12 April 2016 by Sandra Tierney
“The digital future of Europe,” Andrus Ansip, Vice President for the Digital Single Market, noted in December 2015, “can only be built on trust.” His comments crowned four years of intense negotiation, the result of which is the General Data Protection Regulation (GDPR), expected to be formally adopted by the European Parliament and Council in the next few months and to come into effect two years thereafter. There are several reasons for replacing the 1995 Data Protection Directive, including the need to keep pace with new technologies and to reduce the burden on companies operating across multiple European jurisdictions.

Previously a company had to deal with a separate Data Protection Authority in every member state in which it operated; under the GDPR it will deal primarily with the Supervisory Authority of the jurisdiction in which it has its main establishment (the so-called one-stop shop). Replacing 28 different national data protection laws with one harmonised regulation is clearly a practical measure (the reduction in red tape is expected to save companies €2.3 billion in annual expenditure), but trust is an equally important factor, and companies should keep it in focus when preparing for the new regulation.

The last decade has been notable for high-profile whistleblowing and data leaks that have called into question the protective structures around personal data. The impact of Edward Snowden’s revelations can be seen in the Court of Justice of the European Union’s recent decision in the Schrems case, which declared the EU-US Safe Harbour regime invalid and led to the negotiation of a new, and hopefully improved, framework for data transfers from the EU to the US (Privacy Shield). The recognised vulnerability of personal data found expression in a recent Eurobarometer survey, which found that two thirds of Europeans are concerned about the lack of control they have over the information they provide online.
The GDPR seeks to address this by giving EU citizens much greater control over their personal data. At the same time, companies that control or process personal data in the EU will face far heavier obligations towards their customers. Failure to observe these obligations can attract extremely heavy sanctions: administrative fines of up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher, with the amount actually imposed depending on the severity of the infringement, whether it was caused by negligence or intent, whether mitigating action was taken, and so on. Company obligations under the GDPR run to roughly 200 pages of text, but the following are some of the main provisions:
Inevitably some companies will feel that these new rules strip away old hindrances only to erect new ones, and certain public figures have already voiced their concern. MeMe Rasmussen, Chief Privacy Officer of Adobe, has said that the GDPR “was written by people who don’t run businesses,” while others such as Sheryl Sandberg and even President Obama have signalled their wariness. On the other side, some feel that the Regulation does not go far enough: Germany’s Data Protection Authorities, for instance, voiced concern that the GDPR would weaken Germany’s existing rules, and noted that they would have liked to see provisions such as the mandatory appointment of a Data Protection Officer applied more widely. The two-year period before the GDPR applies gives companies time to review their data protection activities in light of the incoming Regulation and to put in place the measures and safeguards their obligations require, in particular the Privacy by Design and by Default principles. The penalties for non-compliance are severe and well advertised, but it is perhaps more important to reflect on the benefit to companies that actively engage with the new measures and aim for something more than mere observance. That benefit is the trust of their customers. In an age where the misuse of personal data has bred a high and pervasive level of cynicism, it may be trust that emerges as the most valuable economic asset.