Can EEA authorities really enforce the new data protection law directly against US and other non-EEA companies?
The new European data protection law – the General Data Protection Regulation or “GDPR” – was officially approved by the European Parliament on 14 April 2016 and will now come into force throughout the EEA on 25 May 2018. The legislation will have far-reaching implications for many, but one of its most intriguing aspects is its extra-territorial reach.
Those entities, wherever they may be based in the world, who offer goods or services to individuals in the EU or who monitor the behaviour of individuals in the EU will be directly caught by the legislation and will have to comply with it. That scope is tremendously broad and it captures a colossal group of entities globally, each of whom will need to observe the right to be forgotten, the data portability right, the right to object to profiling, the obligation to report certain data breaches within 72 hours and so on.
The authorities in Europe have been strident and uncompromising in their desire to ensure that European citizens' personal data are well protected in this increasingly digital and connected age. The unprecedented extra-territorial reach of the GDPR is perhaps the logical conclusion of that approach.
At a Westminster Forum conference last week, the message was crystal clear from Christopher Graham, the Information Commissioner himself (the UK data protection regulator). His office, the ICO, will have a remit to, and will, pursue companies outside as well as within the EEA.
There are, though, unanswered questions around resourcing and how much "overseas action" the ICO and its counterparts in other European countries will be able to take on. While the ICO does, and will continue to, work closely with the Federal Trade Commission and other non-European agencies, they and their counterparts in other EEA countries will inevitably have to pick their battles.
There is also the technical possibility that the US and other non-EEA countries may bring in legislation to blunt the impact of the GDPR within those countries. For example, such legislation could provide that data protection judgments issued by EEA courts will only be enforced if the “wrongdoing” to which the judgment relates would also be actionable under laws in the US (or other non-EEA country).
As things stand though, the position from the ICO is clear: (i) the GDPR will be effective in Spring 2018; (ii) you will have to be compliant, whether you are based in the EEA or not; (iii) you should act now if you want to avoid what Mr Graham calls a "nasty surprise".
Becoming compliant will require work, and buy-in at board level is essential. By starting now and following the three A’s approach (Audit what you have, Analyse against the legislation, Act so as to make the necessary changes), businesses can stay out of the regulators' crosshairs.
Note: My thanks to Dan Svantesson for the very helpful and insightful work he has done in the area of data protection and extra-territoriality.
New data protection law: Will I be able to demand a company sends my personal data directly to its rival in an easy to use format?
The right of “data portability” is one of the key new rights to be ushered in when the new General Data Protection Regulation (GDPR) takes effect sometime in 2018, and it will have important implications for both businesses and individuals.
In a nutshell, individuals will have the right to transfer personal data from one business to another and, indeed, to require that the business holding the data transmits it directly to the receiving business. This sounds good in principle, but the right is limited in some important ways.
Let’s fast forward to 2018 when the GDPR comes into force. Imagine you are a gym owner; a customer tells you of her desire to take advantage of the new portability right in order to have all of her personal data that you hold transferred to a rival gym. (While we use the gym as an example, the same principles will apply to all sorts of businesses.)
The data held by the gym
The gym holds contact details like name, address, email, telephone, date of birth and bank card details, as well as some data on the customer's weight and height and limited medical information. The customer has also provided to the gym some details of the kind of activity she wants to do (e.g. weights or cardio-vascular etc.) or the results she wants to achieve (e.g. losing weight, building muscle or maintaining general health).
But there is other data too. There are also records that the gym has kept of the dates and times of the customer's visits. Moreover, one of the gym’s instructors has worked with the individual to produce a detailed and customised exercise plan.
Is all of that data “portable”?
The short answer to this appears to be “no”. The portability right only attaches to data relating to a data subject "that he or she has provided to the controller" (emphasis added). So, it seems that any data not given to the gym – which in this case would include the personal exercise plan and the records the gym has of the dates and times the customer has visited – are excluded from the data portability right. These will be covered by a separate right, the right of access. That right, however, is only a right for the individual to receive an electronic copy and therefore stops short of entitling the individual to require a direct business-to-business transmission of data.
Looking at the data which was indeed provided to the gym by the customer, can the customer insist on a business-to-business transfer to the gym’s rival?
The answer in this case is, “it depends”.
Yes, the data subject “should have the right to obtain that the data is transmitted directly from controller to controller”. But, that right only applies where such transmission is “technically feasible”. What that will mean in practice, and how much pressure data controllers, like the gym in this example, will be under to enable such direct transmission of personal data to rivals and other businesses, is of course open to interpretation. No doubt guidance will be forthcoming.
In the meantime, we must satisfy ourselves with the conclusion that the “technically feasible” proviso will restrict the impact of the new data portability right. At the same time, as we have already observed, the right will only bite on data that were provided to the business in the first place. Given these limitations on the data portability right, we may only have, if not a mere shadow of the right many campaigners were hoping for, then certainly a materially diminished version.
Much has understandably been said and written recently about the Schrems judgment of 6 October 2015 in which the ECJ declared invalid the Safe Harbour arrangements between the EU and the US.
Safe Harbour was based on a set of seven principles, together with 14 FAQs. By signing up, and thereby undertaking to adhere to those principles and the FAQs, US companies could ensure that they were recognised as being compliant with European data protection legislation. Accordingly, entities based in the EEA could transfer personal data to Safe Harbour companies without falling foul of the European data protection regime. Following Schrems and the declaration of invalidity, there is no small degree of uncertainty among those who had previously relied on Safe Harbour to ensure their transfers of personal data to the US were legal.
The invalidation was not necessarily a big shock. In the light of the Edward Snowden revelations, the European Commission had already made known to US authorities its concerns and had been holding talks with them since 2013 in relation to what is being widely referred to as "Safe Harbour II". There are some fundamentally difficult issues to resolve, specifically the broad-ranging ability of US security agencies to access personal data and the inability of non-US citizens to seek redress in US courts for privacy breaches by US companies. The general feeling, however, is that the respective authorities will probably be able to reach an agreement by the end of January 2016 (so shortly after the expected announcement on the finalising of the new General Data Protection Regulation).
There are still other ways lawfully to transfer personal data to the US, including on the basis of consent, using the Standard Contractual Clauses and, for multinationals, the Binding Corporate Rules regime.
We live in a time of significant flux and data controllers and processors need to be on their toes to ensure they observe best practice.
Sports, leisure and fitness businesses who process data gathered from wearable or similar electronic devices should look carefully at their obligations under the new proposed data protection regime, especially with regard to the need for Privacy Impact Assessments ("PIAs").
The Regulation in its current draft form requires the carrying out of a PIA where "a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals" (Article 33).
So, whether the technology in question is being used to gather data concerning health, location data or any other kind of personal data, enterprises will need to consider whether this requirement will apply. An impact assessment will be mandatory if the processing in question is likely to result in a high risk for data subjects’ rights and freedoms.