It’s personal!, American Investor, Winter 2017
The new EU regulations governing personal data protection are something to reckon with, and for good reasons
On May 4, 2016, the EU’s General Data Protection Regulation (2016/679) was published in the Official Journal of the European Union. It will be effective across all EU member states starting May 25, 2018. Although it seems a long time, it is not, considering the nature of the required changes and the threatened sanctions for failure to implement them.
Same for all
The reform of data protection regulations was necessary and long-awaited. The existing regulations from the pre-Facebook and pre-Google era failed to keep pace with the progress of technology, resulting in frustration and fueling business and consumer distrust of privacy protection mechanisms. The Data Protection Directive (95/46/EC) from 1995 and the 28 different legal acts implementing it across the various member states (including the Polish act from 1997) made consumer data protection a huge challenge, particularly for businesses operating across borders.
The business community was especially distressed by the varying decisions of regulators in different member states and by differing security requirements within the EU for the same online services or mobile applications. In many instances the existing legal solutions were long outdated, such as the requirement for consumers’ written consent before companies could use their sensitive personal data. So the introduction of a single up-to-date regulation applying directly in all member states gives businesses hope. The General Data Protection Regulation (GDPR) also attempts to offer consumers an adequate level of protection by harmonizing the protection of their rights and freedoms throughout the EU. Those rights are guarded by the specter of harsh financial sanctions for violation of the GDPR.
A market you can trust
The preamble of the GDPR states that the regulation is “necessary to provide legal certainty and transparency for economic operators”, and to ensure that consumers in all member states have “the same level of legally enforceable rights and obligations and responsibilities for controllers and processors” of their data. The GDPR is designed to build the trust required for growth of the digital economy in the EU’s internal market.
To ensure consistent oversight and enforcement of the GDPR, data protection authorities throughout the EU (in Poland, GIODO—the Inspector General for Personal Data Protection) will be vested with the same tasks and powers, including the authority to conduct investigations, carry out corrective measures, and impose administrative fines.
The authors of the GDPR assumed that effective enforcement of the regulation requires severe sanctions for violations. But not unconditionally: if the infringement is minor, or the potential fine would impose an undue hardship on an individual, the fine can be replaced by a warning.
Under the GDPR, each national data protection authority is empowered to impose administrative fines. Under the previous regulations, the Polish GIODO did not have such power (except to impose a fine for the purpose of compelling compliance with an existing decision). The new regulations make it possible for fines to be imposed on law-breaking companies either alongside other corrective measures or instead of them. The other measures include warnings and decisions mandating or prohibiting certain actions, including a limitation or ban on processing or an order to halt the flow of data.
Under the GDPR guidelines designed for data protection authorities, fines must in each case be effective and deterrent. Infringement of the GDPR may be punished by a fine of up to EUR 20 million, and for businesses, up to 4% of their worldwide turnover in the preceding financial year. That seems to be a sufficiently painful sanction for even the biggest players on the market. Previous penalties imposed by selected national data protection authorities did not exceed EUR 1 million.
One of the main goals of the GDPR is to provide effective enforcement of data protection obligations. With this in mind, after May 25, 2018 the first fines can be expected to be imposed on stubborn offenders, as an example and a warning to others. Companies that have had trouble complying with data protection regulations in the past will have to adjust or be punished.
The specter of administrative fines is not all that courts and law enforcement agencies in EU member states will have at their disposal. Under the GDPR, a company which processes or controls personal data can be held liable for damage suffered by an individual as a result of a GDPR violation. In turn, a company which controls or processes personal data may be exempted from liability if it proves that it is not in any way responsible for the damage.
Even a single violation of data protection regulations can lead to further financial losses which are often hard to estimate. Typically, businesses become most aware of the value of data only once the damage has been done—once the security of the data has been compromised. The damage done in such circumstances, first and foremost the harm to the company’s reputation, can also affect the company’s business in other ways, including its profits. This is why many companies have recently expressed a growing interest in data protection. Increased awareness of threats—not only legal threats, but also security threats—and of the liability involved can help businesses avoid security incidents which may turn out to be costly, if not outright damaging.