It’s not difficult to understand why there is some level of confusion and “panic” in many organisations with regard to upcoming privacy law changes. Just when people begin to think they have got their heads round the GDPR requirements, they suddenly hear about the Data Protection Bill, the ePrivacy Regulation and the Law Enforcement Directive. So what does each of these mean, and how do they interact? Below we summarise what each covers and how they fit together.
The GDPR
Probably the most widely discussed, the General Data Protection Regulation (“GDPR”), adopted nearly 2 years ago, will come into force on 25 May 2018.
The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens with regard to data privacy, and to reshape the way organisations across the region approach data privacy. Whilst a number of key data protection principles found in the Directive remain, the GDPR has introduced several new concepts as well as amending some existing ones.
The GDPR provides a framework for anyone processing personal data, as defined by the Regulation, and sets out a number of data protection principles which must be adhered to. Specific obligations with regard to data processing are imposed on both data controllers (those determining the purposes and means of processing personal data) and processors (those processing personal data on behalf of a controller). It applies to processing carried out by organisations within the EU and also to organisations outside the EU that offer goods or services to individuals within the EU. It gives individuals whose data is being processed a number of rights and protects their fundamental rights and freedoms. This aims to empower them by giving them much more choice and control over how their personal data is used and stored, and requires data controllers to be transparent about how they are using personal data.
Data controllers must ensure that all personal data is:
- processed lawfully, fairly and in a transparent manner;
- only collected for specific, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
- accurate and up to date;
- kept in a form permitting identification of data subjects for no longer than is necessary; and
- processed in a manner ensuring appropriate security, using organisational and technical measures.
Data controllers and processors additionally have documentation and breach notification obligations. The GDPR also requires some organisations to appoint a Data Protection Officer and regulates cross-border transfers of data.
It empowers the supervisory authorities in each Member State (the ICO in the UK) to impose various sanctions for non-compliance or breach, including substantial administrative fines.
The Data Protection Bill
The Data Protection Bill was published on 14 September 2017 (it is currently going through Parliament and is intended to receive Royal Assent in time to take effect in May 2018) and is another piece of legislation aimed at modernising data protection laws in our increasingly digital world.
The Data Protection Bill is a UK piece of legislation. Its contents can be split into five areas:
- The Data Protection Bill applies the GDPR standards to data protection law in the UK, setting new standards for protecting data and giving people more control over their data. Whilst the GDPR is a European Regulation with direct effect across all Member States, the Regulation contains a number of provisions which give Member States the opportunity to decide how to implement certain aspects of data protection law in their own country – the Data Protection Bill covers these areas (e.g. setting the age from which parental consent to process data online is not needed). Therefore, the Data Protection Bill should be read alongside the GDPR to understand how the two interconnect. Upholding the data protection standards set by the GDPR also means that, post-Brexit, the UK can continue to operate as a trading partner across international borders.
- The Bill also deals with processing that does not fall under EU law, in areas such as immigration. It applies GDPR standards, adjusted accordingly to work in a national context.
- The Data Protection Bill also has provisions implementing the EU’s Law Enforcement Directive (LED) in Part 3. This covers those involved in law enforcement processing, including the police, prosecutors and other criminal justice agencies. The new law enforcement provisions are intended to cover both cross-border and domestic processing of personal data for law enforcement purposes. These provisions only apply to ‘competent authorities’ for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This includes (i) any public authority with powers to investigate and/or prosecute crimes and impose sentences; or (ii) any other organisation (such as a private company or contractor) empowered by law to exercise those powers in a way that gives it control over the data (i.e. as a data controller, as opposed to a data processor). It will therefore cover criminal courts, prisons and any other person that has statutory functions for any of the law enforcement purposes, as well as law enforcement bodies such as the police or prosecution bodies.
Similar to the GDPR, the Data Protection Bill provisions dealing with law enforcement promote accountability from organisations and enhance individuals’ rights. For example, personal data cannot be kept for longer than necessary, after which it must be erased, and data subjects must be made aware of these timescales. Data subjects can also request access to their data, and such requests must be responded to without delay and always within one month. There are, however, some key differences between the law enforcement provisions of the Data Protection Bill and the GDPR with regard to data processing, notably that the Data Protection Bill requires:
- categorisation of individuals (i.e. witnesses, victims, suspects, convicted perpetrators);
- classification of whether the data is fact or personal opinion/assessment; and
- logging of the specific processing actions for automated systems (i.e. metadata that someone did something at a specific time) such as collection, alteration, disclosure or erasure.
