What does GDPR do?
Purewal & Partners' Jas Purewal and Peter Lewin provide an overview of the imminent EU data protection regulation - the first of three parts to be published this week
This is the first of three articles in which Purewal & Partners' Jas Purewal and Peter Lewin will explore the EU General Data Protection Regulation, an imminent reform that will have a huge impact on digital entertainment businesses all over the world.
Tomorrow, Purewal and Lewin will explore how it specifically affects companies in the games industry, and offer ten important tips to prepare for its arrival on May 25, 2018. On Thursday, the third part will address the most Frequently Asked Questions associated with GDPR.
Summary
1. The GDPR is a fundamental reform of EU data protection regulation which will impact any business using EU personal data (whether inside or outside the EU) and take effect in the EU on May 25, 2018.
2. Businesses processing data will be subject to greater regulatory requirements and individuals will have stronger rights, e.g. it will be harder to rely on consent as a ground for processing data. Data protection authorities will have greater enforcement abilities than before, including the ability to impose higher fines for breaches.
3. Businesses should update their internal data use and protection policies, start making data protection a core part of business thinking and review material business agreements. But in reality, there is a great deal of uncertainty still about what to do first, how to do it and how far to go. In practice, many businesses are looking to see what the major players do and what the regulators say about it.
"In reality, there is a great deal of uncertainty still about what to do first, how to do it and how far to go"
4. In our view, small to medium sized digital entertainment businesses (e.g. game developers and esports teams) should take a reasonable and proportional view on what improvements to make and keep an active eye on the wider industry trends, which we expect to provide more clarity and actionable changes in the coming months after GDPR comes into effect.
Overview
What is the General Data Protection Regulation? The GDPR is an EU regulation which will take effect from 25 May 2018 and introduce wide ranging changes on how personal data can be collected and used.
To whom does the GDPR apply? Both EU and non-EU based businesses that process EU "personal data".
What is "personal data"? In simple terms, it will continue to mean any information relating to an identified or identifiable living individual, but businesses will have to think even more carefully about what that means. Personal data will still include things like names, physical addresses, email addresses, age, gender, sexual orientation and health details, but the GDPR also expressly treats online identifiers as personal data, so businesses will have to be careful around data like IP addresses, device or advertising IDs, account handles and geolocation data. We will just say 'data' for short in this note.
What are the core data protection requirements currently? Under current EU data protection law, data controllers (more on them shortly) are required to follow eight data protection principles, including obtaining data only for lawful purposes and having measures in place to ensure the integrity and confidentiality of such data. There are also restrictions on transferring data outside of the European Union. There are a large number of ancillary laws and regulations, for example, regarding the use of cookies/tracking technologies (AKA the 'Cookie Directive'). These rules are not harmonised across the EU, with different Member States taking differing approaches.
Who is responsible for data protection compliance? All businesses involved in the collection or use of personal data will have some level of regulatory obligations, but there is a particular focus on 'data controllers' (i.e. parties who control the collection/processing/use of the personal data) as opposed to 'data processors' (i.e. parties who may carry out data regulated activities but on behalf of a controller). This will change under the GDPR where increased focus is being placed on the activities and responsibilities of data processors (see below).
(UK specific) What about Brexit? The current position is that the UK will implement the GDPR into UK law and the UK intends to maintain a close link between UK and EU data protection law. However, it is not clear yet what impact there will be from the ongoing UK/EU Brexit negotiations, above all whether the EU will regard the UK as having a sufficiently robust regulatory system to permit easy UK/EU data transfers.
What does GDPR do?
Accountability. A new principle of 'accountability' requires data controllers to demonstrate (with evidence) that they comply on a technical and organisational level with the GDPR (e.g. staff training, internal audits, data protection policies, maintaining records on processing activities and data breach procedures).
Privacy by Design. Businesses must proactively consider data protection issues at an early stage as part of their core business - e.g. games developers must consider data protection matters during the game development cycle and not simply as an afterthought. This may include:
- only gathering data that your product needs for its or your business' operation;
- conducting internal data protection impact assessments to assess the risks involved with any new proposed data processing;
- building your data storage so that you know what data you hold, where it is (including backups, analytics tools and third-party processors) and can locate, correct, export or delete it when a data subject exercises their rights (discussed below);
- improving consent collection and recording processes; and
- giving controls and information for children and parents/guardians (discussed below).
"Games developers must consider data protection matters during the game development cycle and not simply as an afterthought"
Processing Grounds (changes to consent). EU data protection law requires data controllers to have a lawful basis for using personal data. By far the most commonly relied upon basis is consent (e.g. asking a user to agree to a privacy policy and the user ticking a box to approve their data being processed). Under the GDPR, businesses must check whether their particular form of customer consent is valid (freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give) or whether another appropriate ground is available on which they can process data without the need for consent.
