17 May 2018
On 25 May 2018, it all changes. Because that’s when the European Data Protection Regulation (GDPR) comes into force. As of this date, stiff penalties may be imposed for breaches of the data protection provisions. Even so, some companies haven't yet got to grips with the new directive, and for many users it’s still unclear how and in which cases the GDPR will reinforce their rights. #explore explains what companies, website operators and users have to look forward to.
What aims is the legislature pursuing with the General Data Protection Regulation?
Until now, every Member State of the European Union has adopted its own laws for the protection of privacy and data security. With the new privacy regulation, the EU now aims to standardise data protection laws across Europe and to reinforce the rights of citizens to their private data.
Which companies are affected by the GDPR?
The GDPR applies to all businesses that process personal data - whether they do it online or offline. This is because the GDPR is "technology-neutral". In other words, it doesn't just concern the Internet activities of the company but all those areas in which companies collect personal data: ranging from those of their own staff and, for example, patients, right through to customers or users. What is different from before is that IP addresses or cookies are now also considered to be personal data. The GDPR basically requires companies to identify, document, and, where applicable, adapt their data stocks, data flows and data-processing procedures. “How much it will cost to implement the GDPR depends in the first instance on how well data protection is already anchored in the business,” says Jörg Schlißke of TÜViT.
Which data are considered “particularly worthy of protection”?
Under the existing German Data Protection Act, data concerning health, religion and ethnicity are already considered “particularly worthy of protection”. With the GDPR, genetic and biometric information by means of which a person can be identified is now also included. These data may now only be processed if the data subject has given their express consent or if there is a special legal reason for the processing. For very critical areas such as profiling, the mass processing of sensitive data and the prolonged surveillance of public spaces using video systems, an assessment of the impact on data protection needs to be carried out in which the risks for the data subjects are analysed in detail.
How or when should companies respond to data breaches?
Data protection breaches will in the future need to be reported to the supervisory authority no later than 72 hours after they come to light. The data subjects too need to be informed "without undue delay".
What kind of penalties can be imposed in the event of breaches?
With the General Data Protection Regulation, both the amount of the fines and the number of companies affected are set to increase dramatically. The existing Federal Data Protection Act allows for fines of up to € 300,000, although it has always been possible to increase this figure in order to make sure that there would never be any economic benefit for the offender. As of 25 May, regulators can sanction violations with fines of up to € 20 million. In the case of company groups, they might be forced to pay up to 4% of their annual global turnover from the previous year. In future, what is known as the marketplace principle is going to apply: this means that the GDPR will apply to all businesses that collect personal data in Europe - even if they have their headquarters in, say, San Francisco or Singapore.
How are the information obligations of website operators going to change, and what does this mean for users?
The operators of websites, social networks or trading platforms, for instance, will in future have to deal with user data more meticulously, more sparingly and more transparently. Cryptic privacy statements which you need a law degree to understand will be banned as of 25 May. Online providers will have to formulate their regulations for protecting data “in clear and simple language”, so that, for example, minors can understand them. But the duty of transparency of the operators doesn't stop there. Among other things, the privacy policy must contain:
- The contact details of the data controller or the data protection officer,
- Information concerning the purpose of the data processing,
- Information on the initial collection of data, as well as a compliance notice relating to the correction or deletion of personal data or the restriction of the processing thereof,
- Information as to whether the data are going to be transmitted to third countries,
- A reference to the fact that consent, once granted, can be revoked at any time.
Consent to the processing of data can be granted by the user in writing, orally or electronically. “Silence, previously ticked checkboxes or a lack of action are not consent within the meaning of the GDPR,” adds data protection expert Schlißke from TÜV NORD. In other words, active consent on the part of the user is required, and it is exactly this that data controllers will in the future have to demonstrate if they wish to process personal data. Revoking consent must at the same time be as easy as granting it – ideally by just one click instead of protracted and tedious e-mail correspondence with the customer service team.
How is the right of information going to change for the users?
What many users don’t know is that the existing German Data Protection Act already gives them the right to require companies to tell them what user data they hold and are processing. The General Data Protection Regulation will both reinforce and expand the rights of information of users. Consumers can ask for information orally, in writing, by fax or by e-mail. The company must then disclose information including the following, free of charge and within one month:
- How long the data are going to be stored,
- Who has already received the data or is supposed to receive them,
- Where the data come from if they were not collected by the company itself.
The companies must create structures to fulfil their obligation to provide information in good time. In complicated cases, they may need up to two months to process requests; however, they will need to provide reasons for this extended period to the data subject. Companies that handle a wide range of personal data, such as banks or insurance companies, may under some circumstances require that a user specifies which data his or her request for information relates to.
When can users exercise their "right to be forgotten"?
Users can require the immediate deletion of personal data such as phone numbers or e-mail addresses if these have satisfied the original purpose of storage, if they have revoked their consent to the data processing or if their data have been unlawfully processed. If, for instance, data have been disseminated via the Internet, the company responsible will be required also to inform all the other bodies which are using these data or have disseminated them about the demand for the deletion. All links to the data in question and all copies thereof will then also have to be deleted.
To whom can users turn in the event of breaches of the data protection regulation?
If users suspect that their personal data are being unlawfully processed, or have not been deleted or have been only partially deleted, they can contact the data protection regulators. The regulator responsible is the supervisory authority of the federal state in which the company is headquartered. If the company is registered abroad, responsibility will rest with the national data protection authority. And there is an important innovation: In the future, not just the regulators but also private individuals will have the right to sue for material and non-material damage caused by the misuse or unauthorised use of their data. And, unlike in the past, the burden of proof will in future fall on the companies. These will in other words be forced to prove beyond all doubt that they have permission to process the data of the user.
What is the “right to data portability”, and in which cases will it benefit consumers?
Until now, anyone wishing to move from one streaming service or social network to another has had to start from scratch, in other words, to enter all their data right from the beginning. The GDPR is set to change all of that. Consumers will in the future be able to require services to provide their stored personal data in a machine-readable form and, if so requested, to transfer them directly to another provider. According to the Article 29 Group of European data protection officers, the aim is for this to make it easier to swap to smart energy meters or to change fitness trackers or music streaming services. This would make it possible to transfer playlists of your favourite songs to another provider just as easily as you would move your pedometer records or shift standing orders from one bank to another. The aim is to strengthen the freedom of choice for citizens, which has to date been thwarted by the high costs involved in changing providers.