The GDPR revolution
Dear clients and friends,
This May, the GDPR came into effect, ushering in what many call "the beginning of a new privacy era".
The GDPR is a set of rules and regulations surrounding data privacy that was designed to protect and empower the data privacy of all EU citizens with respect to data held by organizations. The GDPR’s purpose is to reshape the way organizations use data all across Europe, and to redefine what is considered personal data and the way in which such data is collected.
On May 8th, new privacy rules and regulations took effect in Israel.
In this memo by the Technology and Life Science Department at Hamburger Evron & Co. you can find a full review of this matter, with an emphasis on the application of data protection regulations in Israel.
Have a good read,
Adv. Yaron Sobol
This May, major changes to the privacy and data protection laws in both Israel and the EU will enter into force. In Israel, recent amendments to the Protection of Privacy Regulations (Data Security), 5777-2017 (the “Data Security Regulations”), will come into effect. EU law will undergo a larger overhaul with the replacement of the Data Protection Directive 95/46/EC with the General Data Protection Regulation (the “GDPR”).
ISRAEL - Current and New Data Security Regulations
The Privacy Protection Law, 5741-1981, both defines what constitutes an invasion of privacy and provides for the proper handling of personal information. Together with the regulations promulgated thereunder (together, the “Privacy Law”), it is the basic legislative framework for the protection of privacy in Israel, regulating, inter alia, data security, retention of personal data, rights of access, amendment and deletion of one’s personal data, transfer of personal data outside of Israel, and database registration.
In addition, the agency tasked with enforcing the Privacy Law, the Privacy Protection Authority of the Ministry of Justice (the “PPA”, formerly known as the Israeli Information and Technology Authority, or ILITA), issues guidelines indicating how it views, and looks to enforce, various rights and obligations under the Privacy Law, including through database audits, evidence collection and seizure, database registration suspension and revocation, administrative fines, and criminal liability.
There are also sector specific laws that provide additional protection with regard to certain types of information, including but not limited to the Patients’ Rights Law, 5756-1996, which regulates, among other things, the collection, use and handling of patients’ medical, health and treatment related information.
The Privacy Law protects individuals’ right to privacy, and places the responsibility of protection on individuals, entities, and the state when collecting, owning, possessing or managing “personal data”, which includes data on an individual’s (i) personality, (ii) finances, (iii) intimacy, (iv) health, (v) opinions and beliefs, (vi) family and (vii) professional qualifications, with (i) through (v) comprising a further defined subset of “sensitive data”. The difference between mere personal data and sensitive data lies not only in heightened data security requirements but also in that possession of sensitive information will require the owner to register the database even in the absence of other thresholds requiring registration.
Case law further expands the definition of “personal data” to include one’s name, address, other contact information, friends and place of work. Additionally, while the Privacy Law does not explicitly place responsibility on foreign entities and individuals to comply with its provisions, recent case law shows that Israeli and foreign entities alike, collecting personal information from Israelis, can be held liable for breaches of the Privacy Law.
Registration and Maintenance Requirements
A database must be registered if it includes personal data (i) on over 10,000 individuals, (ii) collected without informed consent, (iii) constituting sensitive data, (iv) used to provide a direct mailing service to third parties, or (v) used by a public body. In addition, regardless of whether a database meets one of the above registration triggers, all database owners must maintain the right to privacy of the individuals whose details are included in the database, from both technical and legal perspectives.
Legal maintenance includes, without limitation, obtaining informed consent for the collection and use of personal data, facilitating the right to access, amend and delete the data, obtaining sufficient undertakings from third parties to whom personal data is being transferred, and database registration as noted above. Technical maintenance includes, inter alia, creating data policies with respect to the collection, use, transfer and secure storage of personal data, managing access to the database, documenting security events, limiting the use of mobile devices and storage units with access to the database, assessing the risks involved in engaging a third party to process personal data prior to approving the engagement, and executing an agreement with sufficient contractual undertakings on the part of the data processor.
Databases used in certain types of industries, or that include certain types of personal data, are subject to additional requirements. For example, owners of databases which include sensitive information, such as medical information, must notify the national database registrar of security breaches, and conduct regular data security audits.
Some Amendments to the Privacy Law
The Data Security Regulations to take effect in May 2018 amend and add a number of provisions to the current regulations, emphasizing broader substantive responsibility over compliance with bureaucratic requirements. For example, the Data Security Regulations remove the distinction between employees and other third parties with access to a database, with regard to a database owner’s obligation to ensure that such access is being given subject to compliance with the Privacy Law. In addition, the Data Security Regulations provide an express requirement to store the database for 24 months, create a backup of the database, and analyze documented security events at least once a year, and broaden the definition of “authorized person” (i.e., a person with authorized access to the database) to include persons with authorized access to (i) the data, (ii) the database systems or (iii) any information or component required to activate or access the database.
EU - The General Data Protection Regulation
The GDPR is part of the EU data protection framework, which aims to standardize and strengthen data protection policies while replacing the Data Protection Directive (95/46/EC). While introducing clarity and updates to the current framework, the GDPR’s overall effect on organizations will be increased expenditure of the time and resources required to attain and maintain compliance. As opposed to the Data Protection Directive, the GDPR is defined as a “regulation” instead of a “directive”, and accordingly it will apply immediately, without requiring individual implementation by member states.
