In April 2016, the European Union laid the foundations for a new data protection law with the introduction of the General Data Protection Regulation (GDPR). This regulation standardizes and harmonizes the rules for processing personal data by private companies and public agencies across the EU.

One of the primary aims of the reform is to strengthen the rights of internet users, providing them with more control in the future over how internet companies (Google, Facebook, Apple, WhatsApp, etc.) use their personal data.

The previous EU Data Protection Directive 95/46/EC from 1995 that the new law will replace was considered to be out of date in many respects and difficult to apply from a practical standpoint. In addition, some key technical developments were not taken into account, either at all or to a sufficient degree. The new General Data Protection Regulation aims to consolidate the patchwork implementation of data protection in the national law of individual Member States to ensure consistency throughout Europe. Unlike the old directive, which had to be implemented individually by the EU Member States, the General Data Protection Regulation will be valid in all EU Member States with immediate effect from 25 May 2018.

Regulatory flexibility for Switzerland

At the same time, the GDPR provides Member States with substantial regulatory flexibility. However, implementation thereof will constitute a massive task for national legislature given the amount of time available – there is only one year remaining until the General Data Protection Regulation enters into effect, and the various national data protection laws need to be adjusted in conjunction with this.

Switzerland is well positioned in this regard because the GDPR and the Swiss Data Protection act are, according to an opinion offered by a group of attorneys, ‘comparable’ (German link). However, the GDPR must be assessed on the basis of the revision of the Swiss Data Protection Act that is currently underway. The EU will only recognize the Swiss law as adequate if the Swiss Data Protection Act largely conforms to the corresponding EU law. Otherwise, the critical exchange of data between companies in Switzerland with companies in the EU would be severely affected and made unduly difficult.

Political scope

Following the abolition of the Safe Harbor Agreement in October 2015, the new General Data Protection Regulation clearly points the way towards the restructuring of data protection in the EU. While it may not have been explicitly stated, the GDPR will expand EU data protection to the US, as even data giants such as Facebook, Google, Apple, etc. will be held to account to a much greater extent in the future.

In this sense, it is a positive development that the practice of US intelligence agencies (such as the NSA) – a practice that has rightly been criticized – will now finally face stiffer opposition. This is because transmitted data has never been sufficiently protected against access by the US authorities and intelligence agencies. Parallel to the Swiss-US Privacy Shield, the GDPR will now also ensure that Swiss transmissions of personal data to the US are subject to the same standards as the standards that apply in the EU. This is extremely important for the legal certainty of economic transactions and, in particular, the free exchange of data between Switzerland and the EU – especially in the commercial sphere.

Whether or not this will actually have an effect on the comprehensive monitoring activities conducted by the US authorities is questionable and remains to be seen. These monitoring activities are too massive and wide-ranging, because they include everyone and all electronic means of communication as well as all data transmitted (including the content of communications) without distinction, limitation or exception.

There is, however, an optimistic quote by the philosopher Peter Sloterdijk on this subject: Digital Colonialism – Europe’s Struggles on the Internet (German link):

Europe’s data sovereignty has been restored.

And:

If Europe were capable of speaking with one voice, it would long ago have been one of the major economic powers. It would have developed its own search engines and social media that would not be subject to a massive program of spying on citizens by paranoid security agencies. Our so-called “American friends”, by contrast, seem to continue to promote any development that turns Europe’s weakness into an additional basis for their strength.

Seen this way, one could interpret the objectives of the GDPR as helping to strengthen Europe’s newly gained data sovereignty.

However, we should be cautious about being to euphoric: This is because Europe, which currently finds itself under serious attack, will – given the overarching government objective of ensuring security – also increasingly place its legitimate security interests above its citizens’ liberties, including their right to informational self-determination. The GDPR will not change anything in this regard. (However, the European Court of Justice ruled in 2014 that the Data Retention Directive, an effort to combat terrorism, was invalid, therefore placing basic rights above the fight against terrorism.)

Social drivers or the information society and data protection

Data protection must be accorded a fundamental role in what is increasingly becoming an information society.

The fundamental right to informational self-determination protects citizens against the unlawful and improper use of their personal data and places an increasing obligation on companies to abide by this right. In addition, increasingly stringent legal requirements and the growing expectations of customers are creating greater challenges for companies.

