GDPR Regulations – Framework of Liability and Duties
Background
On 22.5.2018, the GDPR [“General Data Protection Regulations“] (Hereinafter: the “Regulations”) entered into effect on behalf of the European Parliament, the Council of the European Union and the European Commission, bodies serving as the legislative and executive arm of the residents of the European Union respectively.
These Regulations replaced the European Directive for the Protection of Information EC/95/46, which constituted a collection of archaic regulations that embodied the data protection mechanism of EU residents.
In contrast to the Directive, the Regulations refer and relate to the many technological fields, which their predecessors did not mention and certainly did not enforce in accordance with the level expected from Regulations that deal with the protection of privacy.
In addition, criteria such as encryption, monitoring services and Cyber Risk Training are only part of the concepts and criteria anchored within the Regulations and express the opinion that these Regulations, which are primarily installed to reinforce the residents’ right for privacy and control over the details they submit, should be carried out using up-to-date terminology, which is suitable for our time.
Apart from the increased duties that apply to any business owner or institution that’s holds personal data of EU residents, the said Regulations give a new message- just as the right to receive data as part of the provision of a service or purchase of a product is a condition for its supply, the right to be kept within a database is bilateral and can be revoked by any EU resident who does not wish to have his details preserved. The 22.5.2018 is a key date due to the manner in which the regulations are implemented- the nature of the Regulations requires continuous compliance and fulfillment- “Ongoing Compliance”, in order to avoid economic sanctions with devastating consequences.
Application of the New Regulations
Due to the nature of the bodies that have enacted the aforesaid Regulations, one may think that we are dealing with guidelines that do not have binding force vis-à-vis entities that are not part of the European Union, but this is not the case.
It should be clarified that, contrary to the previous European Directive, the Regulations are broadly applicable and aim for creating a regulatory mechanism across continents as will be described below.
The applicability of the Regulations is to any entity controlling the data (“Controller), which relies on the nature and purpose of the collected data, as well as to any entity who is responsible for the processing of the said data (“Processor”), i.e., any person or corporation, public authority or agency that establishes purposes and means for processing personal data. Such personal data may be data related to a “natural person”, such as: name, picture, IP address, email address and any information that can enable that person’s identification (hereinafter: the “Data Subject”).
As long as the nature of the data relates to the details of the EU residents, the Regulations manage to provide for their applicability while keeping the interests of the EU residents.
Several principles and basic rights alongside sanctions on non-compliance and violation of the regulations GDPR shall be described as follows:
The right to “be forgotten”
One of the rights that was first anchored in the Regulations, due to the decision of the European Court from May 2014[1] is the right to be forgotten[2] . This right gives the Data Subject the right to demand the deletion of any information about him in the following events: Lack of relevance for the purpose of collecting the data, the explicit cancellation of his consent to collect the data about him, the method of the data collection is illegal, the deletion of the data is required to meet the Data Subject’s regulatory duty.
In addition, any Controller of data who made the data collection regarding the Data Subject public, is obliged to instruct other data Controllers who process the data about the Data Subject’s demand.
Furthermore, the Data Subject may at any time require the update and/or change of any inaccuracies or errors in respect with the data collected about him.
Objection to data processing
Article 18 of the Regulations gives the Data Subject the right to object to data processing in cases where the data processing is inaccurate. In such case, the data processing shall cease immediately, until the verification of the accuracy of the information by the data Controller. Such shall apply also when the Data Subject objects to the data processing and the creation of a behavioral profile [another right anchored in section 21 of the said Regulations], when the data is collected for the purposes stated by the Controller who is using them, or when the data was collected illegally.
Sanctions for non-compliance
The Regulations are designed to maintain and establish a line alignment of the right to privacy among EU residents. The Regulations establish a unified and and particularly strict framework of sanctions against those who do not meet the Regulations and violate the rights of Data Subjects.
The Data Subjects may operate on a number of levels, including filing a complaint to the Data Protection Authority, and the option to file a direct claim against the data owners and processors. As stated above, it is important to emphasize that these two entities are not necessarily identical.
The Regulations divide the level of sanction according to several criteria: the nature, severity and extent of the violation, previous violations, the level of cooperation with the Data Protection Authority and whether the violation was committed by an act or omission.
Sanctions for noncompliance may be light as for example, reproach and warning, or, alternatively, may be aggravating penalties in high rates. It should be noted that each case will be judged on its merits.
The administrative fine may reach the sum of €20 million or up to 4% of the annual revenue cycle – whichever is higher, against blatant and serious violations of the principles of transferring data in and outside the EU.
The impact on the Israeli market and the need for immediate adjustments
As presented above, the GDPR have become and apply also to Israeli entities and/or companies that have data collection and processing connections with EU residents.
Evidently, many companies in the Israeli market are affected by the publication of the Regulations: E-commerce companies, companies that provide software as a service [“SaaS”], digital advertisement companies, placement agencies, Big Data, and many others who work with customers that are EU residents are exposed and the Regulations apply to them directly.
Therefore, our firm recommends to make changes in the manner of data processing so that would comply to the Regulations in an orderly manner, such as: Trainings for company employees, updating the consent document to use data, and even employing employees with a broad understanding of the Regulations, such as a compliance officer. All the aforesaid can be beneficial and prevent critical damage to your company or business.
In light of the premature publication of the Regulations, it has not yet been clarified how the aforementioned rules will be enforced and the severity of the enforcement is currently in question. However, we recommend that you maintain transparency in front of the Data Subjects, in order to prevent serious economic and other damages such as damage to the reputation that have the potential to become irreversible.
[1]Case C-131/12 Google Spain SL, Google Inc. v. Agencia Espanola de Protection de Datos, Mario Costeja Gonzalez
[2] Article 16 of the Regulations