The GDPR, more precisely the General Data Protection Regulation[i], will come into force in the EU on 25 May 2018. Being EU law, it might reasonably be imagined that it would be of minor direct relevance to institutions and establishments based offshore and outside of the EU. Not so. The territorial scope of the new regime is widely cast and will undoubtedly be of relevance to information and data travelling from the EU to offshore (and vice versa).[ii]
What is data protection? Why do we need it?
At the time of writing Facebook is in the middle of an erupting scandal involving the alleged misuse of personal data from as many as 50 million users. The allegations suggest that the data was harvested to materially impact the outcomes of the 2016 US Presidential election and UK Brexit referendum. In the internet age it is easy to see that each person’s online data footprint can be of immense importance and value. In the EU, very much the standard bearer of global data protection law, the regime protecting data currently hails from a pre-internet era (circa 1995). That is about to change with the GDPR.
As we move into this brave new world, both legally and practically, it will be increasingly important for institutions active in the EU and elsewhere to ensure they comply with all applicable rules in data protection. Allied to this is the fact that the scope of the GDPR can extend well beyond the EU and into third countries, including offshore. It means that for the first time many offshore market participants are having to think about the possible consequences and ramifications of data protection rules on their firms and businesses.
Data protection: The basics
GDPR develops many of the core concepts grounded in the EU’s original Data Protection Directive (DPD, Directive 95/46/EC):
- “Data processing”: the core obligations under the GDPR attach to data processing. Processing refers to any operation performed on personal data, whether automated or not, and includes: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Personal data” refers to any information relating to an identified or identifiable natural person, such as employees or clients of service providers.
- “Identifiable natural person” refers to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. An identified natural person is also a “data subject”.
- “Controllers” and “processors”: A controller is a person, corporate or otherwise, that determines the purposes and means of the processing of personal data. A processor is a person that processes personal data.
A single rule-book for the EU
The original DPD was an EU directive and as such considerable differences arose in its implementation across the Union. By contrast the GDPR harmonises the pan-EU position as the legislation is an EU regulation, ‘directly applicable’ in all member states. Local governments have limited input in the content of GDPR, with the exception of the level of penalties that may apply for breaches.
The usefulness of this for third countries should not be underestimated. Following the implementation of the GDPR the EU may be treated as one composite whole rather than 28 separate member states (or 31 in the case of the EEA).
Outreach beyond the EU to offshore
The GDPR extends to third countries including offshore in the following principal ways:[iii]
- It applies to processing of personal data outside the EU by controllers/processors established in the EU, regardless of whether the actual processing takes place in the EU.
- It applies to processing personal data of EU data subjects by non-EU controllers/processors, where the processing activities are related to the offering of goods or services (including over the internet) or the monitoring of behaviour.
By way of example:
- Corporate groups based inside and outside the EU will have to be very careful that data processing globally meets EU standards.
- EU-based managers of offshore funds will now need to ensure that their funds process data in a GDPR-compliant way.
- Offshore-based service providers targeting EU clients through internet sales will need to comply with the GDPR even though they may have no presence whatsoever in the EU.
Impact of GDPR on offshore business processes
Once caught by the GDPR offshore providers must ensure compliance with the core set of rights and obligations created under the regime, the most important being:
- Data processing is permissible only for certain purposes: These purposes may be met where consent is obtained from a data subject or where there is a clear public interest. However, where processing relies on consent, that consent must be freely given and may be invalidated where there is, for example, a significant imbalance in bargaining power between the data subject and the controllers/processors.
- Enhanced rights of data subjects: Data subjects enjoy significant rights under the GDPR including a ‘right to be forgotten’, right of access, right to data portability, right of rectification, right of erasure and so forth. All these rights must be built into the systems and controls adopted by controllers and processors as part of their businesses.
- Requirement to appoint a data protection officer (DPO): Each controller and processor must appoint an individual with expert knowledge of data protection law as the DPO. Many of the tasks of a DPO are similar in nature to the tasks conducted by compliance officers in financial institutions. However, DPOs need not be employees, and as such the role may be outsourced to competent third parties subject to certain checks and balances.
- Requirement to produce data protection impact assessments (DPIA): where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, a controller must carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
- Security of processing and encryption of data: controllers and processors, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such security may well include pseudonymisation and encryption of personal data.
- Data transfers outside of the EU: Data transfers to certain third countries which are recognised as offering adequate protection are permitted without specific authorisation[iv]. Data transfers to other third countries are possible, provided that the controller or processor has implemented appropriate safeguards and on the condition that enforceable data subject rights and effective legal remedies are available.
For firms and businesses accustomed to data protection regimes under, for example, the DPD, much of the GDPR will resemble evolution rather than revolution. Yes, the fines will increase, but on the whole the culture of data compliance continues much as before. In the offshore world, however, the general newness of this area means that many providers will be stepping into a brave new world of data regulation. It will be very important that the right systems and controls are put in place at the outset.
GDPR comes into force throughout the EU on 25 May 2018.
We advise extensively on the application of the GDPR and data protection rules to businesses in the EU and offshore.
[i] Regulation (EU) 2016/679.
[ii] GDPR applies additionally to the European Economic Area (EEA) which comprises the EU plus Iceland, Liechtenstein and Norway. In this article references to the EU should imply relevance to the EEA as well.
[iii] Much of the EU’s thinking in this area was actually determined prior to the GDPR and following the judgment of the Court of Justice of the EU in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014).
[iv] The European Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the ‘Privacy Shield’ framework) as providing adequate protection. Adequacy talks are ongoing with Japan and South Korea.