To assist organisations in their ongoing compliance with the GDPR, we held the third in our series of webinars on keeping up with national law developments.
State of Play – National Implementation
To date, 22 EU member states and 3 EEA (European Economic Area) countries have finalised their legislation accompanying the GDPR. Six EU member states have not finalised their national legislation:
- Czech Republic
Two other countries, Spain and Finland, have recently finalised their legislative process. The Spanish law has already entered into force (on 7 December 2018), and the Finnish law will enter into application on 1 January 2019.
National Law Updates
Taking a closer look at the implementing laws, there are some notable provisions, specifically when it comes to profiling. The GDPR contains explicit provisions on profiling and automated decision-making. It gives individuals the right not to be subject to either where there are substantive consequences for them. Additional rules may be set by national law, and many member states have chosen to do so.
When looking at the national laws, there is a common thread. Almost all of the laws providing additional rules on profiling require explicit safeguards to be put in place to protect the interests of individuals, including:
- The right for individuals to express an opinion;
- The right to request human intervention or verification of the outcomes of profiling; and
- The right to appeal a decision.
From an accountability perspective, national profiling laws require organisations to put in place specific policies and procedures to implement these additional safeguards for individuals.
When we look at the guidance issued by the Data Protection Authorities (DPAs), the long-awaited European Data Protection Board (EDPB) guidelines on the Territorial Scope of the GDPR are probably the most important ones. The document was adopted on 16 November, after earlier reports of adoption in September. The current version is released for consultation, which is open until 18 January 2019.
The guidelines address the interpretation of Article 3 GDPR: When does the GDPR apply? The main rule is that the GDPR applies when personal data are processed in the context of the activities of a data controller or processor with an establishment in the EU. An establishment means there needs to be some stable arrangements, such as an office in one of the EU member states. Also, there needs to be effective and real exercise of influence by the organisation over what is happening in their EU establishment. The generation of revenue in one or more member states is generally seen as an indication of having an establishment where the GDPR should apply.
The alternative criterion to make the GDPR apply is the so-called targeting criterion. If organisations offer goods and services or monitor behaviour of persons in the EU, irrespective of their nationality, the GDPR applies as well. The EDPB now clarifies that this means that an individual indeed needs to have a physical presence in the EU, and that the goods or services need to be targeted specifically to the EU. This means that an American news outlet offering an application in a US app store is not suddenly subject to the GDPR, just because one of the users of the app is vacationing in Europe.
In order to assess whether or not goods or services are offered in Europe, the EDPB gives some assessment criteria, which include the countries mentioned on the provider's webpage, any addresses available to visit the organisation or to use for correspondence, the use of EU-based top-level domains, like .eu, .co.uk, or .de, as well as the languages used by the organisation. If the website of an organisation is available in Danish or Greek, for example, it is assumed that the goods or services are offered to people in the EU, since these languages are mainly spoken in the EU.
There is further guidance available from the DPAs. Firstly, the national DPIA lists have been assessed by the EDPB, with the aim of a harmonised interpretation of the law. Most DPAs have had to update their national lists, most importantly to add the processing of location data as a criterion for high-risk processing.
The Spanish and French DPAs have issued specific guidance on the certification of data protection officers, even though the GDPR does not contain any specific reference to the possibility of certifying individuals. The two DPAs have drafted a list of criteria that need to be met by certification providers. They have also indicated that they will not act as the certification body themselves, but will leave it to third parties to provide the (non-mandatory) certification.
Complaints & Enforcement
With the GDPR in force for over six months, we have begun to see the first enforcement actions, as well as the first fines. Over 57,000 complaints have been received so far by the DPAs since the GDPR went into application, and over 27,000 data breaches have been reported. This number may be an underestimation, considering some of the data breach statistics released by the individual DPAs: 4,500+ in Germany and 9,000 breaches in the Netherlands, alone.
Three fines have been issued to date. The first instance was a small travel agency in Austria using a CCTV camera. They were fined €4,800 for capturing large parts of a public space and for having insufficient signage warning of the presence of the camera. The second fine was more serious: €400,000 for a hospital in Portugal whose data security was found lacking. The third fine was imposed in Germany. Again, the reason was a lack of data security, this time by the social media platform Knuddels.de. The company suffered a data breach, and it was discovered that passwords were stored unencrypted, in plain text. However, because Knuddels cooperated fully with the DPA and was quick to inform its users of the breach, the fine was limited to €20,000.
Interestingly, the two largest fines imposed in the past weeks were issued under the old data protection legislation and not under the GDPR. The fines went to Uber, for its unreported 2016 data breach: €600,000 in the Netherlands and £385,000 in the UK. In this situation, both Uber Technologies and Uber B.V., the EU HQ, were found to be co-controllers, based on their influence in determining the purpose and means of the data processing operations, even though there was a processing agreement in place between the two entities.
The European Data Protection Board (EDPB)
In November, the Board adopted the Territorial Scope guidelines discussed above, as well as a mandate to develop guidance on the use of personal data for clinical trials. This month, the Board also had an interesting agenda. Four more DPIA opinions were adopted, this time for Denmark, Croatia, Luxembourg and Slovenia, commenting on the consistent application of the high-risk processing criterion. The Board also discussed the Privacy Shield Joint Review, which took place in September, and the interplay between the GDPR and ePrivacy. No information has been released so far on these debates.
However, most importantly, the Board adopted its opinion on the Japan adequacy decision. The full opinion has not been released yet, but the press release following the plenary shows the Board is not yet satisfied with the Japan adequacy decision. The decision has been sent back to the Commission with recommendations for further improvement. The Board states it "considers that the EU-Japan adequacy decision is of paramount importance. As the first adequacy decision since the entering into application of the General Data Protection Regulation (GDPR), it will set a precedent." The European Commission will now have to decide what to do next.
Nymity Research™ with Nymity GDPR Implementation Tracker™ were the privacy software tools used to derive this content. To learn more about national law developments to-date, view the pre-recorded webinar.
If you want to know more about how Nymity can support your privacy and data protection program, please do not hesitate to reach out to us: firstname.lastname@example.org.