JD Supra Intellectual Property Bulletin - Winter 2016

European Union’s General Data Protection Regulation to Usher in Sweeping Changes Affecting Data Protection and Privacy Practices of European and U.S. Companies

By Jonathan Millard and Tyler Newby

Introduction

In December 2015 the European Parliament, the Council and the European Commission agreed on the final text of the General Data Protection Regulation, which will replace the Data Protection Directive that currently regulates the collection and use of personal data within the European Union. The Data Protection Directive was adopted in 1995 and was in dire need of updating to keep pace with developments in data collection and sharing practices, as well as the explosion of data security breaches. The Regulation will likely apply from 2018, but its wide-ranging implications necessitate immediate attention from the business community not only in the EU, but on the global stage.

The key features of the Regulation are summarized below.

Territorial Reach

The “extraterritorial” reach of the Regulation is a key change that all non-EU entities will need to be aware of. Previously, EU law in this area applied only to those entities that control the use of the data and have some sort of establishment or equipment in the EU. However, the Regulation applies directly to any entity, wherever located, that processes personal data about individuals in the EU in connection with (i) the offer of goods or services in the EU; or (ii) the monitoring of their behavior in the EU. Jurisdiction will therefore be measured digitally rather than physically, paying less attention to the physical location of the entity undertaking the processing. When assessing this reach, regulators will look to a variety of factors, including how a website references EU individuals, the currencies accepted, and the languages used. Any profiling of EU individuals will fall squarely within these criteria. This is a huge shift, and entities that were previously outside the scope of the current law but are now likely subject to the Regulation will need to absorb it over the coming months.

Expansion of Definition of Personal Data

The Regulation expands upon the definition of “personal data” from the Data Protection Directive, the collection and processing of which is covered by the Regulation. After its effective date, personal data will include unique online identifiers, e.g., IP addresses and mobile device identifiers, as well as geo-location data about a subject. Unique biometric data such as fingerprints, retina scans, and genetic data are also included in the expanded definition of personal data.

Enhanced Individual Rights

The Regulation also requires data controllers to provide greater transparency to individuals, at the time of data collection, about the data they are collecting and how that data will be used. Most of this information should be described in a well-written privacy policy, and includes the identity and contact information of the controller, the purpose of data collection and processing, and third parties to whom the data will be transferred. The information provided must also identify the legal basis for transferring data outside of the EU. Those bases — whether the use of standard contractual clauses, binding corporate rules, or the new “Privacy Shield” — are likely to continue to be in flux until the Regulation comes into effect. Controllers also must inform individuals about the right to deletion of data about themselves, more colloquially known as the “right to be forgotten,” the right to correction of inaccurate data, the right to lodge complaints with the controller’s data protection authority, and the right of individuals to receive data that has been collected about them in a structured, commonly used and machine-readable format.

Article 4(3aa) of the Regulation also requires controllers to notify individuals if they will use personal data for “profiling,” which is defined as (a) involving automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Profiling cannot be based on certain special categories of personal data, such as racial, ethnic, or religious information without explicit consent, unless such processing is necessary for reasons of substantial public interest. Controllers will be required to use adequate procedures and implement technical and organizational safeguards to correct data inaccuracies and avoid errors, secure personal data, and minimize the risk of “discriminatory effects.” Additionally, individuals will have the right both to request the “profiling” data about themselves and to object to or demand that profiling be stopped.

Direct Liability for Processors

Data processors will now have direct obligations under the Regulation. Currently, only data controllers are subject to direct regulatory oversight; they often flow applicable obligations down to the data processor under contract, such that the data processor would be contractually liable to the data controller but would not be subject to direct enforcement or penalties from a data protection regulator. Whether a data processor is located within the EU or overseas, this is a significant shift in regulatory compliance risk. The obligations of a data processor will include implementing appropriate technical and organizational measures with respect to personal data, notifying the data controller of a data breach and, potentially, appointing a data protection officer. In addition, contracts appointing data processors will need to be more prescriptive, requiring audit rights for the data controller and a mechanism for the approval of the appointment of sub-processors.

Organizational Requirements

The Regulation imposes several internal administrative compliance obligations on data processors and controllers. First, both controllers and processors will be required to develop and maintain documentation describing their data protection policies. Both will also be required to keep a record of processing activities. Controllers and processors will be required to conduct data protection impact assessments where the proposed data processing is likely to result in a high risk to the rights and freedoms of individuals. An impact assessment evaluates the likelihood and severity of the risks involved in the proposed data processing and assesses the safeguards to be introduced to mitigate the risk. To ensure covered companies will have internal accountability for compliance, the Regulation will require data processors and controllers to appoint a data protection officer where their core processing activities require regular and systematic monitoring of individuals on a large scale, or where their core activities consist of the processing of sensitive data on a large scale. The data protection officer will have the responsibility for overseeing the company’s compliance with the Regulation.

Local Representative Requirement

As a mechanism to bring non-EU data processors within the regulatory oversight of EU data protection authorities, Article 25 of the Regulation requires both data controllers and processors that regularly collect or process personal data from EU citizens on a large scale to appoint local representatives within EU member states where they do business. This requirement is likely to apply to, for example, U.S.-based Software as a Service providers whose customers include companies with significant numbers of EU end users or employees.

Fortunately for companies that have few contacts with EU citizens’ personal information, there is an exception to this requirement for companies that do limited processing of EU citizens’ personal data. Companies that only engage in “processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of data relating to criminal convictions and offences referred to in Article 9a, and is unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing” are not required to appoint local representatives.

Harmonization and the One Stop Shop

Under EU law, a “regulation” is law directly applicable to companies acting within the EU, whereas a “directive” requires legislation to be passed at a national level implementing the general principles of the directive, inevitably resulting in a lack of uniformity throughout the Member States. Therefore a key consequence, which is not necessarily evident from the text of the Regulation but which follows from this fundamental principle of EU law, is that the Regulation will create a uniform privacy regime across the EU, in place of the current patchwork of Member State laws implementing the current directive.

Following the same theme, the Regulation will also fundamentally change the way that data protection law is supervised in the EU. A key proposal to promote this uniformity was for any given company (which may have a presence in a number of Member States) to have one point of contact for supervisory purposes. This has manifested itself in a detailed structure whereby a lead supervisory authority in the Member State in which a company has its main or sole establishment will have supervisory responsibility, with that lead supervisory authority having the ability to work with the other concerned authorities. A centralized European Data Protection Board will be established, with the ability to issue opinions on particular decisions. It remains to be seen how this will work in practice, and whether companies will have the ability to influence which lead supervisory authority is allocated to them, along with the political and tactical maneuvering this may entail to ensure the most preferable outcome for the company.

Data Transfers

There are no major changes in this area of the Regulation and, save for the Safe Harbor uncertainties, the existing methods to transfer data internationally have broadly been...
