In a previous post on the Flexera blog we discussed the new EU data protection law coming into force: the EU Data Protection Regulation, also known as the General Data Protection Regulation. In December 2015 the EU Parliament, EU Council, and EU Commission came to an agreement on the final drafting of the new framework, which means that it will now be adopted in early 2016, and come into force in early 2018.
A number of changes to the draft have occurred throughout the process, so we’ll take a quick look at those and what they mean for you if you are working with or using the data of EU citizens.
First we’ll go back through a brief overview of what the Regulation is, and then we’ll look at the more important details. Finally, we’ll examine what this means for you if you are using Usage Intelligence or other call-home software.
EU Data Protection Regulation
First let’s look at what the Regulation is, and some of the changes it will make. The EU Data Protection Regulation is being put into place to take over from the EU Data Protection Directive, which we discussed in our earlier post.
Its status as a Regulation rather than a Directive means that when it comes into force it will automatically become the law in the EU, while a Directive requires implementation by individual member states to become the law. This means that you need to be aware of its requirements now, and get ready in advance, before it comes into force.
Some of the main new features that have been agreed upon for the Regulation are as follows.
Expansion of Reach and Definitions
One of the major changes that the Regulation is making is that the reach of the law will be much greater than the Directive has been in the past. The Directive only applies to businesses operating within the EU, but the Regulation will apply to anyone collecting the data of EU citizens, regardless of where they are based.
The Regulation is also expanding the definition of “personal data”. We discussed “personal data” previously, but the Regulation will also add additional categories, including an individual’s genetic, mental, economic, and cultural identity. This could include things such as physical location, IP address, RFID data, social media information, and other online identifiers such as usernames or account names.
The data protection requirements of the Regulation are only slightly different from those of the Directive, but include:
- individuals whose data is being collected must be told that their data is being collected and/or processed
- they must also be told what purpose or purposes their data is being collected for
- any request for the individual’s consent must be clear, concise, and obvious
- data must not be kept for longer than necessary
- the person collecting the data (the data controller) must identify themselves clearly and transparently
- individuals should be told about any risks or safeguards in place in relation to their data being collected and processed
- data controllers must allow data subjects to request access to their personal data, and provide a process to do so
- individuals must be told about any profiling taking place that uses their data, and what the consequences of that profiling will be
- if a data controller uses a separate data processor such as a cloud service provider, the processor must also meet the requirements of the Regulation
- if a data breach takes place, data controllers must notify individuals whose data has been collected, within 72 hours of the breach taking place
- data transferred outside the EU for processing is still subject to the Regulation
Right to be Forgotten and Age Consent
Two of the more interesting changes that the Regulation has made are that it has confirmed a user’s “right to be forgotten”, also known as the right to erasure, and increased the age of consent for sharing personal data from 13 to 16.
Article 17 of the Regulation sets out that the person whose data has been collected has the right to request the erasure of their personal data on several grounds. These are:
- if it is no longer needed for the purpose that it was collected
- if it was collected unlawfully or consent was withdrawn
- if the person objects to the processing of their data
Data Protection Officer and EU Representative
One of the most practical aspects of the new Regulation is the requirement for your business to have a Data Protection Officer (DPO). The DPO is a dedicated staff member whose role focuses on ensuring that the business complies with the Regulation. Their appointment lasts for 2-5 years, and they can be reappointed up to a maximum total service of 10 years. Their primary duties are:
- holding training sessions for other employees
- participating in meetings of senior management, and reporting on data compliance
- preparing information guides and disseminating information around the company
- developing internal guidelines and policies
- keeping a register of processing operations on personal data performed by the company, and ensuring that the register is accessible to anyone
Another new role required by the Regulation is the EU Representative. An EU representative is required when a data controller is not based in the EU. This is required by the Regulation “unless the processing [outside the EU] is occasional and unlikely to result in a risk for the rights and freedoms of individuals”.
Increased Fines and Penalties
The Regulation also comes along with an increase in penalties for non-compliance, with the largest fines up to 4% of a business’ worldwide turnover. There are three tiers of penalties, depending on the type of offence and its severity.
The lowest tier offence is for failing to respond to a data subject’s request for access to their data or charging a fee for access; the middle tier is for failing to be transparent, not implementing the right to be forgotten, or failing to listen to users’ requests for their data not to be used; the final tier (with 2% penalties) is for processing data illegally, failing to notify users of data breaches, or transferring personal data outside of the EU to a country that does not have adequate safeguards.
Safe Harbor Removal
The other aspect of these developing laws is that the EU-US Safe Harbor provision has now been removed – though not by the Regulation itself. The Regulation had intended to remove or significantly alter the Safe Harbor framework, but the issue was dealt with via another avenue.
The European Court of Justice struck down the Safe Harbor provisions in 2015 before the Regulation text had been agreed on, which removed the need for the Regulation to deal with this aspect of EU-US data storage. This meant that the US and EU had to agree on new provisions that the European Commission was satisfied with.
This was achieved within a few months, and a new agreement has already been put in place between the US and the EU, called the EU-US Privacy Shield. The EU Commission approved this agreement on 2 February 2016, but the Privacy Shield is still facing criticism from various parties. The root of the criticism seems to be that the Privacy Shield is not sufficiently clear and does not outline in enough detail how it will protect consumers, which means that some changes to the Privacy Shield may still be in the works. Nonetheless, the Privacy Shield means that those storing the data of EU citizens can continue to store it in the US, even though Safe Harbor has now been struck down.
What Does This Mean For Users of Usage Intelligence?
All the metrics collected by Usage Intelligence are anonymous, and end-users are not personally identified. Instead, they are allocated a unique ID generated by the Usage Intelligence SDK. However, Usage Intelligence does collect an IP address, which is used to query a GEO-IP database to determine user location. The IP address is not retained; it is discarded as soon as it has been processed by the Flexera servers.
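As an added illustration of the handling described above (this is not Flexera's code, and it makes no claim about how their servers are implemented), here is a small Python sketch of the pattern: the client side generates a random ID that is not derived from any personal data, and the server side resolves the IP address to a country and drops the address before anything is stored. The GEO-IP lookup table and the event payload are constructed samples using documentation address ranges.

```python
import uuid

# Constructed stand-in for a GEO-IP database: prefix -> country code.
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
GEOIP_TABLE = {
    "203.0.113.": "AU",
    "198.51.100.": "DE",
}


def new_client_id() -> str:
    """Client (SDK) side: a random identifier, unrelated to the user's identity."""
    return str(uuid.uuid4())


def lookup_country(ip: str) -> str:
    """Resolve an IPv4 address to a country code using the sample table."""
    for prefix, country in GEOIP_TABLE.items():
        if ip.startswith(prefix):
            return country
    return "unknown"


def process_event(raw_event: dict) -> dict:
    """Server side: derive location from the IP, then discard the IP.

    The returned record is what would be retained; it carries the
    random client ID and the derived country, never the address itself.
    """
    ip = raw_event.pop("client_ip")  # remove from the in-memory event too
    stored = {
        "client_id": raw_event["client_id"],
        "country": lookup_country(ip),
        "feature": raw_event["feature"],
    }
    # Defensive check that no field of the retained record holds the address.
    assert ip not in stored.values()
    return stored


def demo() -> dict:
    """Constructed sample event as the SDK might send it."""
    event = {"client_id": new_client_id(), "client_ip": "203.0.113.7", "feature": "export"}
    return process_event(event)
```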
This means that you’ll need to comply with the EU Data Protection Regulation if you are using this aspect of Usage Intelligence, no matter where in the world you are located.
Second, consider whether you need to create new roles in your organisation: you may need a DPO, and if you aren’t in the EU, you’ll need an EU Representative.
Third, with the changes to the age of consent provisions, if your software is targeted at young people, you’ll now need to be extra careful that you don’t collect their data without consent. If your software is used by people who are under 16, or is likely to be used by people who are under 16, keep in mind that for the purposes of the Regulation they cannot consent to your collection of their data. In these cases, you’ll need to get the permission of their parents or guardians.
Finally, be aware of the penalties that come alongside the new Regulation, and ensure that your organisation’s risk officer and general counsel have factored these potential penalties into any organisational processes and insurance policies.