
Cheat Sheet on EU General Data Protection Regulation (GDPR)

June 2015

Written by Ardi Kolah LLM FCIM and Prof Bryan Foss of GO DPO

Q1: What's the significance of the Council of Ministers' version of GDPR published on 15
June?

What this means is that the Council of Ministers has political agreement on the basis of
which it can now begin negotiations with the European Parliament with a view to reaching
overall agreement on GDPR by the end of the year.

Negotiations with the European Parliament and the European Commission start as planned
on 24 June 2015. For a complete picture of the roadmap, click here.

Q2: In addition to GDPR, what other moves are contributing to reforms in data protection
and privacy law across the EU?

This can be summarised as:

- EU Data Protection Directive
- EU Charter of Fundamental Rights
- EU Digital Single Market

EU Data Protection Directive

This is a separate law being proposed to govern the use of personal data in the area of
law enforcement and crime. The expectation is that the debate on the EU Directive as well
as GDPR by the Council and European Parliament will be run in tandem, with an outcome
expected in October 2015.

EU Charter of Fundamental Rights

The Charter is an important development as it's the first formal EU document to combine
and declare all the values and fundamental rights (economic and social as well as civil and
political) to which EU citizens should be entitled. The main aim of the Charter is to make
these rights more visible. It is important to note that the Charter doesn't establish new
rights but assembles existing rights that were previously scattered over a range of
international sources. Now that the national courts and the Court of Justice of the European
Union (CJEU) have to consider the Charter, it can be used to assist in cases where EU law is in
issue, and clearly GDPR needs to be seen within this context.

EU Digital Single Market

In May 2015, the EU outlined its strategy to create a digital single market. The thrust of the
proposals included establishing standard rules for buying goods online, pruning cross-border
regulations on telecoms and reducing the tax burden on business. The plan also calls for a
comprehensive assessment of whether Facebook, Google and other internet platforms
distort competition (aside from posing significant data protection and privacy risks).

EU Commission President Claude Juncker has promised to transform the EU single market
for the digital age by removing regulatory walls, moving away from 28 national markets to a
single one and generating €415 bn ($468 bn) a year for the European economy as well as
creating 3.8m new jobs.

The call for reform isn't simply politically motivated: many businesses from within and
outside of the EU have been pressing for reform in order to compete on a level playing
field rather than risk facing fines and penalties across 28 Member States that pursue their
own competition, data protection and privacy laws and regulations.

It's against this backdrop that GDPR is the final piece of the jigsaw that will create a very
different picture of the European Union from the one that exists at present.

Q3: What are the main drivers for GDPR?

There are three key drivers for reform:

- Simplifying the regulatory landscape and framework
- Updating rights and obligations to the opportunities and challenges of the digital world
- Strengthening enforcement

The core element of the European Commission package is to completely update and
modernise the principles of the 1995 Data Protection Directive. It sets out the rights of the
individual and establishes the obligations of those processing and those responsible for the
processing of the data. It also establishes the methods for ensuring compliance as well as
the scope of sanctions for those in breach of the rules.

Q4: What's at the root of the reforms being proposed?

This can be summarised as putting individuals back in control of their own data. This is
perhaps at the root of the proposed data protection and privacy reforms and has the biggest
impact of the changes being proposed by the European Commission. In many ways, this
principle more than any other is an attempt to re-establish fundamental rights as well as to
strengthen trust within the digital single market.

Q5: What are the main features of GDPR?

There are 4 main features of the EU Regulation:

- Putting individuals back in control of their own data
- Portability of data
- Breach notification
- More effective supervision and enforcement
- One-Stop Shop

Putting individuals back in control of their own data

This is perhaps at the root of the proposed data protection and privacy reforms and has the
biggest impact of the changes being proposed by the European Commission. Perhaps more
than in any other part of the EU Regulation affecting data protection, the proposed reforms
mean putting individuals back in control of their personal information in order to
re-establish fundamental rights as well as to strengthen trust within the digital single market.

The cornerstone of this is strengthening existing rights such as the so-called right to be
forgotten and improving citizens' rights to be informed if their data is hacked.

Portability of data

One of the proposed eye-catching reforms to be included in the GDPR will be portability of
personal data across the EU. This is essentially about allowing users to extract in a
structured format personal data from service providers and to move that personal data to
another provider.

This idea stems from what happens in the mobile telecoms sector and it's about giving more
say to individuals to decide what happens to their data in practice: being able to effectively
make a choice in the market and in that way lower the barriers to entry, in particular to
those markets which are currently dominated by very few big players.

According to the European Commission, this is an example of a question of balance taken
within the GDPR: one of balancing fundamental rights as well as complementing the principle of
competition within the internal market.

Breach notification

In this area, the European Commission has studied in detail what some States in the USA
have adopted in terms of data breach notifications and is convinced of the case for a
federal approach across the EU. In practice, the same idea is true for the protection of
privacy by design. This is about investing in good data protection practice and methods as
early and as far upstream as possible in the provision of goods and services.

More effective supervision and enforcement

The new emphasis on supervision and enforcement placed by the European Commission
reflects the transition from an ex-ante to an ex-post data protection and privacy system.
Data protection and data breaches have become much more serious and relevant, and
currently we don't have a credible set of enforcement rules and sufficiently dissuasive
sanctions. In Europe, we have a very fragmented situation where certain countries have the
power to impose financial sanctions and some countries don't appear to have that power.

The European Commission drew inspiration from other areas of European law, such as competition
law, in looking at the issue of supervision and enforcement. There have been a lot of
misgivings about the level of fines, and it should be emphasised that these are a ceiling: it's
about a maximum amount of fine which will be applicable to the most serious cases of
violation.