Note that this applies to criminal activity only. Any data processing activities (i) carried out by organisations other than the defined “competent authorities” and/or (ii) relating to civil rather than criminal functions will be covered by the GDPR provisions. This includes, for example, the use of CCTV cameras by shop owners, or civil enforcement such as parking fines.
Other points to note include: (i) all competent authorities to whom the law enforcement provisions apply must appoint a Data Protection Officer; (ii) any processing that involves data sharing with non-competent authorities is likely to need to comply with the GDPR, and similarly any data sharing that does not fall under the law enforcement purposes must also be compliant with the requirements of the GDPR; and (iii) when processing is likely to result in a high risk to the rights and freedoms of individuals, a Data Protection Impact Assessment must be carried out prior to processing, as is also required by the GDPR.
- Another area which falls outside the scope of EU law and is covered by the Data Protection Bill is that of National Security. The Bill, in Part 4, contains provisions based on the Council of Europe Data Protection Convention 108 which apply to the intelligence services. This ensures that they comply with internationally recognised data protection standards whilst tackling existing, new and emerging national security threats. It sets out GDPR-standard data protection principles and the rights given to individuals. However, it also provides the intelligence services, and data controllers and processors in certain situations, with an exemption from the provisions where necessary to safeguard national security.
- Finally, the Data Protection Bill also covers the Information Commissioner’s Office duties, functions and powers, plus the enforcement provisions. As the Data Protection Act 1998 is being repealed, the Data Protection Bill also addresses the interaction between the Freedom of Information Act and Environmental Information Regulations and the Data Protection Act.
The Bill includes a number of provisions for the Commissioner, including:
- i. Provisions giving the Commissioner and her staff powers to inspect personal data where international obligations make inspection necessary.
- ii. Putting an obligation on the Commissioner to produce annual performance reports for the consideration of Parliament.
- iii. Allowing the Commissioner to recoup fees from controllers, as set by the Secretary of State.
- iv. Allowing the Commissioner to issue ‘information’, ‘assessment’, and ‘enforcement’ notices where necessary to ensure data controllers are processing personal data within the data protection framework.
- v. Provision of an appeals system to challenge the Commissioner’s decisions and monetary penalties imposed before an independent tribunal.
The Law Enforcement Directive
The Law Enforcement Directive is another piece of legislation designed to complement the GDPR. Member States have until 6 May 2018 to incorporate it into their national law. As mentioned above, the UK is doing this via Part 3 of the Data Protection Bill 2017.
The Directive aims to better protect individuals’ personal data when it is being processed by police and criminal justice authorities. It also aims to improve cooperation in the fight against terrorism and cross-border crime in the EU by enabling police and criminal justice authorities in EU countries to exchange the information necessary for investigations more efficiently and effectively.
The Directive: (i) contains requirements for the processing of personal data for criminal law enforcement purposes; (ii) contains requirements for the free movement of such data; and (iii) replaces the 2008 Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
It sets out the same six main data protection principles as the GDPR, as well as containing some other key concepts found in the GDPR, such as a requirement for time limits to be set after which data must be erased, and enhanced rights for individuals (including the right to be supplied with certain information by law enforcement authorities). It also reflects the security requirements of the GDPR, stating that national authorities must take technical and organisational measures to ensure a level of security for personal data that is appropriate to the risk, as well as requiring that certain security measures are put in place where data processing is automated.
It requires that law enforcement authorities make a clear distinction between the data of different categories of persons including:
- those for whom there are serious grounds to believe they have committed or are about to commit a criminal offence;
- those who have been convicted of a criminal offence;
- victims of criminal offences or persons whom it is reasonably believed could be victims of criminal offences; and
- those who are parties to a criminal offence, including potential witnesses.
