A Q&A with Hans Allnutt of DAC Beachcroft, LLP
Adopted in May, the sweeping General Data Protection Regulation (GDPR) replaces the EU’s long-outdated Directive 95/46/EC. The privacy regulation, which takes effect after a two-year transition period, calls for steeper sanctions and fines for violations. To find out more about what its adoption will mean for risk managers, I spoke with Hans Allnutt of DAC Beachcroft, LLP.
Can you give an overview of GDPR?
Across the E.U., we currently have a mixed legal regime governing data protection. The existing base arises out of a European “Directive” from 1995 which was centrally delivered, but all of the member states incorporated it with their own interpretations.
The GDPR’s goals are twofold: 1) to harmonize the laws throughout Europe (as a “Regulation”, member states have no scope for interpretation); and 2) to update data protection rules to reflect the modern world. The Regulation’s purpose is to protect individuals’ personal data and privacy. The new Regulation will hugely inflate sanctions from where they currently are—if you don’t comply, you can face a fine of up to €20 million, whereas, for instance, in England the maximum fine that can currently be levied is £500,000.
Data protection laws in Europe govern the “processing” of personal data. Processing has a wide definition and captures activities such as emailing, manipulating or storing personal data. The law distinguishes between “Processors” and “Controllers”. The Controller is the entity that determines the processing of the personal data. The Controller might not be the same entity as a Processor — a Processor might be the cloud computing vendor a company relies on, for example. Only Controllers are caught by current E.U. data protection laws, but the GDPR will hold both the Processor and Controller responsible if they handle any sort of personal data. Therefore we expect the number of companies caught by European data protection law to increase.
Furthermore, the Regulation’s jurisdictional scope has also been widened to include those companies that frequently offer goods and services to EU citizens or monitor their behaviour. You’re therefore included if you’re a U.S. website offering goods and services to EU citizens. All such companies will need to have a representative in Europe but what remains to be seen is how Europe will sanction and hold companies without representatives to account for infractions.
The GDPR grants data subjects an enhanced bill of rights, including portability. That means if you have an account with an electricity provider and you want to move it to another provider, that data should be easily transported and your data should be deleted from the first account.
The rules about consent are also heightened. The regulation calls for much more transparency on the part of companies that have to disclose what they’re using the data for, and companies also have to account for any old data they’re holding. The concept is “privacy by design”: Privacy has to be built into any product or service from the outset and companies that are responsible for personal data must conduct Privacy Impact Assessments. A failure to do so may attract sanctions.
Much of what the Regulation calls for are best practices that companies should have had in place all along. However, the repercussions of failing to do so are now so much starker.
The regulation’s focus on the use/collection of profiling data which many companies leverage daily through big data analytics opens them up to significant liability. Could transparency or other tactics reduce this risk?
Yes, the rules encourage transparency, so the challenge is making sure that notices are clear and actually read by the data subject—not just hidden away at the bottom of a long list of terms and conditions. In England, our regulator has said that companies should give good consideration to how they can improve these practices, and one idea is to use video instead of a document for terms and conditions. There is a realization that no one using a smartphone is going to scroll through and read a 400-page privacy notice, so this is not good practice.
Which of the new regulation’s stipulations will be most difficult for companies to adopt?
Making legacy data and legacy systems compliant is a big challenge. It’s difficult enough to deal with existing data and systems, especially for non-European companies, many of whom we expect will be caught unaware by the Regulation when it comes into effect on 25 May 2018. The other challenge is the “Privacy by Design” piece, which will require companies to consider data subjects’ rights in everything they do as a business.
Will there be ramifications for organizations that willfully decide to not report a data breach?
Yes, that will be an offense in itself. Under the new rules, you have to notify regulators within 72 hours. If you haven’t, you need to keep a log of reasons why not. Regulators will recognize justifiable reasons, but if there are no good reasons you can expect fines and sanctions.
When multiple organizations share or touch a customer’s data there is now the risk of co-liability. How does the law account for potentially unforeseen complexities with clouds outsourcing to other clouds and data that is replicated and residing in many nodes?
The bottom line is that almost any organization conducting business in the EU that handles personal data has responsibilities under the GDPR. Certainly there could be multiple culpable parties in instances of infraction. There will also be confusion in the case of a Controller and Processor who could be notifying regulators and customers of a breach at the same time. That complexity reflects the complexity of the modern world of data transfers. There is still a gray area for Processors outside of the jurisdiction, but that will be decided over time. Right now the regulators are welcoming questions, so if any risk managers have scenarios like this one to ask about, this is the time to let regulators know about your concerns.
What else should insurers and risk managers keep in mind?
My advice is to start acting now. There are a lot of steps required to put everything into place in two years. This is not an overnight process, and if you get it wrong the consequences could be devastating. Companies that are not prepared are taking a huge business risk and may have to halt operations until they are compliant. The penalty—4 percent of worldwide turnover or 20 million Euros—is very steep. Not only that, but plaintiffs have the right to claim material or non-material damages under the GDPR, so a failure to comply could potentially attract litigation. There is also a mechanism under the GDPR for not-for-profit organizations to represent multiple plaintiffs in data protection matters—a sort of class action method, if you will.
In general in the UK, we are seeing existing laws being interpreted to favor individuals and their privacy, and the validation of a new tort of the Misuse of Private Information. In the last two years we have seen judges award compensation for up to £250,000, whether it’s a newspaper hacking into a celebrity’s phone or Google’s handling of citizen data. There are lots of developments around privacy and liability in the UK and Europe, so I would advise any company to get their house in order and implement best practices to protect this data.
In summary…
We want to thank Mr. Allnutt for his legal expertise and insights into this looming compliance and cyber risk issue for many US companies (including those that are EU-based and beyond) that have a global reach and either control or process personal data on EU citizens. As Hans indicated, with this “privacy bill of rights,” there will be challenges ahead. Most immediately, there is a need for preparation to ensure that proper security safeguards addressing these rights are in place. Finally, the threat of massive penalties for violators should serve as a major spotlight on this issue.