The fine will be between 2-5% of global turnover or €100m and will be based on a number
of factors including:

- duration of the data breach
- seriousness of the data breach
- negligence or intention
- nature of the violation
- impact on users
- other factors.

Mitigation factors include having taken all necessary steps to comply with the principles of
the EU Regulation including the appointment of an independent Data Protection Officer
(DPO).

One-Stop Shop

This is one of the jewels in the crown of GDPR and clearly the European Commission sees
this as being fundamental in terms of enforcement and supervision that sits alongside its
strategy for the digital single market and the Charter of Fundamental Rights.

What's now proposed is a two-level structure that provides the benefit of proximity for
complainants against organisations and companies by recourse to their own Data Protection
Authority (DPA) and the courts, as well as making it easier to launch a cross-border
complaint by reference to a single adjudication body (the lead DPA of the main
establishment).

In this new regime, both bodies will need to agree on the interpretation of the GDPR rather
than having diametrically opposed interpretations that would negate the operation of a
one-stop shop mechanism. The one-stop shop has become more congruent and more
consistent in the interpretation and application of EU data protection laws throughout the EU,
and this is good in terms of legal certainty.

The European Commission's view is that the one-stop shop is more effective in the protection
of users' rights, and this appears to have gained consensus within the European Parliament
and the Council of Ministers.

Negotiations around the one-stop shop mechanism took a while and were debated in detail
by the Council, where it was important to strike the right balance and to have the ability
to adjudicate on cross-border cases with one interpretation of the data protection rules.

Although the UK did have reservations about the one-stop shop principle, the compromise
that's been reached between the Council, Parliament and Commission safeguards the level
of proximity for a remedy, in particular when the complaint of an individual is rejected and
therefore a decision has a negative impact on that individual.

At the same time, the one-stop shop maintains a key objective of having one interpretation
of the GDPR in cross-border cases and in many respects reinforces it.

GDPR is therefore likely to reflect the following mechanism for the one-stop shop:

- when the decision involves measures to be taken vis-a-vis the control of the processor,
the imposition of a fine, an injunction or putting an end to certain processes, then that
decision is jointly agreed and will be formally adopted by the DPA of the main
establishment
- when the jointly agreed decision has a negative impact on the individual by rejecting
their complaint, it will be adopted by the local DPA, and in that way it ensures that the
decision can be challenged before a domestic court of the complainant.

Given this additional safety valve, the European Commission feels that the Data Protection
Board wouldn't have to intervene except in relatively few cases. Where the local DPA isn't
able to reach agreement with the DPA for the main establishment, then the matter will be
referred to the European Data Protection Board (EDPB) and that decision will be binding on
all parties. This is a legally more robust position from the perspective of the Charter of
Fundamental Rights.

Q6: Is agreement on the other outstanding bits of GDPR likely to be achieved before the
end of 2015?

Good question, and unfortunately we don't have a crystal ball!

There's a fair amount of consensus already in place, but nothing is agreed until everything is
agreed. Even as the critics slam the European Commission, Council and Parliament for
dragging their feet over the progress of data protection and privacy reform across the
European Union, it should be remembered that this is one of the biggest shake-ups in data
protection and privacy for over a decade.

The litmus test will be to see how fast progress in the negotiations can be made after the
European Parliament, Council and Commission return to work after the summer recess in
September 2015.

Q7: What bits are there still significant disagreements on?

On paper, there appears to be a very long list of differences of opinion on what should and
shouldn't be included in GDPR.

For example, the Council favours a high degree of flexibility for EU Member States to
implement data protection laws in their territory as they see fit. But this smacks of being
more like a Directive than a Regulation and is unlikely to carry through to the final
version of GDPR.

In reality, all sides aren't that far apart, and we'll see this as the trilogue negotiations start in
earnest from 24 June 2015.

Q8: Where can the different versions of GDPR be read in a table format?

The idiom "can't see the wood for the trees" comes to mind! Getting bogged down in the detail
of GDPR can be overwhelming, so this table takes the stress out of trying to see where the
differences lie in each GDPR version.

However, from 24 June many of the differences will start to get resolved, so the
positions in the table will of course change, and we'll report this on our website and on
Twitter.

Q9: What should companies and organisations do now to prepare for life under GDPR?

There are many things that companies and organisations should think about doing NOW, and
these include:

- Minimize data collection: the proposed GDPR has strong requirements that
companies limit the data they collect from consumers
- Report promptly: data breach notification is a new requirement that EU companies
will have to handle
- Retain carefully: the GDPR minimization rules apply not only to the scope of the
data collected but also to how long it's kept. In other words, you shouldn't be storing
data longer than is necessary for its intended purposes
- Beware the new definition of personal identifier: GDPR expands the definition of
personal identifiers, and this change is important because the EU law centres on
protecting these identifiers
- Use clear and easy to understand language: companies will need to obtain explicit
consent (an opt-in from the consumer) when collecting data
- Find your delete key: the right to erasure means that when consumers withdraw
consent on data they've given, companies will have to remove it
- Remember cloud computing doesn't escape from requirements under GDPR: the
new EU Regulation follows the data.

Q10: How do I keep up to date with progress on the trilogue negotiations?

Our website has a load of information and news written in a friendly and jargon-free way, so
please feel free to come and visit us anytime. Also follow us on Twitter @EU_Compliance,
where we post breaking news. And you can email Ardi@godpo.eu with your questions and
we guarantee to answer all emails quickly!
