This post was provided courtesy of Tom de Cordier, Partner at CMS DeBacker. Tom possesses extensive experience in privacy and data protection law, telecommunications law, IT law, and technology-related IP.
The second week of April 2016 was another busy week in privacy land! Two major developments took place:
- An important EU body criticized the EU-US Privacy Shield
- The EU Parliament adopted the long-awaited EU data protection regulation
The new regulation and the Privacy Shield will play a major role in shaping the future data protection rules for Europe and far beyond. For this post, let’s focus on the General Data Protection Regulation. In this GDPR summary, I’ll cover the regulation’s requirements as well as encryption’s role in it.
GDPR: What is it about?
On Thursday the EU Parliament voted what is known as the “General Data Protection Regulation” into law. It runs to 173 recitals (explanatory statements) and 99 Articles over 260 pages (in the English version). It took four years of heavy political debate and intensive industry lobbying (resulting in a stunning 4,000 amendments, a record in the history of EU law-making) to get the GDPR adopted.
The GDPR has been criticized heavily and many myths have been spread about it. Here is my take.
Many are saying that the GDPR will bring about a massive overhaul of the EU’s current data protection regulatory landscape. I respectfully disagree.
Certainly, the new rules are generally stricter and more demanding for businesses than the current rules. However, many rules that are now hailed for being new are actually not so new.
Take, for example, the right to be forgotten. The current EU rules already provide for a right to have personal data deleted or made unavailable and the Court of Justice of the EU confirmed this in its landmark Google Costeja decision of 2014.
Another example is the GDPR’s provisions relating to consent. Admittedly, the GDPR contains more detailed provisions regarding consent (think of the requirement that consent be “presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”), but the key requirements for consent (i.e., that consent must be free, informed, specific and unambiguous) already exist under the current rules.
How the GDPR could change data security
Nonetheless, the GDPR will bring a number of important changes. One of the areas where I expect significant change in the next few years is data security, particularly the increased adoption of data pseudonymisation and data encryption best practices. I have three reasons to believe so:
1. Data protection standards established
Firstly, the GDPR requires businesses to implement technical and organizational measures to provide appropriate protection to the personal data they hold.
When determining such security measures, businesses must take into account the nature, scope, context and purposes of their use of personal data. So far, nothing really new.
What is new, however, is that the GDPR now expressly states that such measures include:
- The pseudonymisation and encryption of personal data
- Measures to ensure resilience of systems and services processing data
- Measures that allow businesses to restore the availability and access to the data in the event of a breach
- Frequent testing of the effectiveness of the security measures
In short, with the introduction of the GDPR, encryption and other security measures are established as data protection standards responsible organizations are expected to utilize or face the consequences. Speaking of which…
2. Data breach notification requirements
The GDPR will introduce a name-and-shame mechanism whereby businesses will have to notify the data protection authority if there is a security incident that affects the integrity, confidentiality or security of the personal data that they hold.
If the breach is likely to result in discrimination, identity theft or fraud, financial loss, damage to reputation, or other significant economic or social disadvantages for data subjects, businesses will have to notify the breach to the affected data subject.
Importantly, no notification to the data subjects will be required if businesses have implemented appropriate technical and organizational security measures in respect of the data that were affected by the breach.
So if, prior to the breach taking place, the data were rendered unintelligible, for example by means of encryption, businesses will not have to notify the data subjects of the breach.
3. The high cost of security failures
Finally, the EU wants the new data protection rules to become a board-level issue and it has therefore decided to make the rules subject to hefty fines:
- If a business fails to comply with its data security obligations under the GDPR, it may get a fine of up to 10,000,000 EUR or 2 % of its total worldwide annual turnover, whichever is higher.
- Even worse, if a business is found to be in breach of certain other obligations under the GDPR, the fine may go up to a dazzling 4 % of its total worldwide annual turnover.
To sum up this GDPR summary: based on the above, I expect that in the coming years data security will be high on the agendas of many a board of directors. And, on the back of that, I expect that data pseudonymisation and data encryption will become standard best practices in Europe and beyond.