Copyright © Media Law International 2018. All Rights Reserved.
Specialist Guide to the
Global Leaders in Media Law Practice
EU data protection regulation was called into existence in the 90s to coordinate Europe’s varying personal data protection regimes, as these were no longer adequate in a standalone capacity for the changing environment and the internal market realities in the Union.
To this degree, the GDPR reflects on the last 20 years of legislative experience by establishing a single EU regulation on the protection and free movement of personal data, introducing universal principles and definitions for key terms in the area and elevating the rights of individuals, i.e. data subjects, to a new degree of protection enforceable not only against companies in the EU, but also in the rest of the world.
The first way in which the new EU data protection regime affects business is through its increased territorial scope. Firstly, the GDPR applies to every company established in the EU which processes personal data, or outside of the EU, but in a place where Member State law applies by virtue of international public law, regardless of whether the processing itself takes place in the Union or not.
Secondly, the GDPR applies to every data controller and processor that processes personal data of data subjects residing in the Union. This ensures that as of 25 May 2018 the definitions, principles and provisions of the GDPR shall be enforceable towards any company so long as it processes personal data, that is, collects, records, organises and in any other way operates with information that relates to an individual residing in the Union.
The second and most direct way the GDPR affects media businesses is by introducing a series of new obligations for them in their capacity as data controllers/processors. The most significant of these relates to the new obligation for accountability, i.e. the ability of the controller at any given moment to demonstrate compliance with the GDPR principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
For example, to prove that the principle of lawfulness is fulfilled, the controller ought to be able to provide legal grounds for processing personal data (such as freely-given consent, performance of contract, legal obligation, interests of the data subjects or other persons, etc.).
Thirdly, in order to be able to demonstrate compliance with the regulation, data controllers ought to adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.
To reach data protection by design, the company ought to have ensured its legal compliance with the regulation by mapping data flow inside company processes, performing a gap analysis, and writing down and implementing an action plan that might include the following: minimising processing of personal data to ensure transparency with regard to the functions and processing of personal data, enabling data subjects to monitor data processing, joining an approved data controllers/processors code of conduct, and other steps required to reach full compliance with the regulation.
Companies may perform the abovementioned steps by themselves using in-house resources and/or use outside help from specialists with a deep understanding of the regulations in the area. From a technical point of view, companies should also find the most adequate IT solutions to ensure full compliance.
Fourthly, the GDPR also introduces obligations for the controller relating to the reinstated data subjects’ rights, such as the right to information as to whether an individual’s personal data is being processed as well as access to the stored data, the right to rectification and erasure (‘the right to be forgotten’), the right to restriction of the processing as a temporary measure in the course of data processing dispute resolution, the right to objection to automated individual decision-making, the right to data portability and notification in case of a serious data breach.
The final and perhaps most media-savvy way the GDPR affects the businesses of companies in the area is by its notoriously high sanctions in cases of non-compliance with the regulation (administrative fines up to EUR 10 million, or in the case of an undertaking, up to 2 per cent of total worldwide annual turnover of the preceding financial year, whichever is higher; or in special cases up to EUR 20 million, or up to 4 per cent of total worldwide annual turnover of the preceding financial year, whichever is higher).
In conclusion, it bears mentioning that the issue of data processing regulation is widely regarded as one that is about striking the balance between the interests of companies and individuals. While not untrue, this point can be misleading as it induces the belief that companies and consumers find themselves at opposite ends of the spectrum, struggling to force their ways onto each other. Yet it is to be noted that when it comes to personal data, they are partners rather than competitors.
While companies utilised the personal data market as a way to increase their profits, they only started collecting and processing personal data in the first place to answer consumer demand for a faster, more intuitive way of consuming media content.
Providing sensible personal data regulation is thus not only about company margins and data analytics; it is also an issue of improving user experience in a world where consumers are increasingly more likely to communicate with screens rather than paper magazines, and where media interaction is just a ‘share’ away.
Processing Personal Data Under the New European Union General Data Protection Regulation
Counting down the last few remaining months until the 25 May 2018 repeal of EU Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and its replacement with the new GDPR, businesses in Europe and their consultants are heading towards the most significant reform in the EU. This would most certainly affect the way companies operate even - or especially - in the media sector. But why does the GDPR even exist in the first place?
Yoanna Ivanova is one of the leading lawyers at Gugushev & Partners Law Office in the area of intellectual property and media law. She has a master's degree in law from Sofia University St. Kliment Ohridski and is a member of the Sofia Bar Association. Ms Ivanova is an Industrial Property Representative and European Trademark and Design Attorney. Her work is focused on intellectual property, media law and data protection law. She actively participates in the preparation of different kinds of legal statements with regard to developments in websites and the electronic transfer of data on the internet. Ms Ivanova also advises on and drafts various copyright, advertising, brand protection and online services documents.
Petko Angelov is co-founder and partner in Gugushev & Partners Law Office. Before establishing Gugushev & Partners, Mr Angelov worked for several law offices including CMS Reich-Rohrwig Hainz - Sofia and Aliena Consult. He has a master's degree in law from Sofia University St. Kliment Ohridski and is a member of the Sofia Bar Association and PONTES Legal Network. Mr Angelov has also specialised in American business law with the Texas University professor Sheila Hochhauser. He is head of the Intellectual Property and Media Department at Gugushev & Partners Law Office. Mr Angelov leads various projects relating to telecommunication, information technology, internet and online services and has significant experience handling different kinds of intellectual property matters and related litigation procedures.