Failure to comply with or observe data protection requirements is now a serious risk factor that may, in addition to the damage it could cause to a company’s image or reputation, lead to personal liability on the part of management staff. Nevertheless, demonstrating compliance with data protection requirements offers companies a competitive advantage and an excellent way to stand out from the rest.

Because of their role as data processors, companies are now finding themselves increasingly thrust into the public spotlight. A number of scandals related to data protection has led customers to respond more critically and made them realize that compliance with data protection requirements is an important quality characteristic. As such, they want to see demonstration of such compliance. These developments require greater awareness on the part of management and new ideas for developing appropriate strategies for dealing with the fresh challenges presented by data protection.

Technological drivers

Information technology is now ubiquitous, pervading all aspects of life. As a result, personal data is now collected, processed and used almost everywhere. In addition, technological innovations, particularly in the areas of the Internet of Things (Evernet), cloud computing and mobile computing with Big Data, are leading to exponential growth in the volume of data. Contextual awareness will, by way of example, allow IoT components (with the help of sensors and special communication devices) to collect information about users and their habits, environment and location as well as great amounts of other sensitive data (e.g. health information such as heart rate, weight, blood pressure, etc.) and adjust their behavior accordingly. As a result of these trends, genuine threats to informational self-determination are not being recognized or are being recognized too late and with a considerable delay (data breaches).

At the same time, there seems to be a new level of nonchalance, with users handling their own personal data and the data of others with clear insouciance (social media). For example, carefully crafted messages on social networking platforms provide a simple entry point for social engineering or the systematic collection and aggregation of social relationships and personal data for the purpose of, for example, identity theft or the assumption of a false identity by exploiting the detailed information that is revealed.

Due to these trends and rapid technological progress, it is easier than ever to gain access to relevant personal data. The concept of the transparent consumer, patient, customer, employee and citizen has, unfortunately long since become a reality through the use of modern analytical tools and Big Data aggregation.

The notion of data protection as a means of safeguarding an individual against the unauthorized and inappropriate use of their personal data is a subject of major interest once again thanks to the new EU GDPR. Many people now understand that the right to informational self-determination is a basic democratic right that society and its citizens must demand in order to ensure that it does not become lost.

New elements in the EU’s General Data Protection Regulation

Some key aspects surrounding the regulation for companies and individual informational self-determination will be discussed below. The full text of the regulation is available at privacy-regulation.eu.

• Data protection officer: Companies whose core business consists of the regular and systematic monitoring of data subjects on a large scale or that collect, save and process large volumes of personal data are obligated to appoint a data protection officer.
• Record-keeping obligation: Companies must maintain clear records of their data processing activities.
• Notification obligation and faster reporting: Data breaches, such as the loss or disclosure of personal data to third parties and unauthorized recipients as well as targeted data theft or hacking incidents, must be reported to the competent data protection authorities within 72 hours, unless the data breach is not expected to result in a risk to the personal rights and freedoms of the affected persons.
• Privacy by design and privacy by default: Products and services must be technically structured so that by default they only process the personal data necessary for that particular purpose, i.e. they must adhere to the principle of proportionality. It will be extremely difficult to apply these admittedly very abstract principles. As a result, they are often dismissed as buzzwords. However, it seems important to address these approaches in order to improve privacy right from the outset, so that they can be gradually established within the legal framework.
• Data protection impact assessment: Processes that involve the processing of personal data and that may therefore pose a risk to the rights and freedoms of the persons affected must be reviewed internally in advance, especially in the case of the use of new technologies and trends (see, for example, electronic patient records). In general, this involves establishing a risk-based approach for data protection similar to the approach for information security.
• The right to be forgotten and the right to deletion: Enforcement of a user’s right to have information deleted will be made significantly easier. For example, if users do not want their data to be processed further, they now have simpler options available to them – provided all of the legal requirements are in place.
• Portability: Users must have the option of switching their data from one provider to another. The aim is to make it easier to access personal data, including data stored with third parties. Data portability must categorically ensure that personal information is easier to transfer from one service provider to another.
• Youth protection: Logging in to social media sites such as Facebook, Instagram, Twitter, etc. should only be possible for young people aged 16 and over. Alternatively, if people younger than 16 are able to log in, they should be able to do so only with the consent of their parents. However, EU Member States
  are free to set a younger minimum age. That said, the absolute minimum age is 13.
• One-stop shop and strengthening national supervisory authorities: In the future, affected persons will be able to contact the data protection authorities in their home country in their language, even if the data protection problems occur in another Member State. This will also strengthen the competence of national data protection authorities, thereby enabling them to actually implement the new EU rules. For example, they will be able to prohibit individual companies from processing data, or stop certain data flows and impose penalties on companies.
• Less government overhead and a reduction in red tape: Companies will only have to deal with a single supervisory authority, namely in the city where their headquarters are registered.
• Penalties: Penalties imposed against companies that violate the new data protection rules can amount to as much as 4% of the company’s global annual revenue or EUR 20 million – whichever is higher. However, such penalties will not be imposed against smaller companies if the violations involve a first-time offense or they are inadvertent or minor violations.
• Opt-in instead of opt-out: If personal data is processed, users must actively consent to such processing rather than actively opposing it as before. This means that companies active in the European market will have to obtain the express consent of users to make use of their data.
• Transparency: Users have a right to transparency – they may find out at any time what data is being collected about them, what the intended purpose is, and how this data is processed.
• Expanded cross-border scope: The new EU Directive is valid for companies that are not headquartered in the EU once they start offering their products or services in the EU. It also applies even if they simply conduct online market research among EU citizens. Users may report every instance of the misuse of data to their competent national supervisory authority – even if the relevant data was processed in another country (see also one-stop shop).

