Twenty years on from the introduction of the EU’s data protection, Carol A.F. Umhoefer, head of intellectual property and technology at DLA Piper in France, explores four of the anticipated consequences of the General Data Protection Regulation for the payments industry, and particularly for IoT technologies developed by it

Coinciding with the rise of computing the first personal data protection law dates back to Germany in 1970. Then, twenty years ago, the 1995 EU Data Protection Directive was adopted, establishing the first legal standards for personal data protection across an entire economic region.

That started the EU’s slow but certain influence over how EU member states – and the rest of the world – look at individuals’ right to privacy in respect of their personal data. Now, in the coming months, more than forty-five years after the first personal data protection law, we are faced with the single most important event ever in the short history of personal data protection law.

The EU will once again set the pace for reform, raising the bar for data security and protection in the EU but also (indirectly) across the globe, by adopting the EU General Data Protection Regulation, or GDPR.

The GDPR will replace in its entirety the 1995 EU Data Protection Directive and the national laws it spawned, with its terms expected to be finalised by the Council and the Parliament by Q1 2016, if not earlier.

The GDPR could therefore possibly come into effect as early as 2017. Directly applicable in the Member States, and therefore requiring no national law to take effect, the GDPR it is intended to harmonise the data protection regime across the EU. The GDPR will also work numerous substantive changes for all businesses operating, or targeting consumers, in the EU.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

More detailed information for consumers

The GDPR will likely significantly expand the amount of information that must be given to individuals when collecting their personal data. While greater transparency is usually a good thing, providing consumers in situ with detailed information about unintuitive legal concepts will be a challenge for compact wearable devices.

Contactless payment systems operators will need to verify that onboarding processes adequately deliver required information.

Security breach notification

Today, under EU legislation only providers of publicly available electronic communications networks have the obligation to report personal data breaches. And while a few EU member states (notably Germany) have mandated general security breach notifications when personal data is compromised, there may be exceptions to those obligations.

Going forward, the GDPR will require data controllers to report personal data breaches to regulators, and likely to individuals as well, within a matter of hours of the controllers becoming aware of the breach. If the U.S. is any guide, the requirement will in all probability lead to an explosion in the number of reported breaches and an avalanche of media coverage, at least initially.

Contracts with data processors

The payments industry ecosystem includes many actors, some of which act as data controllers determining how and why personal data is processed, and others as data processors following instructions from controllers.

The Directive indicates only the broadest of obligations weighing on the controller-processor relationship: a contract or legal act must ensure that the processor acts only on instructions from the controller, and that the processor implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access.

The GDPR is likely to set forth detailed and prescriptive requirements for agreements between controllers and processors, such as requiring processors to make available to controllers all information necessary to demonstrate compliance and to allow for and contribute to audits conducted by the controller.

The market standard for controller-processor contracts, which has already risen significantly in the past five years, will move higher still.

Liability

The Directive places most of the responsibility, and liability, for personal data processing on the data controller. Significant industries – such as that supporting electronic payments – may exist with relatively few actors taking responsibility for why personal payment data are being processed.

The GDPR could considerably increase liability across this and other industries. For example, the European Parliament’s version of the GDPR provides that where more than one controller or processor is involved in processing, each of those controllers or processors shall be jointly and severally liable for the entire amount of the damage to an individual whose personal data is processed, unless the controllers and processors have an appropriate written agreement determining the responsibilities.

The Council’s approach has gone even farther, providing that where more than one controller or processor, or controller and processor, are involved in the same processing -and where they are responsible for any damage caused by the processing- each controller or processor shall be held liable for the entire damage.

Knowing that the GDPR will certainly increase administrative fines for controllers and processors – up to €100m or 5% of worldwide turnover, if the European Parliament’s version of the GDPR prevails.

It is vital that the industry makes plans to start preparing for the GDPR. If it doesn’t, it risks considerable penalties for non-compliance.