Media Law Resource Center

Serving the Media Law Community Since 1980


GDPR: A Primer for Media Lawyers

By Bryony Hurst

This summary was presented at the 2018 MLRC Media Law Conference. The outline is intended as an overview and does not purport to include all aspects and provisions of, or exceptions to, the General Data Protection Regulation, but seeks to address generally those aspects most relevant to media companies and clients. For further background, please see https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird--bird--guide-to-the-general-data-protection-regulation.pdf.

A. Overview.

The GDPR (See https://gdpr-info.eu/) significantly overhauls Europe's cornerstone data protection legislation at a time when information systems and digital business underpin human life. The changes that were ushered in by the GDPR beginning on May 25, 2018 are substantial and ambitious. The Regulation is one of the most wide-ranging pieces of legislation passed by the EU in recent years, and includes (but is not limited to) concepts such as the "right to be forgotten," data portability, data breach notification and accountability.

1. In summary, the Goals of the GDPR are to:

  • Put Data Subjects Back in Control of their Data
  • Increase Accountability, Data Governance and Record Keeping Requirements for Companies
  • Harmonize EU Data Protection Framework
  • Empower EU Data Protection Regulators

2. Summary Game Changers: The GDPR introduces significant changes and strengthens existing requirements, including via the following concepts:

  • Transparency and Consent: i.e., specific information that must be provided to and, in certain cases, permissions required from individuals to justify collection and use of their personal data. Consent has to unambiguous and cannot be assumed from inaction.
  • Children and Consent: for online services which rely on consent to processing, verifiable parental consent is required for use of a child's personal data.
  • Regulated Data: the definitions of "Personal Data" and "Sensitive Data" are broad and have been expanded.
  • Personal Data Breach: a new mandatory data breach notification requirement is introduced for all entities handling personal data.
  • Data protection by design and accountability: organizations are required to adopt significant new technical and organizational measures to demonstrate their GDPR compliance.
  • Data protection officers: In certain circumstances, entities may be required to appoint a Data Protection Officer, which must meet certain independence and qualifications requirements.
  • Enhanced Rights: Data subjects are given substantial rights including the right to be forgotten, data portability rights and the right to object to automated decision making.
  • Supervisory authorities and the European Data Protection Board (EDPB): If an organization has multiple EU presences, one regulator acts as lead authority and coordinates with others. EDPB oversees and determines disputes between Data Protection Authorities (DPAs). https://edpb.europa.eu/edpb_en

B. When Does the GDPR Apply?

1. The Scope is Extra-Territorial, and intended to have a broad scope. (Articles 2 and 3; Recitals 15-21; 22-25).

a. European Union:

i. A data controller or data processor falls into the GDPR's scope where personal data is processed "in the context of the activities" of an organization with an EU "establishment." (broadly defined)

ii. An organization may be "established" where it exercises "any real and effective activity – even a minimal one – through "stable arrangements" in the EU. Weltimmo v. NAIH (C-230/14). The presence of an EU branch or subsidiary or even a single representative may be sufficient.

iii. It is irrelevant now if the actual processing of the data takes place in the EU or not (GDPR can apply even if controller is based outside of the EU and the relevant processing takes place outside of it).

iv. Organizations with EU sales offices, which promise or sell advertising or marketing targeting EU residents will likely be subject to the GDPR, since the associated processing of personal data is considered to be "inextricably linked" to and thus carried out "in the context of the activities" of those EU establishments. Google Spain SL, Google, Inc. v. AEPD, Mario Costeja González (C-131/12).

b. For organizations outside the EU, the GDPR will still apply when:

i. Business offers goods or services: an EU resident's personal data is processed in connection with goods/services offered to him/her (payment is not required; but mere accessibility of a site from within the EU is not sufficient); or

ii. Business Monitors online behavior: the behavior of EU individuals is "monitored." Monitoring specifically includes the tracking of individuals online to create profiles, including where this is used to make decisions to analyze/predict personal preferences, behaviors and attitudes.