This will prevent communication with data giants such as Facebook, Google, Apple, WhatsApp, etc. from being accessed by others and strengthen enterprise-friendly rules for the domestic digital market (under the motto of EU reform: Better protection of privacy online and new business opportunities).

Conclusion

Developments in data protection will continue to preoccupy companies in the future and pose major challenges. In a first step, they will have to modify current mandatory documentation and procedures by May 2018 in conjunction with the GDPR.

In doing so, it must be made clear that the regulation in no way affects legal departments alone. Senior management will also be directly involved. In particular, management must establish the importance of data protection and build the necessary pressure and offer support for modifying internal rules, developing case studies and specific scenarios and providing the necessary tools and resources. In doing so, a risk-based approach is essential.

Companies should therefore deal with data protection questions fundamentally and at an early stage:

• What is the significance of data protection now and in the future from a corporate perspective?
• What are the principles on which data protection is based and what are its objectives?
• What concrete legal considerations need to be taken into account for the specific corporate environment regarding data protection?
• What impact do the data protection regulations have on operational practices and how can the legal and operational requirements be aligned?
• What other data protection requirements does the company have to address
  once again?

Depending on the business activity in question, other international standards will have to be taken into account that – in the worst case – may be in conflict either with one another or with national regulations as well as with the GDPR. A well-known example in this regard is the US Sarbanes-Oxley Act (SOX), which is rooted in an Anglo-American culture that – as previously noted – attributes much less weight to privacy protection than is customary in Continental European.

Data protection incidents must be recognized as an important risk factor in risk management. This is not limited solely to the direct consequences of a violation of the above standards and laws. Dealing with the aforementioned risks requires adequate risk management on the part of companies. Data protection is now an important quality factor that all companies need to take seriously.

• The importance of data protection in the information society will continue to increase.
• The basic right of the individual to informational self-determination must be ensured by companies.
• Ever more stringent data protection laws and special rules in specific business areas place additional strict requirements on companies.
• Data protection incidents must be classified as a serious risk factor that needs to be addressed through appropriate risk management. Ad-hoc approaches are not an option.
• The expenses for implementing and ensuring an adequate level of data protection must be assessed realistically.

As such, updating current internal directives, regulations and policies regarding data protection policies is not a one-off act in response to the switch to the GDPR in May 2018 – it involves the continuous implementation of data protection in the future as part of the company’s business processes and data protection efforts. This will only be successful if the management of data protection risks is institutionalized throughout the company across all corporate levels and units.

About the Author

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

• http://europa.eu/rapid/press-release_IP-17-16_de.htm
• http://www.homburger.ch/de/aktuell/publikationen/dataprotection
• http://www.nzz.ch/meinung/kommentare/die-abhaengigkeit-des-friedfertigen-vom-schlagfertigen-ld.2328
• http://www.privacy-regulation.eu/en/
• https://www.edoeb.admin.ch/datenschutz/00626/00753/01405/01406/index.html?lang=en
• https://www.nzz.ch/schranken-fuer-datenspeicherung-auf-vorrat-1.18280354