High-Risk Processing Triggers EU Data Reg Obligations

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

April 28 — When it comes to processing personal data in the European Union, companies will soon need to figure out whether it is “high risk” behavior or face significant fines.

Provisions in the forthcoming EU General Data Protection Regulation (GDPR) on data processing that involves a “high risk” to the data subject may lead multinational companies to increasingly view privacy through a European lens.

Under the GDPR, data controllers will be required to determine whether their processing operations are high risk—a determination that would trigger several obligations, including the requirement to carry out a data protection impact assessment (DPIA).

Philip James, a partner at Sheridans, a media law firm in London, said that “in assessing whether something is high risk, it's not necessarily a question of volume of data. It could be processing one data record.”

The GDPR high-risk assessment requirement could be relevant for an “innovative technology that hasn't been exploited before,” or an existing technology that is being applied to new data, James said.

Big data applications carry a “greater risk of infringing on people's privacy” and would require DPIAs under the GDPR, James said.

In addition, despite the new harmonizing regulation, each of the 28 EU member states may end up with their own definitions of what they consider to be high risk, attorneys told Bloomberg BNA.

What that all means for companies doing business in the EU is that they must carefully assess the types of data they are processing and whether they may be exposing the data subject to a risk of violating his or her fundamental rights.

Privacy Regulators' Guidance Due

The Article 29 Working Party of EU data protection officials from the 28 EU member states has promised to provide guidance on the notion of high risk and on DPIAs.

According to Ann J. LaFrance, co-leader of the data privacy and cybersecurity practice at Squire Patton Boggs LLP in London, the Art. 29 guidance can't come soon enough. While the existing directive mainly refers to risk as something that data controllers should take into account when deciding on data security measures, under the GDPR it “will be one of the most challenging areas,” she said.

Companies will have to be especially cautious because “this is an area that is likely to attract heavy sanctions if the new rules are not followed,” LaFrance said.

“In the event of a data breach where these rules have not been followed, the penalties and potential liability in follow-on damages claims, which are explicitly provided for in the GDPR, will likely be very substantial,” she added.

The GDPR will come into effect in mid-2018, after a two-year transition period following its final approval by the European Parliament April 14 (15 PVLR 791, 4/18/16).

Violation of Rights, Freedoms?

High risk processing under the GDPR is considered to be processing that could impinge on the “rights and freedoms of individuals.”

These rights and freedoms are encapsulated in the Charter of Fundamental Rights of the EU, which includes both a right to protection of personal data and a right to respect for his or her private and family life, home and communications.

Erik Valgaeren, head of data protection at Stibbe in Brussels, said the protections set out in the GDPR “go to the heart of the European tradition of human rights.”

The EU has “always been out to export these rights and freedoms,” and there is the potential for “cultural clashes,” he said.

High Risk Data Processing

Mary J. Hildebrand, founder and chair of the Privacy and Information Security Practice at Lowenstein Sandler LLP, in Roseland, N.J., said that there was the potential for misunderstanding about rights and freedoms because “you could put a dozen people in a room and they would come back with a dozen different answers on what that means.” Articles 33 and 34 of the GDPR, which set out obligations relating to the assessment of the level of data processing risk, were among the regulation's “most challenging or at least the most vague” provisions, she said.

U.S. companies might have to work to adapt to EU norms on data privacy rights because in the U.S. there is more acceptance of “the trade-offs” between privacy and the commercial benefits from the processing of personal data, she said.

There is a “more general acceptance” in the U.S. of the use of personal data in decision-making in contexts such as remarketing and behavioral advertising, for which in the U.S. “typically there's no express consent” given by data subjects, Hildebrand said.

That kind of data processing “translates pretty quickly into profiling,” which would fall within the category of high-risk processing under the GDPR and “would be a prime example of something that would require an assessment” of the risk to rights and freedoms, she said.

Among companies there is a “very strong willingness to comply with the GDPR,” and “over time the additional requirements imposed by the GDPR may translate eventually into more common practice in the U.S.,” Hildebrand said.

Valgaeren said that because non-EU companies will likely assimilate EU standards on privacy freedoms and rights as they move to comply with the GDPR, “maybe after all we will get to a more global framework on privacy matters.”

Take Precautions

LaFrance said that under the GDPR, “the burden will be on the data controller to demonstrate that the processing of high risk data can be carried out in a way that appropriately limits the risk.”

Companies will need to go through a three-step process—they must decide whether a DPIA is needed for a processing operation; consult with their supervisory authority if a DPIA identifies a high risk; and put in place risk mitigation measures.

The GDPR specifies that DPIAs will be required for any analysis of personal data that is “based on automated processing, including profiling,” and that results in decisions being made about data subjects.

Companies might opt for a precautionary approach to carrying out DPIAs. “The key message is: if in doubt, do one,” James said. He added that DPAs must be consulted if a DPIA identifies “a high level of unmitigated risk.”

LaFrance said it was “unclear how supervisory authorities will cope with what could be a very high volume of consultations in an efficient and effective manner.”

The GDPR states that when a data controller consults with a DPA over high-risk processing, and the DPA considers that “the controller has insufficiently identified or mitigated the risk,” the DPA has eight weeks to issue advice to the controller, with an additional six weeks allowed in particularly complex cases.

Hildebrand said that for small, high-tech companies developing new services or applications based on personal data, this “could be an eternity.”

In addition, the GDPR contains “no provision for confidentiality of the submission” to a DPA in a case of prior consultation over high-risk processing, Hildebrand said.

For companies wanting to safeguard their intellectual property, “that would be one major concern and that could be a disincentive to seek prior consultation,” Hildebrand added.

Member State Differences

The final text of the GDPR also embodies the possibility that what is considered high risk in one of the EU's 28 member countries might not be considered high risk in another.

To guide companies on processing that is likely to be high risk, the GDPR requires national DPAs to issue lists “of the kind of processing operations which are subject to the requirement” to carry out a DPIA.

Tomasz Koryzma, a partner with CMS Cameron McKenna LLP in Warsaw, said he is hopeful that the European Data Protection Board, which will replace the Art. 29 Working Party, will “help to somehow unify” the definitions.

In case companies might be tempted to seek approval of their data processing from DPAs with less prescriptive lists of high risk processing, they should consider that doing so would “not exclude any liability,” Koryzma said.

More Rigorous Data Management

The GDPR provisions on high risk processing should push companies towards more rigorous management of the personal data that they hold.

“At board level, there is not that much information on how data is actually handled, but this will dramatically change,” Koryzma said.

“The point for the data controller is let's get prepared and audit operations and see what they are processing,” he added.

Controllers will need to look at their relationships with data processors. When controllers issue contracts, there will “now be quite a lot of detailed questions about how processors manage the data,” Koryzma said.

Erik Luysterborg, privacy and data protection leader with Deloitte Enterprise Risk Services in Brussels, said “I don't think many companies yet have a specific privacy impact assessment process embedded.” They would need to put such a process in place “and then can consider ‘when do I use it?’”

Many companies “are in one form or another profiling,” including in their management of employee and customer data, in which case they would be considered under the GDPR to be carrying out high-risk processing, Luysterborg said.

The general thrust of the GDPR was that “you will have to do privacy impact assessments as a rule,” he said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com