Other potential grounds include "legitimate interest" (e.g. direct marketing communications about a game that a customer bought from you) and "performance of a contract" (e.g. responding to a player's query via the email address with which he/she contacted you). If consent is appropriate, consent must be granular and specific rather than just an all-encompassing grant of consent. Third parties with whom data will be shared should be identified by name and individuals' rights are strengthened against controllers. All of this means that businesses need to think much more carefully about how they obtain authorisation to process personal data.
ePrivacy Directive/Regulation. The ePrivacy Directive (eventually to be updated by the ePrivacy Regulation) sits alongside the GDPR but focuses primarily on the use of data and privacy in relation to electronic communications, including cookies. Because the ePrivacy Directive borrows its definition of consent from the general data protection framework, the GDPR's stricter consent standard is likely to have indirect consequences for how user consent is validly obtained to cookies and other similar technologies (e.g. pre-ticked boxes or implied consent from continued browsing are unlikely to suffice).
Data Subjects' Rights. Individuals (known here as 'data subjects') will have greater rights, including the right to be informed (i.e. to be provided with sufficiently detailed yet concise and understandable details of the processing at hand), the right of access (i.e. to obtain a copy of the personal data held about them), the right to rectify data (i.e. to correct inaccurate/incomplete data), the right to erasure (i.e. for example where the data subject objects to data processing and there is no overriding legitimate interest to continue, or where the data is no longer needed for the purpose for which it was collected) and the right to data portability (i.e. where the data subject wishes to receive their data in a machine-readable format or transfer it from one service to another).
Rectification and erasure are practically achievable but will often require considerable technical and practical arrangements to enable them: a business must be able to find every copy of an individual's data, including in backups, analytics platforms and the systems of its processors, and act on it within the one-month response period the GDPR sets by default. It is not yet clear what 'portability' would look like in a digital entertainment context.
Children. Where consent is the processing ground for an online service offered directly to a child, verifiable parental consent is required for children below 16 (Member States may lower this threshold to no less than 13). Any information addressed to a child (e.g. in-game notifications or privacy policies) must be in plain, clear language which a child could understand. There will be considerable real-world questions about how achievable this will be and how far in practice businesses will be able to go to verify parental consent.
Reporting Data Breaches. Data controllers will need to notify a personal data breach to their national data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to "the rights and freedoms of individuals" (e.g. the loss of customer data which leaves them vulnerable to identity theft would clearly need notifying). Notification to the data subjects themselves is required in "high risk" situations (e.g. discrimination, reputation damage or financial loss). Processors must notify the controller of any breach without undue delay. Data breaches include not only unauthorised access to personal data but also unauthorised disclosures, accidental losses and loss of access to data (e.g. a ransomware incident that renders data unavailable is a breach even if nothing is exfiltrated), and all breaches must be documented internally whether or not they are notified.
"Any information addressed to a child must be in plain, clear language which a child could understand"
Processor Liability. Under the GDPR, data protection obligations are no longer just the concern of data controllers. Processors will need to, for example, implement appropriate security measures, maintain records of their processing activities and ensure the reliability of their staff. Processors will have direct liability if they are responsible for a breach; for example, a games developer operating a game for a publisher, or a YouTube channel operator running a channel for a traditional broadcaster, will have greater responsibilities regarding the personal data they handle, even if they do not ultimately control it.
Contract Requirements. Contracts between data controllers and data processors will now need to contain certain minimum terms regarding the data processing, including the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject involved, the obligations and rights of the controller, and the processor's obligations (e.g. to act only on the controller's documented instructions, to assist with data subject requests and breach notification, to flow the same terms down to any sub-processors, and to delete or return the data at the end of the engagement).
International Transfers. The EU Commission will still decide which non-EEA countries have adequate levels of personal data protection to permit EU data transfers to them. If a country is not approved by the EU Commission, transfers may still be permitted on grounds of consent, but data subjects must be more explicitly informed of the risks of international data transfers than before. The GDPR also formally approves use of "binding corporate rules" (a complex system for the intra-group use, transfers and management of data) and "standard contractual clauses" remain a valid option as before.
Data Protection Officers. In certain situations the GDPR requires appointment of a 'Data Protection Officer', an individual who would be responsible for overseeing a company's data protection strategy and implementation to ensure compliance with the GDPR. Appointment is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (e.g. health or sexual orientation) or criminal conviction data. Even if not strictly required, anecdotal evidence suggests a number of large digital entertainment and tech businesses are moving ahead with appointing their own DPOs.
Representatives. Non-EU organisations (whether controllers or processors) that are obliged to comply with the GDPR must, subject to a limited exception for occasional, low-risk processing that does not involve special categories of data on a large scale, nominate a 'representative' within the EU who will act as the first point of contact for the national data protection authorities and EU data subjects on all issues related to processing. These representatives do not need to be solely employed by the non-EU organisation and it is likely a number of businesses will begin providing outsourced representative services, but care should be taken when appointing a partner for this important and potentially sensitive role. It is not yet clear what the representative's practical obligations will be and this may well vary by Member State.
Fines. The level of fines that can be imposed by data protection authorities will be broken down into two tiers:
- The higher of €10m or 2% of total worldwide annual turnover for the preceding financial year, for breaches in areas such as reporting data breaches, implementing technical/organisational measures or the data controller/processor relationship; and
- The higher of €20m or 4% of total worldwide annual turnover for the preceding financial year, for breaches in more 'serious' areas such as the processing principles (including respecting the parameters of user consents), data subject rights or international transfers.