After over three years of discussion, the new EU data protection framework has finally been agreed. It takes the form of a regulation: the General Data Protection Regulation. The GDPR will replace the current Data Protection Directive, will be directly applicable in all member states without the need for implementing national legislation, and is likely to come into force in the first half of 2018. It has not yet been published in the Official Journal, so the numbering of the articles will change. Technically, changes to the content are also possible, though hopefully unlikely.
It is a sizeable piece of legislation, currently with over 130 recitals and over 90 articles, which makes a number of significant changes to the current regime. These will have an impact on all businesses and the cost of complying with the new law is likely to be substantial.
Set out below is a punt at what might be the key changes for litigators. Time will tell which emerge as the most important.
The thing that has caught the headlines is the potential fines under the GDPR. Data protection authorities will be able to issue administrative fines of up to 4% of an undertaking’s total worldwide annual turnover in the preceding financial year. This puts compliance with data protection legislation in the same league as compliance with competition legislation.
The hurdle that you are required to clear to show that you have the data subject’s consent to process data, sometimes relied on in the context of litigation, is going to be higher. The fact that consent is being sought needs to be separately drawn to the attention of the data subject and it cannot be extracted in return for something else (in the language of the agreed text, the “utmost account” shall be taken of whether provision of a service/performance of a contract is made conditional on consent).
Transfers to a foreign authority or court
A transfer of personal data to a foreign authority or court is one of the most common issues litigators face in practice. It is now expressly provided, in what is currently article 43a, that a judgment of a foreign court or administrative authority requiring a controller or processor to disclose or transfer personal data will only be recognised and enforceable if it is based on an international agreement (such as a mutual legal assistance treaty) which is in force between the requesting third country and the member state.
In a recent development, the UK government announced on 4 February 2016 that it will not opt in to the parts of article 43a that restrict a member state from enforcing a judgment requiring the transfer or disclosure of personal data where there is no international agreement or treaty.
Separately, on 2 February, the European Commission announced that it and the United States have agreed on a new framework for transatlantic data flows known as the EU-US Privacy Shield.
Putting these recent developments to one side, it may still be possible to rely on other derogations to legitimise a transfer to a foreign court or authority, for example that:
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
- The transfer is necessary for the purposes of compelling legitimate interests of the data controller.
The fact that, under article 43a, the mere existence of a foreign judgment or request from a foreign authority is not, without more, a justification for a transfer, and the fact that other derogations remain available under other articles, do not represent a dramatic change; but overall, subject to the recent developments, the legal test to justify a transfer to a foreign court or authority has been made harder to satisfy.
The bigger issue is the question of fines for infringement (mentioned earlier), which will alter the weight attached to the need to comply with data protection laws when compared to the need to comply with the foreign authority or court.
One of the grounds for justifying a transfer to a foreign authority or court, among others, has historically been to argue that the transfer is in the legitimate interests of the data controller. As noted earlier, this ground will remain a potential legal basis for processing data under the GDPR and will now be harmonised across the EU. Helpfully, it will also be expressly recognised as a basis for transferring data out of the EU, unlike under the current Directive. However, the circumstances in which you may rely on it have been narrowly defined, so they will be much harder to fall within.
Subject access requests
The regime for subject access requests, sometimes used to elicit a form of pre-action disclosure, has shifted in favour of the data subject (the controller needs to respond more quickly and there is no fee payable to the controller for the initial request).
Records of data processing
The GDPR introduces onerous requirements to keep records of data processing. For litigators, this means their clients will need to keep a proper record of the decisions made in relation to processing of data for litigation, and a proper process will need to be followed, all of which will be available to the supervisory authority.
Limits on data retention
The limits on data retention have been toughened up. Litigators and their clients will have to think hard about how long to hold on to data. The GDPR acknowledges that anonymous data is not subject to the principles of data protection.
There are new requirements in relation to sub-contracting (that is, the use of data processors) and this will require changes to be made to the contracts with, for example, processors used for disclosure. Data processors will also be caught directly by the new legislation.