The EU General Data Protection Regulation (GDPR) will apply within exactly one year from now! Are you ready?
The EU General Data Protection Regulation (GDPR) will apply from May 25, 2018. With one year to go, organizations should already be moving towards compliance, as many of the obligations imposed by the GDPR will take time to implement.
Recent technological innovations, such as social networking sites, cloud computing and location-based services, as well as highly publicized data breaches involving both government security services and hackers, have created a need to simplify data protection rules and to bolster consumer trust in the protection of personal data. In April 2016 the Parliament of the European Union (“EU“) adopted the new EU General Data Protection Regulation (“GDPR“), which aims to strengthen and protect individuals' fundamental rights in data protection. The GDPR will apply as of May 25, 2018 and will replace the current EU data protection regime, consisting of the 1995 Data Protection Directive (“Directive“) and the 28 national data protection laws implementing it. The goal of the GDPR is to ensure stronger enforcement of privacy protection rules and to set global data protection standards. As a regulation, the GDPR will apply directly in all EU Member States and, generally, will not have to be further implemented by national legislation on a country by country basis. As such, the GDPR will significantly reduce the need to verify compliance with each set of national data protection laws, which embody varying interpretations of the original EU framework. However, as the GDPR allows Member States to maintain or introduce specific rules with respect to, inter alia, genetic data, biometric data and health data, an organization must, in addition to adopting a GDPR compliance program, examine whether additional national laws apply to its field of business.
Are Israeli Entities Subject to the GDPR?
The GDPR will apply to organizations (controllers or processors[1]) established in the EU that process personal data[2] in the context of their activities (regardless of whether or not the processing of personal data itself takes place in the EU), as well as to organizations (controllers or processors) that are not established in the EU, that process personal data of data subjects who are in the EU, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the EU; or (b) the monitoring of the data subject’s behavior as far as their behavior takes place within the EU.
Many terms in these applicability provisions are subject to interpretation, including the term “established”, which has been interpreted very broadly. An organization may be considered “established” in the EU where it exercises any real and effective activity in the EU, even a minimal one, through stable arrangements in the EU. For example, the presence of a single representative of an organization within the EU may be sufficient. This matter should therefore be examined on a case by case basis. For the purpose of determining whether an organization is “offering goods or services” to EU data subjects, mere accessibility of a website from within the EU does not appear to suffice; rather, it should be apparent that the organization envisages directing such activities to EU data subjects. For example, the use of an EU language or currency on a website, the use of a European top-level domain name, or marketing campaigns displayed on the website that are directed to data subjects in the EU may serve as evidence that the goods or services are directed to EU data subjects, in which case the GDPR will likely apply. In addition, the scope of monitoring required for the GDPR to apply is unclear; tracking individuals online (for example, by using cookies) to create behavior profiles, including for the purpose of predicting users' preferences, may subject an organization to the GDPR. Controllers or processors not established in the EU that are subject to the GDPR should designate a representative in the EU.
What are the Main Requirements of the GDPR?
Organizations are required to be fully compliant with the GDPR by May 25, 2018. However, organizations should become familiar with its provisions and begin planning for implementation now, since once the GDPR applies, non-compliance could result in very high penalties.
The GDPR includes the following key elements:
• Legal grounds for data processing and consent: The GDPR sets out the legal grounds on which personal data may lawfully be processed. One of these is the data subject's consent, the requirements for which are stringent under the GDPR: consent must be freely given, specific, informed and unambiguous. For example, consent may only be obtained where the data subject has been informed of the scope and the consequences of the data processing, and the information provided to the data subject must be clear, conspicuous, sufficient and in plain language. Existing consents will remain valid only if they meet the new requirements.
Additionally, the GDPR's provisions relating to consent include, inter alia: (i) the right of data subjects to withdraw their consent at any time, which must be as easy as giving it; (ii) the organization's obligation to be able to demonstrate that the data subject has indeed consented to the processing; (iii) a requirement that consent be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as a written statement, including by electronic means. This could include ticking a box when visiting a website; silence, pre-ticked boxes or inactivity therefore do not constitute consent; and (iv) specific rules and restrictions regarding consent given by children under the age of 16.
