Twenty years on from the introduction of the EU's Data Protection Directive, Carol A.F. Umhoefer, head of intellectual property and technology at DLA Piper in France, explores four of the anticipated consequences of the General Data Protection Regulation for the payments industry, and particularly for the IoT technologies it develops.
Coinciding with the rise of computing, the first personal data protection law dates back to Germany in 1970. Then, twenty years ago, the 1995 EU Data Protection Directive was adopted, establishing the first legal standards for personal data protection across an entire economic region.
That started the EU’s slow but certain influence over how EU member states – and the rest of the world – look at individuals’ right to privacy in respect of their personal data. Now, in the coming months, more than forty-five years after the first personal data protection law, we are faced with the single most important event ever in the short history of personal data protection law.
The EU will once again set the pace for reform, raising the bar for data security and protection in the EU but also (indirectly) across the globe, by adopting the EU General Data Protection Regulation, or GDPR.
The GDPR will replace in its entirety the 1995 EU Data Protection Directive and the national laws it spawned, with its terms expected to be finalised by the Council and the Parliament by Q1 2016, if not earlier.
The GDPR could therefore come into effect as early as 2017. Directly applicable in the Member States, and therefore requiring no national law to take effect, the GDPR is intended to harmonise the data protection regime across the EU. The GDPR will also bring numerous substantive changes for all businesses operating, or targeting consumers, in the EU.
More detailed information for consumers
The GDPR will likely significantly expand the amount of information that must be given to individuals when collecting their personal data. While greater transparency is usually a good thing, providing consumers in situ with detailed information about unintuitive legal concepts will be a challenge for compact wearable devices.
Contactless payment systems operators will need to verify that onboarding processes adequately deliver required information.
Security breach notification
Today, under EU legislation, only providers of publicly available electronic communications networks have the obligation to report personal data breaches. And while a few EU member states (notably Germany) have mandated general security breach notifications when personal data is compromised, there may be exceptions to those obligations.
Going forward, the GDPR will require data controllers to report personal data breaches to regulators, and likely to individuals as well, within a matter of hours of the controllers becoming aware of the breach. If the U.S. is any guide, the requirement will in all probability lead to an explosion in the number of reported breaches and an avalanche of media coverage, at least initially.
Contracts with data processors
The payments industry ecosystem includes many actors, some of which act as data controllers determining how and why personal data is processed, and others as data processors following instructions from controllers.
The Directive indicates only the broadest of obligations weighing on the controller-processor relationship: a contract or legal act must ensure that the processor acts only on instructions from the controller, and that the processor implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access.
The GDPR is likely to set forth detailed and prescriptive requirements for agreements between controllers and processors, such as requiring processors to make available to controllers all information necessary to demonstrate compliance and to allow for and contribute to audits conducted by the controller.
The market standard for controller-processor contracts, which has already risen significantly in the past five years, will move higher still.
The Directive places most of the responsibility, and liability, for personal data processing on the data controller. Significant industries – such as that supporting electronic payments – may exist with relatively few actors taking responsibility for why personal payment data are being processed.
The GDPR could considerably increase liability across this and other industries. For example, the European Parliament’s version of the GDPR provides that where more than one controller or processor is involved in processing, each of those controllers or processors shall be jointly and severally liable for the entire amount of the damage to an individual whose personal data is processed, unless the controllers and processors have an appropriate written agreement determining the responsibilities.
The Council’s approach has gone even farther, providing that where more than one controller or processor, or controller and processor, are involved in the same processing – and where they are responsible for any damage caused by the processing – each controller or processor shall be held liable for the entire damage.
The GDPR will also certainly increase administrative fines for controllers and processors – up to 100m or 5% of worldwide turnover, if the European Parliament’s version of the GDPR prevails.
Given this, it is vital that the industry starts preparing for the GDPR now. If it does not, it risks considerable penalties for non-compliance.