Unless you've been living on another planet, I'm sure you have all heard about the GDPR. Well, the GDPR came into force today and I thought I'd start the day with a GDPR quiz with the intention of clarifying a couple of misconceptions and misinterpretations about the GDPR.
Here it goes…
1. The GDPR is a new area of law that creates new rights for individuals
False. Data protection has existed since 1995 in the European Union and even longer under national Member State laws (Germany being one of the first EU Member States to adopt a data protection law in 1977). At an international level, the OECD adopted its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980 and the Council of Europe adopted Convention 108 for the Protection of Individuals with Regard to the Automatic Processing of Personal Data in 1981. So, as you can see, data protection is not a new area but it has evolved and become significantly more important with the adoption of the GDPR.
The GDPR does create some new rights for individuals (such as the right to data portability) but most of the data protection rights already existed under the EU Data Protection Directive of 1995.
2. I must now obtain prior and explicit consent from individuals before I can collect their personal data.
False. This is perhaps the most frequently misunderstood provision of the GDPR. The GDPR requires companies to collect and process personal data lawfully, meaning that any data processing activity must have a legal basis. Consent is one of them, but not the only one. There are six possible legal bases for processing personal data under the GDPR, including where processing is necessary for the performance of a contract with the individual or to comply with a legal obligation to which the company is subject.
Furthermore, contrary to what is often believed, consent is not required as a legal basis for processing personal data from employees in the employment context. Quite the contrary, the national data protection authorities have said for many years that consent cannot be deemed a valid legal basis for processing employee data because of the hierarchical relationship between an employee and an employer, which does not allow employees to "freely" give their consent.
Lastly, in general, consent does not need to be explicit. "Explicit" consent is required only in specific and limited cases, such as when you collect a person's sensitive personal data (racial/ethnic background, health data, religion, political views, etc.) or when you are transferring a person's personal data outside the European Union on the basis of their consent.
3. Direct marketing requires prior consent.
False. The GDPR does not require prior consent for marketing activities. Actually, it says quite the opposite under Recital 47: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest".
So what is all the fuss about "re-consenting" to mailing lists that we've all been receiving in recent weeks? Well, there is a separate EU text called the ePrivacy Directive that requires consent for direct marketing when it is carried out electronically. The term "electronically" is the key word here because the ePrivacy Directive actually aims at protecting privacy in the context of electronic communications. And so, if a company wants to send you marketing messages by email or SMS, then indeed it must obtain your prior consent. Note, however, that there are some exceptions to this rule, so consent is not systematically required.
To learn more about the rules that apply to e-marketing, check out Phil Lee's article on re-consenting to marketing.
4. As an individual, I can now exercise the right to be forgotten.
True. But the right to be forgotten is largely misunderstood. It is not an absolute right to ask any company to erase all your personal data. The right to erasure is limited to certain conditions, such as where the personal data are no longer necessary to achieve the purposes for which they were initially collected, or where the personal data have been unlawfully processed. The right to be forgotten is a subset of the right to erasure that enables individuals to request the erasure of their personal data if those data have been made public by the data controller that collected them. In other words, if a company collects your personal data and then disseminates them publicly on the Internet, then that company must take "reasonable steps" to inform all other companies which are processing those data that you have requested their erasure. Make no mistake, this will be an extremely difficult right to exercise effectively in practice.
5. Companies can be fined up to EUR 20 million or 4% of global annual turnover (whichever is higher) if they don't comply with the GDPR.
True. And this is an absolute game-changer. Before, there were no fines under EU law and enforcement was practically non-existent. Now, everyone is paying attention. And if you are wondering whether "global turnover" encompasses all the entities within a multinational organization, the answer is yes. So as a company, you are responsible for all your affiliates and local branches. If you have your headquarters in Belgium but your affiliate in Italy screws up, then the entire company can be held liable and the Italian Data Protection Authority can calculate the fine based on the organization's worldwide turnover.
To finish, I'd like to say that data protection is a highly technical and complex area of law. It looks quite simple, but it's not. Why? Because the GDPR is largely based on legal concepts and principles that are defined very broadly (and at times unclearly). As a result, it requires experience and expertise to apply these concepts to a given company and situation. At Fieldfisher, we are proud to have a globally recognized team of over 40 experienced, dedicated privacy experts across the firm who will gladly answer your questions and assist your clients with GDPR compliance.
If you want to learn more about privacy, check out the articles we post on our Privacy Blog here: https://privacylawblog.fieldfisher.com/
And if you really want to have the GDPR close at hand at all times, you can download our GDPR mobile app here: https://www.fieldfisher.com/media/2017/06/get-ready-for-regulation-download-the-fieldfisher-gdpr-app
I wish you all Happy GDPR Day!