Heavy fines, up to four percent of global annual turnover, await companies that violate the new EU rules on the processing of personal data. "This revolutionary change in the rules covers all enterprises in the EU, as well as companies in the rest of the world that sell goods and services to people residing in the EU," says Erica Wiking Häger, chairperson of Mannheimer Swartling's Corporate Sustainability and Risk Management practice group.
The Swedish Personal Data Act (PDA) implements the EU's Data Protection Directive of 1995. Its purpose is to protect individuals against violations of their privacy (personal integrity) when their personal data is processed. With growing globalisation and digitisation, especially the rise of social media and other Internet-based services, companies' use of personal data has grown at an explosive pace.
Against this background, the EU has updated its data protection framework. In December 2015 the EU's two legislative bodies, the Council of Ministers and the European Parliament, reached agreement on the new data protection rules. Because the new rules take the form of a regulation rather than a directive, they will apply directly as law in every Member State without national implementing legislation. They give individuals stronger protection while imposing significantly tougher requirements on every business that handles personal data.
The regulation becomes applicable two years after its formal adoption, which is expected in the spring of 2016.
"Developments relating to personal data have come so far that it was high time to update the law," says Wiking Häger, who has worked on various aspects of the rules on processing personal data for over 15 years. "While 2018 may seem far away to some people, the new rules are so revolutionary that companies need to start preparing now. Previously, the worst that could happen to a company was negative media exposure – but now companies may also be subject to extremely heavy fines."
Global transfer of personal data – a unique challenge
According to Wiking Häger, companies must ensure that personal data sent to countries outside the EU receives the same protection as it would if it had been processed within the EU. This requirement is a challenge for multinational companies where, for example, HR information is stored in global systems. For the US, the Safe Harbor privacy principles, a set of voluntary rules on privacy and data protection developed and adopted by the US Department of Commerce, had previously applied. The European Commission had concluded that these rules provided adequate protection, so transfers of personal data from the EU/EEA to US organisations participating in the Safe Harbor programme were permitted. On 6 October 2015, however, the Court of Justice of the European Union declared the Commission's decision invalid. Transfers to the US that rely on the Commission's Safe Harbor decision are therefore no longer lawful, and companies need another lawful transfer mechanism, such as the EU standard contractual clauses or binding corporate rules. The EU and the US have since negotiated a new framework, the EU-US Privacy Shield, which is intended to give Europeans greater protection when their personal data is handled by US companies. For example, the US has undertaken to adopt clearer rules on when US authorities may access Europeans' personal data stored with US IT vendors.
“We live in an increasingly digitised world, where information such as where we are and what we do is stored by everything from the cars we drive, to the shopping centres where we shop,” says Wiking Häger. “Such information is often stored in the cloud – which may mean that the information is stored in many different places around the world. To avoid violating the rules on third-country transfers, companies must understand the rules and review all of their internal privacy protection procedures.”
“More and more multinational companies are also beginning to prepare for the introduction of ‘binding corporate rules’ (BCR), which are internal company rules for global data transfers within a group.”
Some highlights of the new regulation:
• A personal data breach (not only a hack, but any security incident that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data) must be reported to the supervisory authority, in Sweden the Data Protection Authority, within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Affected individuals must also be informed without undue delay where the breach is likely to result in a high risk to them. The Authority will maintain a public list of all notifications that are made and by whom they are made.
• Where processing is likely to result in a high risk to individuals, for example large-scale processing of sensitive data or systematic monitoring of individuals, the company must carry out a data protection impact assessment before the processing begins. New IT systems must build in data protection by design and by default ("privacy by design"), for example by collecting only the data a given purpose requires, pseudonymising it where possible and restricting who can access it.
• The "right to be forgotten" (the right to erasure) has been strengthened. Under certain circumstances, for example when the data is no longer needed for the purpose for which it was collected or the individual withdraws consent, individuals may request that their data be deleted and companies must comply with the request.
• Public authorities, and companies whose core activities consist of regular and systematic monitoring of individuals on a large scale or of large-scale processing of sensitive personal data, must appoint a Data Protection Officer.
• "Data portability" requirements stipulate that individuals must be able to obtain a copy of the personal data they have provided in a structured, commonly used and machine-readable format, and to move it. For example, individuals will have the right to transfer their data from one service provider to another.
• All companies need to identify their risks, document their processing of personal data and set up a dedicated compliance programme for handling it, since under the regulation they must be able to demonstrate that they comply.