Since Part I, we now have a final published text of the GDPR, which is available in all the official languages of the EU. We also know that the new rules will go live on 25 May 2018. We have noted that many organisations that are looking to implement process and technological changes to be compliant with the GDPR are preparing business cases and budget proposals to be approved in the second half of 2016, with the bulk of activity focused on 2017 and 2018.
For many organisations, securing executive buy-in is essential to ensure that the appropriate resources can be deployed on a GDPR change programme. One way to raise awareness among key internal stakeholders is to highlight the strengthened enforcement powers that EU data protection authorities will have under the GDPR.
One of the headline aspects of the GDPR is that the maximum fines available to regulators will increase significantly compared to EU member-state implementations of the current Data Protection Directive 95/46/EC. Infringements of the obligations placed on controllers and processors (for example, the security, record-keeping and breach-notification obligations) may be subject to administrative fines of up to the greater of €10 million or 2% of total worldwide annual turnover for the preceding financial year. Infringements of the basic principles for processing (including the conditions for consent), data-subject rights, the rules on transfers of personal data, or noncompliance with an order by a supervisory authority may be subject to administrative fines of up to the greater of €20 million or 4% of total worldwide annual turnover for the preceding financial year.
With these increased fines comes a new cross-border regulatory regime which includes the establishment of a ‘one-stop shop’ (1SS). Under the 1SS, the supervisory authority of the member state in which a controller or processor has its main establishment acts as the lead supervisory authority for that organisation’s cross-border processing, rather than each national authority acting independently. The 1SS aims to address a number of problems that data controllers operating across the EU face under the current fragmented legal and regulatory system. Unlike Directive 95/46/EC, the GDPR will be directly applicable across the EU, creating one harmonised law for all. This should deal with the current challenges faced by data controllers and processors in complying with multiple member-state implementations of the law. However, EU member states may still carve out national rules on the processing of children’s data, data processing in the employment area, freedom of expression, and some other areas in the GDPR. Member states are only just beginning to consider whether they will exercise these opt-outs, so organisations are advised to track developments in the countries in which they do business.
The regulation also establishes a new European Data Protection Board (EDPB), an EU body with its own legal personality, to bring a more coherent approach to the resolution of cross-border disputes. The EDPB will operate a consistency mechanism under which cross-border complaints are considered by representatives of all national supervisory authorities, and under which the EDPB can issue a single binding decision where the authorities concerned cannot agree, so that one ruling emerges at the end of a regulatory investigation.
As mentioned in Part I, where a controller or processor does not have an establishment within the EU but is nonetheless subject to the GDPR (because it offers goods or services to, or monitors the behaviour of, people in the EU), it must, subject to limited exceptions, designate a representative in a member state of the EU. The representative will therefore need to engage with the supervisory authority competent in that member state should a complaint or other regulatory matter arise.
The rules on transfers of personal data to third countries outside the European Economic Area (i.e., EU member states plus Norway, Liechtenstein, and Iceland) remain largely the same for now, in that the European Commission (EC) can determine that particular jurisdictions provide an adequate level of protection for the personal data of people in the EU. However, no countries in Asia have so far benefited from an adequacy determination, which often takes several years to be agreed in any case. Japan is currently looking at applying to the EC for an adequacy decision, but no other Asian nations have emerged as potential candidates to date.
Therefore, other mechanisms need to be in place for a transfer of data relating to people in the EU to be made to a third country, including those in Asia. These mechanisms include standard contractual clauses, approved bespoke contractual arrangements, approved codes of conduct and certification mechanisms, and binding corporate rules (BCRs), which for the first time are formally recognised in the legislative framework.
BCRs may be suitable in particular for international organisations with multiple entities that wish to put in place a coherent global framework for intra-organisation transfers of personal data. However, an assessment should be undertaken in order to determine whether BCRs would deliver sufficient benefits to justify the (often substantial) time and cost commitment to see through the application process.
Although certain derogations can be used as a basis for third-country data transfers, such as the data subject’s explicit consent and a narrowly drawn compelling-legitimate-interests ground, these are intended for occasional, non-repetitive transfers, and greater certainty would be achieved by relying on a transfer mechanism formally recognised in the GDPR.
Businesses in Asia that adhere to the APEC Cross-Border Privacy Rules (CBPR) system may find that they have already gone some way toward becoming compliant with the GDPR. However, adherence to the CBPR system is unlikely to be sufficient in its own right for GDPR compliance. The CBPR system, which is principles-based, differs from the GDPR rules on transfers in that the CBPR system relies on certification by recognised non-state accountability agents, rather than on a mechanism approved by a competent data protection authority as is the case in the EU. Furthermore, the CBPR system lacks any centralised enforcement mechanism, as it leaves enforcement to each participating country. Nevertheless, the CBPR system remains a useful means by which organisations can start to put in place formal data protection policies and procedures, particularly where none have previously existed. As such, adherence to the CBPR system could be helpful in moving the organisation in the right direction toward GDPR compliance.