Newsletter - January 2019

FIRST RESULTS OF THE IMPLEMENTATION OF THE REGULATION

For those wondering what could have happened after May 25, 2018, the start date of the new regulation in the EU, two numbers show that the regulation responds to a need and that the Supervisory Authorities have a powerful tool at their disposal: on one hand, we learned that over 95,000 claims have been filed with EU’s Supervisory Authorities since May 2018 and on the other hand, the French Authority, CNIL, has issued Google a $50 million fine for failing to provide enough information to its users about how their personal information is used.

As a reminder, the Regulation is in force throughout the EU even though 5 countries have not yet formally implemented their legislation according to their obligations as EU members.

In regards to the recorded complaints, the implementation of the new regulation clearly shows that the “data subjects”, defined by the GDPR as EU citizens whose personal data are collected and processed by the Controllers subjected to the Regulation, were affected not only by the practices put in place by such organizations but also by the difficulty to have direct access to the collected and processed information as well as access to the Supervisory Authorities if this information needed to be corrected. It will of course take time for these Authorities to process all the complaints and we can expect that they will tend to prioritize the most visible cases in order to establish their credibility and to bring awareness to both the public and the Controllers.

A prime example in that respect is the decision imposed by the CNIL on Google: not only is it based on Google’s failure to be transparent as a Controller, when transparency is one of the main requirements of the regulation, but also the amount of the fine gives something to think about: 50 million Euros is more than the maximum 20 million specified in the Regulation but less that the other maximum of 4% of Google global revenue for 2017. Controllers will quickly understand that even though Supervisory Authorities wish to remain accommodating, they will not hesitate to take action and impose heavy fines.

It can also be noted that Google is expecting another ruling from the CNIL regarding its practices in violation of the GDPR, which could increase the amount of fines. Even though $60 or $100 million represent only a fraction of Google’s profits, will investors be willing to accept such losses? Worse, other European Supervisory Authorities could also penalize Google and, in the end, the total amount of the fine for a single violation could reach $800 million. As expected, Google is prepared to appeal the CNIL’s decision.

At this time, the other two decisions taken concerning GDPR in the EU come from the German and Austrian Authorities and pertain to much smaller companies with lesser offenses resulting in smaller fines ($22,000 and $6,000 respectively).

A NECESSARY AND STRATEGIC PROTECTION: CONTRACTS WITH PROCESSORS

When analyzing the methods used to process personal information collected in your business, you often realize that this information is transmitted, then stored or partially processed by an external entity: the Processor. Therefore, for your own security and the compliance of your business with GDPR, it is strategically important to establish a written contract with the Processors and that such contract include the provisions mandated or suggested by GDPR.

On this matter, the General Data Protection Regulation specifies several provisions that need to appear in the contract for, if the Controller is primarily responsible for the GDPR obligations, transmitting personal data to a third party allows the Controller to discharge part of its responsibility when a violation of the regulations occurs at the Processor’s level.

Contracts with Processors must specifically include:

  • A complete description of the processing performed by the Processor (purpose, duration, objectives of the processing, types of data processed, types of person whose personal data is processed);

  • Important or mandatory provisions, including the facts that the Processor must access and process the personal data in strict conformity with the Responsible Party’s written instructions; that the Processor has implemented all the security measures to ensure the confidentiality of the data and to forbid any processing of the data outside of the contract; that the Processor cannot hand over the data to another sub-contractor without (1) the prior written authorization from the Responsible Party and (2) the existence of a written contract with the sub-contactor ensuring the sub-contractor’s full compliance with GDPR; that the Processor commits to fully cooperate with the responsible party when responding to legitimate inquiries regarding personal data; that the Processor must cooperate with the responsible party in order to keep the responsible party in full compliance with GDPR with regard to the outsourced personal data; that the Processor must consent to periodic inspections and audits; that, at the end of the contract period, the Processor is obligated to destroy or return to the responsible party all the personal data acquired during the term of the contract.

FIRST GDPR ADEQUACY DECISION

Japan is the beneficiary of the first adequacy decision adopted last week by the EU.

This decision will solidify the EU-Japan relationship with regard to the transfer of personal data.

All adequacy decisions existing under the prior EU rules are now being re-evaluated with the implementation of GDPR. One example is the notification by the EU to Switzerland that the current federal legislation about personal data protection, LPD rule, is not compatible with GDPR. In 2017, Switzerland issued a reform proposal of the LPD, but the EU rejected it as being insufficient and has since then asked Switzerland repetitively to come up with a bill that is compatible. As of now, the Swiss Confederation has not issued any new proposal nor communicated any work schedule on the matter, which could endanger the position of the country with regard to the transfer of personal data.

The invalidation of the adequacy decision currently in place could force Swiss companies subjected to GPDR (i.e companies collecting personal data from citizens located in the EU and processing or having them processed in Switzerland) to adopt “appropriate guarantees” meaning a mandatory code of conduct compatible with GDPR or other binding corporate rules (GDPR Art. 46 and 47). Such complicated procedures could lead to potentially high additional costs for the company.

WHO WE ARE

LegIT-Team is composed of legal and IT experts and specializes in providing GDPR compliance services to organizations. Services include:

  • Organizational review
  • Identification of the processes and procedures to improve or create
  • Identification of the short and long term priorities and resources to implement
  • Full management and implementation of the GDPR compliance requirements

Please contact us at info.legit-team.com to see how we can help you navigate and maintain your organization in compliance with the new Regulation.