2. GDPR divides entities into "data controllers" and "data processors":

a. Data controllers: companies that determine how data is collected and used

b. Data processor: service providers

C. Principles for Processing Data (Article 5 and Recital 39)

1. Lawfulness, Fairness, Transparency

a. Need to have a valid, legal ground to collect and use personal data, these include, but are not limited to, consent (see infra), performance of a contract, compliance with a legal obligation, and the "legitimate interests" [1] of the data controller.

i. Examples of "legitimate interests" include:

Processing for direct marketing purposes or preventing fraud (Recital 47)

Transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data (note – international transfer requirements apply) (Recital 48)

Processing for purposes of ensuring network and information security, including preventing unauthorized access to electronic communications networks and stopping damage to computer and electronic communication systems. (Recital 49)

ii. The controller's legitimate interests must be weighed against the fundamental rights and freedoms of the data subject, and only when the data subjects' rights do not override the rights of the controller is the "legitimate interest" of the controller a valid ground for data processing.

b. The processing of sensitive personal data is prohibited unless an exception applies (Article 9(2)), including but not limited to:

i. explicit consent (9(2)(a));

ii. if it is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement (9(2)(b));

iii. the data is manifestly made public by the data subject (9(2)(e));

iv. necessary for the establishment, exercise or defense of legal claims or where courts are acting in their judicial capacity (9(2)(f));

v. it is necessary for reasons of substantial public interest on the basis of EU or Member State law, which is proportionate to the aim pursued and which contains appropriate safeguard measures (9(2)(g));

c. Be transparent, in notices required to data subjects:

i. Be concise;

ii. Use plain language;

iii. Ensure information is easily accessible.[2] (See Articles 12-14; Recitals 58, 60, 61, 62)

2. Purpose Limitation

a. Use personal data only for purposes that were stated

b. No processing for incompatible or secondary purposes

3. Data Minimization

a. Personal data collected must be relevant for purposes for which it was collected and not excessive (e.g., collect age vs DOB)

4. Accuracy

a. Need to keep personal data accurate and up-to-date

b. Take steps to correct or delete inaccurate or outdated Personal data

5. Storage Limitation (Data Retention)

a. Keep personal data no longer than necessary to accomplish purposes for which it was obtained

6. Confidentiality and Integrity (Security)

a. Maintain appropriate technical and organizational measures to protect personal data (risk-based approach)

7. Accountability

a. The GDPR requires all organizations to implement a wide range of measures to reduce the risk of their breaching the GDPR and to be able to demonstrate compliance with GDPR.

b. Some key obligations include:

i. Privacy by Design: organizations must implement technical and organizational measures to show they have considered and integrated data compliance measures into their data processing activities. (Article 25, Recitals 74-78)

ii. Privacy Impact Assessments (PIAs): GDPR requires that a PIA must be run on any "high risk" processing activity before it is commenced. (Articles 35-36, Recitals 89-94)

iii. Data Protection Officer (DPO): the appointment of a DPO, who ensures an organization's GDPR compliance, is required under certain circumstances. (Articles 37-39; Recital 97, Guidance from the Article 29 Working Party)

iv. Using Service Providers: GDPR imposes a high duty of care on controllers in selecting personal data processing service providers and requires specified contractual protections and obligations. (Articles 28-29, Recital 81)

v. Record of processing activities: organizations are required to maintain records of their data processing activities. (Article 30, Recital 82) Regulators may ask for a copy of these records.

D. Some Big Picture Issues

1. GDPR contains very broad definitions (Article 4, 9 and various Recitals)

a. Personal Data: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

b. Stricter requirements for Sensitive Personal Data[3] (Article 9)

i. Race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning sex life or sexual orientation.

ii. Genetic or biometric data

iii. Health/medical data

2. GDPR Has Strict Rules Requiring Specific Consent (Articles 6(1), 7)

a. The consent of the data subject is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." (Article 4(11)).[4]

i. Unambiguous consent may be signified by "ticking a box when visiting a . . . website, choosing technical settings . . . or by any statement or conduct which clearly indicates . . . the data subject's acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent." (Recital 32)

b. There is an effective prohibition on "bundled" consents and the offering of services which are contingent on consent to processing.

c. Consent must be separable from other written agreements and must be clearly presented in clear and plain language. (Article 7(2); Recital 42) There are special and specific rules for obtaining the consent of children.

d. Data subjects must have the right to revoke their consent at any time, and it must be as easy to withdraw consent as it is to give it (Article 7(3)).

e. Where consent is relied on as the basis for lawful data processing, a data controller must be able to demonstrate that consent was provided (Article 7(1)).