The ePrivacy Regulation
The current ePrivacy Directive provides a specific set of privacy rules to regulate the processing of personal data by the telecoms sector. Until it is replaced, the ePrivacy Directive will co-exist with the GDPR (which applies to all sectors, including the telecoms sector). There remains some uncertainty about the relationship between the ePrivacy Directive and the GDPR, which will require clarification.
The ePrivacy Regulation is a proposal for a Regulation on Privacy and Electronic Communications which will repeal the ePrivacy Directive. It is designed to complement the GDPR with regard to electronic communications data that qualify as personal data, and will significantly strengthen the online and direct marketing legal landscape. Initially, the aim was to replace the ePrivacy Directive with the new ePrivacy Regulation so that it would come into force on the same day as the GDPR. However, due to ongoing discussion and various legislative hurdles still to be crossed, this is highly unlikely to happen, and the ePrivacy Regulation is more likely to come into force after the GDPR.
While the GDPR regulates the processing and sharing of personal information, the ePrivacy Regulation addresses the rules organisations must follow when sending electronic direct marketing and using tracking technologies such as cookies. If it is adopted, it is proposed that it will be lex specialis to the GDPR, meaning that its terms can override those of the GDPR in case of a conflict.
Summary of main changes:
- it extends the scope of ePrivacy to cover OTT content providers
- it applies rules to new tracking and e-marketing technologies
- it aligns privacy concepts with the GDPR (consent, data breaches, territorial scope, fines)
Broader content and territorial scope. The ePrivacy Regulation aims to modernise the law, meaning that not only traditional telecoms providers will be caught but also text and email providers, internet-based voice and internet-messaging services - “over-the-top” content providers such as Skype, WhatsApp, Facebook Messenger and iMessage.
The ePrivacy Regulation will apply to any business that provides any form of online communication service, that uses online tracking technologies or that engages in electronic direct marketing, including non-EU providers that provide electronic services (free and/or paid) to EU nationals. It also changes the way that electronic communications data is currently regulated by creating separate rules for content and metadata, governing how each may be used and when consent is required. The proposal also includes new rules for the storage and erasure of electronic communications content.
Consent. The ePrivacy Regulation will reflect the GDPR approach to valid consent. This means that for consent to be valid it must be freely given, specific, informed and unambiguous. As with the GDPR, this means that, if relying on consent, anything other than clear opt-in consent to electronic direct marketing will not be valid.
Direct marketing. The definitions of direct marketing and electronic communications are broader than those in the Directive. The proposal distinguishes between B2C and B2B communications. For B2C communications, the proposal requires the sender of the communication to obtain the consent of individuals for direct e-marketing purposes. For B2B communications, however, the proposal leaves it to the Member States to ensure that the legitimate interests of corporate end-users are sufficiently protected from unsolicited communications.
Telephone marketing calls. Organisations making direct marketing telephone calls would be required to display calling line identification, or present a specific code/prefix indicating that the call is a marketing call.
Relationship with GDPR. To ensure consistency with the GDPR, as mentioned above, if the ePrivacy Regulation is adopted it is proposed that it will be lex specialis to the GDPR, meaning that its terms can override those of the GDPR in case of a conflict. Many aspects have been drafted in line with the GDPR so as to avoid such conflict: the penalties for non-compliance will reflect those in the GDPR; end users are granted many of the same remedies as provided by the GDPR – the right to lodge a complaint with a supervisory authority, the right to an effective judicial remedy against a supervisory authority, and the right to an effective judicial remedy against a controller or processor; a right to compensation for damage is also envisaged; and individuals will have the right to sue for compensation for ‘material or non-material damage’ caused by an infringement of the Regulation.
Soft opt-in. The current draft of the ePrivacy Regulation retains the soft opt-in exemption but limits it to commercial marketing in connection with the sale of goods or services where the organisation has obtained the individual’s details in the course of such a sale. However, the reference to negotiations has been removed, so the exemption is more restricted than its predecessor. Any electronic direct marketing under the soft opt-in must be limited to marketing similar products or services of the specific entity using the soft opt-in (i.e. not another group company). Also, as under the PECR, the marketing materials must be closely related to the products/services originally purchased. The requirement to give individuals a simple and clear option to opt out in every correspondence remains.