• Sensitive Data: The GDPR provides specific restrictions with respect to special categories of personal data (“sensitive data”), which are defined under the GDPR as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Note that under the GDPR the processing of such sensitive data is generally prohibited and allowed only under certain conditions, such as where the data subject has given his or her explicit consent for one or more specified purposes; in certain circumstances, however, processing of sensitive data cannot be based on the data subject's consent alone. Moreover, the GDPR allows EU Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health, which may create differences between the requirements imposed by each Member State with respect to the processing of such data.
• Rights of Data Subjects: The GDPR introduces more extensive rights for data subjects, such as the following:
    • “Right to be forgotten”: the GDPR adopts the “right to be forgotten”, giving data subjects the right, under certain circumstances, to require a data controller to erase personal data relating to them without undue delay (for example, where there are no legitimate grounds for retaining it). If the controller has made such personal data public, it must take reasonable steps, including technical measures, to inform other controllers processing the data that the data subject has requested the erasure of any link to, or copy or replication of, such personal data. We note that this obligation is far-reaching and may be extremely difficult to implement.
    • “Right to data portability”: data subjects have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and the right to transmit this data to another controller. This right will give data subjects greater control over the transfer of their personal data between service providers and will help them better understand how their personal data is processed.
• “Data Protection Officer“: pursuant to the GDPR, in certain circumstances data controllers and processors will be required to appoint a Data Protection Officer (“DPO“), for example where their core activities consist of large-scale processing of special categories of data, or of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale. The GDPR further specifies the DPO's tasks and the organization's obligations towards the DPO;
• Data Breaches: under the GDPR, data processors must notify the data controller of a personal data breach without undue delay. The controller in turn must notify the competent data protection authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach (and, where the breach is likely to result in a high risk to individuals, must also notify the data subjects themselves). Where notification to the authority is not made within 72 hours, it must be accompanied by the reasons for the delay;
• Accountability and “Data protection by design and by default“: The GDPR places onerous accountability obligations on data controllers, requiring organizations to implement appropriate technical and organizational measures to comply with the principles and obligations under the GDPR and to be able to demonstrate such compliance. Such obligations include, inter alia, requiring data controllers to (i) maintain certain documentation, including records of processing activities; (ii) conduct a data protection impact assessment (often referred to as a privacy impact assessment, PIA) before carrying out processing operations that are likely to result in a high risk to data subjects due to the nature or scope of the processing; and (iii) implement data protection by design and by default, e.g. taking privacy risks into account throughout the design of a new product or service, adopting technical and organizational mechanisms to ensure that, by default, only the personal data necessary for each purpose of the processing are processed, used and retained, and integrating safeguards designed to implement data protection principles, such as pseudonymisation or anonymization, into the processing of information.
• Stronger enforcement: National data protection authorities (“DPA(s)“) will supervise compliance throughout the EU. Non-compliance could lead to heavy sanctions: the DPAs will be able to levy administrative fines of up to 4% of the infringing company's total worldwide annual turnover of the preceding financial year or 20 million Euros, whichever is higher. In addition, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered.
• Data Processors: One of the key changes in the GDPR is that data processors have direct obligations and may be held directly liable for damages caused by their processing. Companies processing personal data on behalf of other companies will be required to comply with a number of specific data protection obligations (such as implementing appropriate technical and organizational security measures, notifying the controller without undue delay of data breaches and appointing a data protection officer, if required). These new obligations will likely impact how data protection matters are addressed in supply agreements. We note that the GDPR recognizes Binding Corporate Rules (BCRs) for controllers and processors as a means of legitimizing intra-group international transfers of data;
• Transfer of Personal Data outside the EEA: Transfers of personal data to third countries outside the European Economic Area (EEA) are a very important issue for multinational organizations as well as for Israeli data processors processing data on behalf of European affiliates. Generally, such data transfers continue to be regulated and restricted under the GDPR in a manner similar to the current European data protection framework. Specifically, the existing European Commission adequacy decisions approving data transfers to certain countries outside the EEA, including Israel, will remain in force. In addition, the GDPR allows transfers of personal data based on standard data protection clauses adopted by the European Commission (known as “Model Clauses”) and codifies transfers based on an organization's approved BCRs. It should be noted that breaching the GDPR's provisions concerning international data transfers may subject organizations to the highest tier of administrative fines. We note that the transfer of personal data from the EU to the U.S. under the EU-U.S. Privacy Shield framework is not referenced in the GDPR; however, such transfers remain allowed to the extent that they meet the requirements of the EU-U.S. Privacy Shield framework.
