GDPR compliance by May 2018Legal perspective

Johan Vandendriessche

Partner | Erkelens Law

Visiting Professor ICT & Data Protection Law | UGent | HoWest

GENERAL OVERVIEW

• GDPR is generally speaking a mature legal instrument• Builds on Directive 95/46/EC and guidance issued over many years• Issues with Directive 95/46/EC are well-known

• No harmonised approach• Scope (territorial application)• Evolution in technology• Lack of links with modern compliance and risk management methodologies

• Some issues that are currently being encountered when working with the GDPR• Linguistic issues• Scope (extraterritorial application)• Lack of transitional measures• Fine mechanism (forum shopping?)• Processing agreement issues

[Title]

LINGUISTIC ISSUES

• GDPR• Regulation with direct legal effect in the legal order of the Member States

• Harmonisation is achieved by a single legal instrument

• Language of the legislative process: English

• Official translations in official languages• Small differences exist between these versions

• All versions are authentic

• In case of doubt: apply the English version?

[Title]

LINGUISTIC ISSUES

• Some examples• Article 34.1 (personal data breach notification)

• Onverwijld

• les meilleurs délais

• without undue delay

• unverzüglich

• Article 37.1 (DPO)• Hoofdzakelijk belast

• Activités de base

• Core activities

• Kerntätigkeit

[Title]

SCOPE ISSUES

• Personal scope is expanded to processors (major improvement)

• Territorial scope in relation to processors• Establishment in the EU

• Establishment outside the EU: “processing activities related to”• Offering of products or services to data subjects in the EU (including free services)

• Monitoring of behaviour of data subject in the EU

[Title]

SCOPE ISSUES

• Establishment in the EU• GDPR applies to processor established in the EU

• Equal application to controllers falling under GDPR or not

• Practical issue of convincing the controller to apply the processor regime and agreement

• Issues in relation to data transfers• Importing data will lead to issues with international data transfers• Exporting data will be extremely difficult

• No adequate standard contractual clauses (C2C and C2P, but not P2C)• Exception regime will be difficult to apply• Legitimate interest does not allow structured transfers

• Commercial disadvantage to EU based processors offering services to non-EU based “controllers”

[Title]

SCOPE ISSUES

• Establishment outside the EU• “processing related to”

• Vague concept

• How strong must the relation be?• Sub-processor of a processor of an e-commerce company?

• If low, scope creep

• Service offering to a data subject in the EU• Extremely large notion, e.g. informational websites are an information society service and

thus appear to fall under this criterion

[Title]

NO TRANSITIONAL MEASURES

• GDPR entered into effect on 25 May 2016 and applies from 25 May 2018• “big bang” effect• No transitional measures for existing processing activities

• Transitional measure in relation to consent?“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”

• Consent based processing is unduly burdened by the increased quality requirements and the lack of transitional measures• Right to retract would have offered sufficient guarantees on its own

[Title]

NO TRANSITIONAL MEASURES

• No real transitional measures for consent• No consent complies with GDPR due to increased quality and transparency

requirements• Implicit consent are ruled out (generally accepted under Directive 95/46/EC)• Information notice is much larger under the GDPR, thereby excluding “informed”

consents

• Impact• New consent required• Changes to consent are not aligned with soft-opt in regime or opt-out regime

for direct marketing purposes (Book VI and XII of the Belgian Code of Economic Law)• Switch to legitimate interest (promoted under GDPR)

[Title]

ADMINISTRATIVE FINES

• Possibility of high administrative fines in case of breach• EU established controllers and processors cannot escape application

• Non-EU based established controllers and processors may apply ‘forum shopping’• Seek supervisory authorities with low enforcement agenda

• Structure concern to create a bottleneck• Holding company outside EU with a small subsidiary in the EU

• Fine is directed towards EU subsidiary, partially shielding the holding company

• Difficult to apply administrative fines to non-EU based controllers and processors• Practical disadvantage for EU based controllers and processors

[Title]

DATA PROCESSING AGREEMENT ISSUES

• GDPR may offer some unexpected benefits in the ICT contract area• Combination of data subject rights and data processing requirements

• Conflicts between article 28 of the GDPR and boilerplate clauses?

• GDPR requires description of the processing activity• Contracts are private laws (article 1134 of the Belgian Civil Code)

• Contract changes require mutual consent• Contract changes are often subject to formal requirements agreed between the parties• Cumbersome to include changes in the data processing activities in existing agreements

• Description is not always desirable• Zero-knowledge encryption based services• Liability risk for the processor under the liability exemption regime for information society

service providers?

[Title]

COMPLIANCE IS MOSTLY ACHIEVABLE

Johan Vandendriessche

Johan.vandendriessche@erkelenslaw.com

www.erkelenslaw.com

[Title]