3. GDPR has Mandatory Data Breach Notifications (Articles 33, 34, 70, 83, 84, Recitals 85-88)

a. Data breach is more than loss of personal data, it is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed"

b. Pressure is put on controllers and processors by short and often difficult deadlines for notification.

c. Notification obligations vary depending on the type of entity:

i. Data processor: must notify data controller without undue delay after becoming aware of breach

ii. Data controller:

Notify regulator within 72 hours after becoming aware of breach (unless breach is "unlikely to result in a risk to the rights and freedoms of natural persons")

Notify impacted individuals without undue delay if breach is likely to result in "high risk" to their rights and freedoms, unless the data was rendered unintelligible (e.g., encryption), or if measures taken so that the "high risk" to the rights is no longer likely to materialize.

d. Data controllers must maintain an internal breach register (documenting each incident "comprising the facts relating to the personal data breach, its effects and the remedial action taken").

e. Fines for violation of breach notification requirements:

i. Up to €10million or 2% of global annual turnover for the preceding financial year, whichever is the greater.

4. Restrictions on Transfers of Personal Data to "third countries" (Articles 40-45, Recitals 78-91; 101-107)

a. Transfers of personal data are restricted under the GDPR, and the Commission will have the power to determine whether certain countries, territories, etc. offer an adequate level of protection for data transfers.

b. Data transfers will be permitted where an approved code of conduct (Article 40) or an approved certification mechanism (Article 42)[5] is used, provided that binding and enforceable commitments are made by the controller or processor in the third country to apply the appropriate safeguards, including as regards the data subjects' rights.

c. Breach of the GDPR's data transfer provisions can lead to a fine up to 4% of worldwide annual turnover.

E. Data Subject Rights

1. Information

a. Notice at time of data collection

b. Specific disclosures are required (e.g., the purposes of processing, the categories of data processed, and the third party recipients or categories of recipients of the data)

2. Access (Article 15, Recitals 59, 63, 64)

a. GDPR grants data subjects the right to understand if their data is processed and on what legal grounds. Data controllers must have a process for dealing with such requests.

b. The data subjects are entitled to obtain a copy of the data free of charge (with limited exceptions), usually to be provided within one month from the date of the request.

c. The access rights are intended to allow individuals to check the lawfulness of processing and the right to a copy should not adversely affect the rights of others (Recital 63).

3. Rectification (Article 16)

a. Correct inaccurate or outdated data. In some circumstances, if personal data are incomplete, an individual can require the controller to complete the data, or to record a supplementary statement.

4. Erasure (Right to be Forgotten) (Articles 17, 19 and Recitals 65-66)

a. Individuals can require data to be "erased" in certain specified situations (in essence, where the processing does not meet GDPR requirements, including upon withdrawal of consent (and no other justification for keeping data)). The right to erasure applies when:

i. The data are no longer necessary for the purpose for which they were collected or processed;

ii. The individual withdraws consent to processing (and if there is no other justification for processing);

iii. If the processing is based on "legitimate interests" and the individual objects and the controller can't demonstrate that there are overriding legitimate grounds for the processing.

iv. When the data are otherwise unlawfully processed (i.e., in some way that is otherwise in breach of the GDPR).

b. Data shared with or disclosed to other data controllers: Data controller must inform other data controllers with whom it shared the data of the erasure request.

c. Exemptions: among others, there is an exemption if processing is necessary for the exercise of the right of freedom of expression and information, if not outweighed by subjects' rights (similar balancing act to previous test applied in privacy claims).

5. Restrict Processing (Articles 18, 19 and Recital 67)

a. Stops further processing of data: the controller may only store the data, and the controller must notify other recipients of the data if it has disclosed the data to others.

6. Data Portability (Article 20, Recital 68)

a. Data subjects can demand that their personal data be ported to them or a new provider in electronic format if their data was (1) provided by the data subject to the controller (interpreted broadly); (2) is processed by automated means (so no paper records); and (3) is processed based on consent or fulfillment of a contract.

