By Sara Gerke
The EU’s General Data Protection Regulation, which came into force two years ago but became directly applicable in all EU Member States only last week, aims to establish an equal level of protection for the rights and freedoms of natural persons with regard to the processing of personal data in all EU Member States.
Each of us has been inundated with emails in the last few days and weeks, informing us about the GDPR and asking us, among other things, to review updated privacy policy. This flood of emails is, in particular, the consequence of the GDPR’s imposing administrative fines for infringements.
According to its territorial scope, the GDPR can also impact US companies that process personal data of data subjects who are in the EU. For example, this is the case for newspapers and affiliated websites, where the processing activities are related to the offering of services or goods, irrespective of whether payment is required. Some papers decided to simply block users in the EU, rather than abide by the GDPR’s provisions.
Administrative Fines
But why is GDPR so difficult to abide by? In particular, under Article 83(5), infringements of certain provisions of the GDPR can be subject to fines up to €20 million, or in the case of a company, up to four percent of the total global annual revenue of the preceding financial year, whichever is higher.
This is obviously a significant amount, and due to the somewhat opaque formulation of the GDPR’s requirements, it is easier for some companies to simply cease operation in the EU rather than complying with them.
Principles of the GDPR
The GDPR’s principles relating to the processing of personal data are laid down in Article 5 and include lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality of personal data, as well as accountability.
Article 6 of the GDPR sets out the requirements for the lawfulness of processing personal data, which shall be lawful, for example, only if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.
The conditions for consent are provided in Article 7. In particular, the request for consent must be presented in an understandable and easily accessible form, using clear and plain language. Consent must also be clearly distinguishable from other matters and as easy for the data subject to withdraw it as to give it.
Consent can also be obtained by ticking a box when visiting an internet website (recital 32). This is why it seems as though nearly every company you have ever interacted with online has sent you an email in the past weeks asking for explicit consent to process your personal data.
In addition to this digital footprint, the GDPR also classifies some personal data as “special”. These include, among other things, genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health (Article 4(13)-(15) of the GDPR).
The term “genetic data” is defined as “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”. One example of genetic data is DNA analysis, or products from companies such as Ancestry.com or 23andMe.
Genetic data is differentiated from “biometric data”, which is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprints] data”. The fingerprint for unlocking a smartphone is an example of biometric data.
The term “data concerning health” means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”, such as a medical history.
Under Article 9(1) of the GDPR, the processing of these special categories of personal data is prohibited. However, an exhaustive list of exceptions is made in Article 9(2). In the health care context, especially, the exceptions referred to in points (a), (h), (i) and (j) are relevant.
For example, special categories of personal data may usually be processed where explicit consent has been given for one or more specified purposes or “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional”.
Special categories of personal data may also be processed where processing is necessary “for reasons of public interest in the area of public health” or usually “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.
Concerning the processing of genetic data, biometric data or data concerning health, the EU Member States can introduce or maintain additional conditions, including further limitations (Article 9(4) of the GDPR).
Rights of the Data Subject
The GDPR also regulates in detail the rights of the data subject, such as the right of access (Article 15), right to rectification (Article 16), or the right to erasure (“right to be forgotten”) (Article 17).
However, the right to be forgotten does especially not apply in cases where processing is necessary “for [some] reasons of public interest in the area of public health” or usually “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.
Data Protection Officer (DPO)
The GDPR also requires the designation of a data protection officer (DPO) in specific cases (Article 37). For example, the controller and the processor must designate a DPO in any case where their core activities consist of processing on a large scale of special categories of personal data.
In other words, a specialized officer with expertise in data protection law and practices will now need to oversee the processing of large amounts of data concerning health, for example.
To sum up, the GDPR is a new milestone for data protection across the EU. The new instruments such as the penalties for breach, the right to be forgotten, or the designation of DPOs are likely to ensure a consistent and high level of protection of the rights and freedoms of natural persons with regard to the processing of personal data in all EU Member States.