We recommend that our clients consider, inter alia, the following in order to prepare their organizations for compliance with the GDPR:
1. Data Inventory Check:
• Performing a data inventory to understand what personal information and sensitive information they collect, how it is processed, where it is stored, how it is protected and who may have access to it.
• Creating a “paper trail” of internal records relating to data processing activities.
2. Data Governance:
• Examining which data protection authority will supervise the company's data processing.
• Examining whether the company needs to appoint a DPO.
• Reviewing or establishing the legal grounds for data processing, as the GDPR requires that all processing has a legal basis (e.g. consent, contract, legitimate interests, etc.).
• Conducting a PIA (Privacy Impact Assessment) in the event that the organization is engaging in high-risk personal information processing.
• Drafting or, if applicable, revising the company’s written information security policies to ensure the appropriate technical, administrative and physical measures to protect personal information. Ensuring that procedures are in place to continually monitor compliance with these policies prior to, during and after processing of personal information.
• Ensuring that the company has clear policies in place which meet the required standards. The company should review and update the company’s privacy policies to ensure that they are easily accessible, include clear and plain language and include full disclosure of the company’s personal information collection, use and processing.
• Reviewing and revising, if applicable, the company’s methods of obtaining consent from data subjects (including privacy notices and consent forms) to ensure that freely given, specific, informed and unambiguous consent is provided before processing data, and that if special categories of data are processed, such consent meets the applicable requirements of the GDPR.
• Reviewing and revising, if applicable, the company’s methods of obtaining consent from children and the company’s processing of personal information relating to children (where applicable).
• Reviewing the company’s cyber-incident (data breach) response plans and policies and updating them if necessary in order to be able to react quickly to any data breach and to timely provide notice of data breaches.
• Training of key personnel regarding GDPR compliance.
3. Product Design:
• Implementing privacy by default and by design procedures in the company’s product development process in order to ensure that privacy risks are considered early in the process and that the products and services only collect and maintain the minimum amount of personal data necessary for the proper performance of the company’s products and services.
• Implementing security measures and safeguards that maintain the confidentiality, integrity, availability and resilience of the systems processing personal data.
• Ensuring that obtaining consent via the company’s product or service complies with the GDPR restrictions, i.e. that the consent is not bundled with other written agreements, that the consent is actively granted (pre-ticked boxes are not valid), that separate consents are obtained for distinct processing operations, that users are able to withdraw their consent in the same manner as it was granted and so forth.
• Reviewing the company’s ability to enable the data subject to exercise their right to be forgotten and the right to data portability.
4. Third Party Data Transfers:
• Reviewing agreements with controllers, processors or other service providers (as applicable) in order to ensure sufficient contractual guarantees and compliance with the GDPR. In addition, the company should consider whether to adopt BCRs to facilitate intra-group transfers of data.
• International data transfers – identifying, reviewing and where necessary, revising the mechanisms that facilitate data transfer outside the EEA, including by use of Model Clauses or BCRs.
Since we are not licensed to practice law outside of Israel, this document serves only as a general guideline with respect to the new provisions of the GDPR and shall not be regarded as binding legal advice. As many provisions of the GDPR are subject to interpretation, we recommend obtaining legal advice with respect to the specific circumstances of each organization's activities regarding the processing of personal information.
GKH’s IP Group is available to assist clients prepare for the impact of GDPR on their business.
For further information regarding this update, please contact Adv. Ella Tevet, Partner, Head of IP Practice, at ellat@gkh-law.com or 03-6074588.
[1] “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
[2] “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.