Current EU data protection law, based on Directive 95/46/EC, has finally been sentenced to death: on 14 April, in fact, after four long years of negotiations at the institutional level, the European Parliament adopted the data protection reform package, the so-called “GDPR – General Data Protection Regulation”, which marked a crucial milestone for the birth of a stronger European-wide right to privacy.
This fundamental step comes at a time where significant advances in information technology have been achieved and there have been radical transformations to the ways in which individuals, organisations and public institutions communicate and share information.
Therefore, the divergent approaches taken by Member States in implementing EU data protection laws became more evident than ever and pushed the EU towards new and more effective ways to harmonise European privacy legislation.
Furthermore, European citizens’ growing awareness of the risks and dangers to their personal data (also driven by recent global outrage over massive surveillance scandals and data breaches) fostered the approval of a common set of rules applicable within and outside the EU’s borders.
Nonetheless, despite the significant efforts by the legislature to re-think the basis of EU personal data privacy law, the final deal was not as comprehensive as initially hoped. In fact, the process of adopting this law shows that you cannot have the best of both worlds.
The final version of the package adopted on 14 April 2016 by the European Parliament – and then published in the EU Official Gazette on 4 May 2016 – is therefore the synthesis of the most suitable and viable compromise that EU legislators could agree on: it brings privacy law to a higher level of complexity, while setting aside controversial topics for future institutional talks, i.e. “hot potatoes” including the e-Privacy Directive reform, employment issues and, last but not least, the new EU-US Privacy Shield.
In essence then, the reform package, made up of a Regulation (i.e. the General Data Protection Regulation or GDPR) and a Directive (i.e. the Police and Criminal Justice Data Protection Directive), represents a fundamental keystone for the creation of the future EU Digital Single Market and an important step towards greater legislative harmonisation on privacy and data protection issues across the continent.
The package will now enter a two-year implementation period during which Member States will have to adapt domestic legislation to the new EU rules by 25 May 2018.
Over the course of this time-frame, organisations need to understand clearly which changes are most likely to affect their sector of activity and be prepared to assess their level of compliance with the reform’s new requirements.
As for the definition of the traditional categories of players subject to accountability in EU privacy law’s “chain of responsibility” (i.e. data controller and data processor), many of the core definitions from the previous Directive remain essentially unchanged.
At a national level, for instance, in Italy, the legislator and the Italian Data Protection Authority (i.e. the Garante), after having found themselves faced with the difficult task of balancing the reform package with the current domestic regulatory framework and adapting it to Italian legal terminology, decided to maintain the current translation of “data controller” (i.e. titolare del trattamento) and “data processor” (i.e. responsabile del trattamento) in order not to cause unnecessary interpretative burdens for public and private entities processing data.
Moreover, the entry into force of the GDPR will definitely cause major concerns for private and public institutions operating in several areas (e.g. from banking to health care) because of stricter and more pervasive privacy obligations to comply with.
Where the Regulation is deemed applicable to a business entity processing personal data, for example, the entity will need to provide clear evidence that it is in full compliance with the new rules to either the national Data Protection Authorities or the future European Data Protection Board, which will take over the role and functions of the Article 29 Working Party.
The same will apply to the public sector and, for the very first time, also to data controllers and processors based outside the EU but conducting business (i.e. processing data) within EU borders.
Currently, if a data controller is established in any Member State, it is considered subject to the regime established by the Directive as implemented by the national laws and regulations of that legal system; under the GDPR, however, this distinction will fall apart.
The Regulation, in fact, will apply whenever a legal entity, either public or private, offers goods or services to data subjects in the EU or monitors their behaviour within the borders of the EU.
For instance, a business established in the US that markets its products directly in the EU single market but has no physical presence in the EU will now be subject to the requirements of the GDPR as if it were established on European soil.
This important aspect, along with others (e.g. the obligation to conduct regular privacy impact assessments, the new privacy-by-design and privacy-by-default principles, or the duty to appoint a data protection officer and a national Representative where prescribed), is an expression of the strategy behind the desire to regulate and adequately circumscribe the power of telecom and digital multinationals processing personal data of EU citizens through a borderline approach to privacy compliance.
The entry into force of the GDPR will indeed force big companies that have previously regarded non-compliance with EU data protection law as a “calculated risk” to re-evaluate their position, especially in light of the substantial new fines (i.e. up to € 20 mln or 4% of the annual worldwide turnover) and the increased enforcement powers given to national Data Protection Authorities (e.g. a total ban on processing and in-depth investigative capacity above all).
On the other hand, the same companies processing personal data, either from within the EU or outside, will benefit from a significant degree of autonomy in dealing with Member States’ data protection authorities through the new One-Stop-Shop mechanism, which will connect controller and processor with a single “lead authority” on the basis of the location of its “main establishment”, i.e. the place where the main processing activities take place.

It is now clear how difficult it has been for EU legislators to combine civil society’s push for a stronger protection of the individual right to privacy with the legitimate interests of companies to collect and process personal data. But a compromise solution has been successfully achieved. With a greater simplification and a substantial de-bureaucratisation of some privacy obligations (i.e. the same rules apply in all EU Member States, with no need to contact twenty-eight national DPAs) comes a revamped focus on data protection in all corporate policies and regulations as a guarantee of stronger and deeper protection of individuals’ rights.

As for Italy, the Garante’s serious attitude towards the new rules will surely translate into a reasonable and sound approach in choosing how best to integrate the letter of the GDPR with the Italian Data Protection Code (i.e. Legislative Decree no. 196 of June 30th, 2003).

In conclusion, only time will tell whether more stringent and incisive privacy rules have been enough to raise and consolidate EU and global data protection standards and to make IT compliance and cyber security a number one priority for all companies and public institutions. There is still a long way to go for the full implementation of the GDPR, and Member States still have some room for different approaches.
However, the key development is the recognition that privacy compliance is a real strategic asset for the private and the public sector alike, and the birth of a corporate culture of data protection and social responsibility might be closer than it seemed even in recent years.