and set global data protection standards with technologically neutral rules that enable innovation and remain up to date.
What does the new regulation mean for Non-European companies?
Data is the currency of today's digital economy. Collected, analysed and moved across the globe, personal data has acquired enormous economic significance. Strengthening the European standards of data protection will create new business opportunities beyond state borders and will affect more and more non-European companies. These companies therefore face major changes and have to build the following three substantial innovations into their business practice:
Most important for non-European companies will be the extended territorial scope of the new regulation. It will apply to all organisations that process personal data of EU residents. Unlike in the past, the use of equipment located within the territory of an EU Member State is now irrelevant; the focus instead is on the targeting of EU residents. Whenever a company offers goods or services to residents, handles their personal data or monitors their behaviour, it must comply with the new rules ("the same rules for all companies, regardless of where they are established"). As a result, all non-European websites, search engines, social networks, e-commerce platforms, cloud services and apps available in the EU will be covered by the new regulation.
Moreover, instead of dealing with 28 different legislations when processing such data in Europe, these companies will now have to meet only one single set of rules ("one continent, one law"). The regulation will thus override national laws and the current Data Protection Directive.
The last major innovation will be the "one-stop shop". In the past, international companies had to deal with several national authorities, and in Germany even with several state authorities. Under the new regulation, companies (European or not) will deal with one single national supervisory authority, based in the EU country where their main establishment is located. This change will especially simplify the creation of each non-European company's Binding Corporate Rules (BCR), streamline their approval process and thus simplify its transborder data flows.
What are the general obligations for Non-European companies?
As mentioned, the applicability of the regulation will lead to major changes in the practice of non-European companies, as it may force them to comply with a wide range of privacy rules. These are their main new obligations:
- Companies have to implement appropriate technical and organisational security measures.
- If a company handles the data of more than 5000 residents within 12 months, or handles especially sensitive data, it needs to appoint a European data protection officer.
- Companies have to produce detailed documentation of the data that is processed.
- Companies are required to take reasonable steps to implement compliance procedures and policies, which should be reviewed every two years. These procedures should include adopting privacy by design and privacy by default and promoting new techniques that follow the rules of anonymisation and pseudonymisation.
- In case of a data breach, companies need to notify the responsible one-stop-shop supervisory authority in the EU without undue delay ("comprehensive data breach notification").
For this purpose, companies have to acquire detailed knowledge of the new regulation; existing security and data protection measures, policies and procedures have to be reviewed; new employees must be hired; and staff training has to be set up.
Thus, all of the named obligations require significant investment and resources, and they will have an impact on small businesses attempting to enter a new market if they do not already have sufficient protection mechanisms in place.
What are the consequences in case of failure to comply?
Companies that do not comply with the new rules will be fined by the data protection authorities up to EUR 20 million or up to 4% of their global annual turnover. In addition, compensation for non-material damage will be possible. European regulators will be equipped with strong enforcement powers, so companies are required to review their duties carefully.