7. Object to Processing (Article 21, Recitals 69, 70)

a. Right to object to specific types of processing:

i. Direct marketing: The objection to direct marketing is absolute: once the individual objects, the data must not be further processed for direct marketing. There are no exemptions that allow the processing to continue.

ii. Processing based on legitimate interests or performance of a task in the public interest/exercise of official authority (there are limited exceptions); and

iii. Processing for research or statistical purposes (again, there are limited exceptions).

b. Notification to individuals: In the case of processing for direct marketing and processing based on tasks in the public interest/legitimate interests, the individual's right to object must be explicitly brought to his or her attention (at the latest at the time of first communication with the individual). This must be presented clearly and separately from other information, and in the case of online services, the individual must be able to exercise his or her right to object electronically.

8. Contest "automated decisions" and profiling (Article 4(4), 22 and Recitals 71, 72)

a. Prevents potentially damaging decisions taken without human intervention.

F. Key Areas Where Media Organizations are Likely to Encounter GDPR

a. Data Subjects exercising their rights (in particular the Right to Erasure)

b. Damages claims based on data protection cause of action alongside claims for defamation/misuse of private information

c. Data Breaches – including the shorter notification periods, the investigatory powers of regulators and the potential fines

d. Handling of employee (HR) data: GDPR also applies to employee personal data processed by an employer.

G. Enforcement & Penalties

1. Data Protection Authorities (DPAs), the EDPB, cooperation, and One Stop Shop (Articles 60-76; Recitals 124-140)

a. Member States appoint one or more independent DPAs with enforcement powers and to monitor the application of the GDPR; one DPA per Member State serves on the new European Data Protection Board (EDPB). Generally, there are increased regulatory powers (e.g., no-notice audits, dawn raids).

b. If a controller or processor carries out "cross-border processing" in the EU, the DPA for the main establishment acts as lead authority in respect of that cross-border processing (One Stop Shop). The lead authority must cooperate with other "concerned" supervisory authorities.

2. Remedies and liabilities (Articles 77-82, Recitals 141-147)

a. Individuals have a number of rights against controllers and processors under the GDPR, including:

i. The right to lodge a complaint with supervisory authorities where their data have been processed in a way that does not comply with GDPR (with a right to appeal to national courts against a supervisory authority's legally binding decision);

ii. The right to an effective judicial remedy where a competent supervisory authority fails to deal properly with a complaint;

iii. The right to an effective judicial remedy against a relevant controller or processor; and

iv. The right to compensation from a controller or processor for material or immaterial damage resulting from infringement of the GDPR (individuals can bring claims for non-pecuniary loss, not just for compensation. The GDPR facilitates the potential for representative/class actions).

3. Administrative Fines (Article 83, Recitals 148-152)

a. Supervisory authorities are empowered to impose significant fines on both data controllers and data processors. Fines are discretionary and must be "effective, proportionate and dissuasive."

b. There are 2 tiers of administrative fines:

i. Some GDPR contraventions[6] will be subject to administrative fines up to €10 million or, in the case of undertakings, 2% of global turnover, whichever is greater. An example is the mishandling or failure to report a data breach to the regulator.

ii. Other GDPR contraventions such as those arising out of infringements of the rights of data subjects, the general data processing principles, or non-compliance with a DPA order[7] will be subject for fines up to €20 million or, in the case of undertakings, 4% of global turnover, whichever is greater. This type of fine could result from, for example, the failure to have a legal basis to process the data at issue.

c. Article 83(2) lists factors to be considered when imposing an administrative fine, including but not limited to:

i. the nature, gravity and duration of the infringement, and the nature, scope or purpose of the processing at issue, along with the number of data subjects impacted and level of damage suffered by them;

ii. whether the infringement is intentional or negligent.

iii. actions taken to mitigate the damage suffered by the data subjects;

iv. the degree of: the responsibility of the infringer and the cooperation with the supervisory authority;

v. the categories of personal data affected;

vi. whether the controller or processor notified the supervisory authority about the infringement;

vii. if there is any previous enforcement history;

viii. whether there was adherence to approved codes of conduct or approved certification mechanisms; and

ix. any other applicable aggravating or mitigating factors (e.g., financial benefits gained, or losses avoided, from the infringement)

H. Next Steps:

1. There have been a sharp rise in data breach and data privacy complaints from consumers:

a. France (CNIL) reported a 50% increase in complaints in the first month (largely by consumer rights organization Noyb against large companies such as Facebook and Google)

b. In Austria, there have been the same number of complaints and notifications in a single month (June) as they would have received in 8 months the previous year

c. See also the UK's Information Commissioner's Office (ICO) recent GDPR report.