When the GDPR comes into effect in May 2018, it will apply to anyone, regardless of their location, holding or processing the “personal data” of data subjects (EU residents, which post-Brexit may or may not include UK residents), particularly where such activities relate to the offering of goods or services to such data subjects. Non-EU data processors and controllers will also have to appoint an EU representative. In other words, organizations using cloud storage services to store “personal data” will not be exempt from GDPR enforcement. The GDPR defines personal data to include any information that can be used to directly or indirectly identify an individual, including photos, social networking posts and computer IP addresses.
Rights of Data Subjects
The rights of data subjects have been expanded from the soon-to-be-replaced legislation in several key areas. For example, the GDPR requires greater openness and transparency with regard to the processing of personal data. Key examples of this include the right of a data subject to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where it is being processed, and for what purpose. Further, the controller must provide a copy of the individual’s personal data, free of charge, in an electronic format, at the request of the individual. Other expanded rights include the right to access and rectify one’s personal data, the right to be forgotten, and the right to require that one’s personal data be transmitted to another party.
The GDPR also introduces a stricter definition of “consent”, making consent more difficult to obtain at a time when technology advances such as the Internet of Things, or IoT, “big data” analytics, and machine learning are making reliance on consent increasingly impractical in many instances.
Under the GDPR, consent must be: (1) freely given; (2) specific, informed, and unambiguous; (3) clearly affirmative (i.e., given by an action - according to the GDPR, “silence, pre-ticked boxes or inactivity should not therefore constitute consent”). Therefore, consent must be truly optional for the data subject. If an organization withholds services or offers a degraded version of services to subjects who refuse or later withdraw consent, such consent would not be valid. In such a case, an organization looking to meet the “legitimate interest” criterion for processing personal data must be able to show that the processing is necessary for one of the reasons articulated in Article 6(1), such as that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” (Article 6(1)(b)).
Where informed consent must be obtained prior to the collection and use of personal data, the request for consent must be easy to locate, access and understand, and include an explanation of the purpose for collecting and/or using the information. In addition, it must be equally easy to withdraw consent. In the case of data subjects under 16, parental consent will be required. Processing sensitive data, such as data concerning the health of a data subject, requires “explicit”, as opposed to merely “unambiguous”, consent, or other exemptions such as where the information is needed in order to provide health care services.
As mentioned earlier, an organization’s obligations under the GDPR are not limited to the interface with customers, end users, employees and other individuals about whom data is collected and processed. The GDPR’s implications on an organization’s responsibility for the security of the data it collects are far reaching, and will in some instances require an overhaul of some or all of an organization’s infrastructure, internal policies, and relationships with service providers.
Expanded Obligations and Enforcement
Under the GDPR, data controllers and processors must implement both organizational and technical measures to ensure and maintain the security of personal data (such as “privacy by design”). Organizational measures include not only ensuring that no collection or processing is done without the existence of a legitimate interest for such activities (such as the consent or necessity requirements discussed above), but also limiting access to personal data and authorizing only those individuals and organizations who are engaged in and responsible for the processing of the personal data, and taking measures to ensure that everyone with authorized access will implement and comply with appropriate data security measures. For instance, an organization that uses cloud storage and processing services should ensure that it and the service provider execute a “data processing addendum”, or DPA, as part of the agreement. This should be done prior to entering new agreements, and also added to agreements currently in effect. Many such service providers already provide their own standard DPAs, but it is the responsibility of the organization engaging such a service provider to review the DPA and ensure it enables the organization to meet its own data security obligations imposed by the GDPR.
In terms of implementing technical measures, the GDPR introduces the concept of “privacy by design” (Article 25), which at its core calls for the inclusion of data protection from the outset of system design, rather than adding protective measures to existing systems. Further, while Article 25 provides that certification may be used pursuant to Article 42 as a way to demonstrate compliance with the “privacy by design” requirements, Article 42 itself authorizes member states to turn the certification process into an enforcement mechanism if organizations tend to choose processors that have been certified over those that are not.
Where data subjects are being systematically monitored or sensitive data about them is being processed on a large scale, such as the processing of patient data in the regular course of business by an institution (but not by an individual physician), a “data protection officer” must be appointed. The data protection officer must meet certain qualifications, be able to act with autonomy, and generally ensure that the data controller or processor achieves and maintains data protection compliance.
Organizations may find it difficult to bring their business operations into compliance with the GDPR, unless they take its requirements seriously, and commit sufficient time and resources to satisfying those requirements.
The consequences of non-compliance with the GDPR include fines even for minor infractions, such as failure to keep records in order. Depending on the infraction, fines can reach up to (and possibly exceed) EUR 20 million, or 4% of worldwide turnover - numbers that are seemingly specially designed to attract the attention of organizations’ senior level executives.
This memo, which we believe may be of interest to you, is for general information only. It is not, and does not attempt to be, comprehensive in nature or a full analysis of the matters presented. Due to the general nature of its content, it should neither be regarded nor relied upon as legal advice.