2. Since the GDPR's May 2018 enactment, certain DPAs have announced investigations, for example:

a. France (CNIL): announced it intends to conduct 300 investigations in 2018 to assess GDPR and French data protection law compliance. https://www.cnil.fr/fr/quelles-thematiques-prioritaires-et-quelle-strategie-de-controle-pour-2018. (in French) As of August 1, CNIL had issued formal warnings to two companies regarding the processing of data for targeted advertising. https://www.cnil.fr/fr/applications-mobiles-mises-en-demeure-absence-de-consentement-geolocalisation-ciblage-publicitaire (in French)

b. Dutch DPA: expected to undertake preliminary investigations to assess GDPR recordkeeping compliance in 30 randomly selected companies. https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-start-onderzoek-naar-naleving-privacyregels-door-private-sectoren

Bryony Hurst is a partner at Bird & Bird in London


[1] Article 6(1)(f): where "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests or fundamental rights and freedoms of the data subjects which require protection of personal data, in particular where the data subject is a child." (emphasis added)

[2] Controllers must tell individuals the following: the identity and contact details of the controller; the contact details of the Data Protection Officer; the purposes of processing and legal basis for processing (including the "legitimate interests" if that is the legal basis); recipients or categories of recipients; details of data transfers outside the EU (including how the data will be protected and how the individual can obtain a copy of the Binding Corporate Rules or other safeguards, or where such safeguards have been made available); the retention period of the data or, if not possible, then the criteria used to set this; that the individual has a right to access and port data, to rectify, erase and restrict his or her personal data, to object to processing and, if processing is based on consent, to withdraw consent; that the individual can complain to a supervisory authority; whether there is a statutory or contractual requirement to provide the data and the consequences of not providing the data; if there will be any automated decision making (including profiling) – together with information about the logic involved and the significance and consequences of the processing for the individual.

[3] Recital 51 suggests that the processing of photographs will not automatically be considered as sensitive processing; photographs will be covered only to the extent they allow the unique identification or authentication of an individual as a biometric (such as when used as part of an electronic passport).

[4] The UK Information Commissioner's Office, or ICO, has published specific guidance for UK organizations on GDPR consent. See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/

[5] On May 25, 2018, the EDPB issued Guidelines on certification and certification criteria. See https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_1_2018_certification_en.pdf

[6] Contraventions subject to these maximum fines include infringement of the following obligations:

  • To obtain consent to the processing of data relating to children (Article 8)
  • To implement certain measures to ensure data protection by design and default (Article 25)
  • on joint controllers to agree to their respective compliance obligations (Article 26)
  • on non-EU controllers or processors for failure to designate representatives (Article 27)
  • on controllers in relation to engaging processors (Article 28)
  • on processors for certain failures in the subcontracting process with controllers (Articles 28-29)
  • to maintain written records (Article 30)
  • on failure to cooperate with supervisory authorities (Article 31)
  • for failures regarding implementation of technical and organizational measures (Article 32)
  • to report GDPR breaches when required (Article 33-34)
  • for failures in the privacy impact assessment (Article 35-36)
  • for failures in the appointment of Data Protection Officers (Articles 37-39)
  • imposed on certification bodies (Articles 42-43)
  • imposed on the monitoring bodies to take action for infringement of codes of conduct (Article 41)

[7] Contraventions subject to these maximum fines include infringement of the following obligations:

  • the basic principles of processing, including failure to provide notice or have a legal basis to collect and use data (Article 5, 6, 7, 9)
  • data subjects' rights (Articles 12-22)
  • international transfers (Articles 44-49)
  • obligations under Member State laws adopted under Chapter IX; and
  • non-compliance with an order imposed by a supervisory authority (Article 58(1) and 58(2))
Joomla Templates: by JoomlaShack