The General Data Protection Regulation (GDPR) is finally here. After a two-year transition period in which companies were given time to adapt, it became applicable on May 25, 2018.
It has been a very challenging period for companies: the GDPR brings a set of changes to the European rules on the processing of personal data that demands strict rules and processes whenever personal data is handled. To make things more pressing, the GDPR sanctions infringements with administrative fines of up to 10 million euros or 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for some infringements, and of up to 20 million euros or 4 percent for the most serious ones (such as breaches of the basic processing principles, of data subject rights or of the international transfer rules).
The GDPR aims at making data protection provisions more cohesive and unified across the European Union, making it simpler for businesses to operate. It has further been lauded for its strong stance in favor of individual control of data and what companies can do with it, all the more important in the light of recent data scandals and the Big Data and Internet of Things (IoT) revolutions. But it also has generated a string of panic attacks and night-time terrors in conscientious private and public entities, faced with the countless challenges of the GDPR. No reason to panic, though. A careful and organized implementation of the GDPR is possible. This article will guide you through the main aspects of the GDPR and how it applies to satellite operators.
TO WHOM THE GDPR APPLIES
Scope of application of the GDPR
This is one of the main changes brought by the GDPR: it has extraterritorial effect. It applies not only to companies established in the EU, but also to the processing of personal data of individuals who are in the EU by any company, wherever it is located, where the processing relates to offering goods or services to those individuals (irrespective of whether payment is required) or to monitoring their behavior as far as it takes place within the EU. Hence, entities headquartered in a third country and/or processing data through means located outside the EU are still subject to the GDPR, as long as data subjects who are in the EU are concerned. In this case, non-EU companies must designate a representative established in the EU, subject to limited exceptions.
Here, one point should be made to dispel all doubts: the fact that space objects are in outer space (which is not under the sovereign control of any state, in accordance with the Outer Space Treaty) does not exclude the application of the GDPR. Nor does the fact that space objects are under the jurisdiction and control of the state of registry (again, in accordance with the Outer Space Treaty) exclude the GDPR when that state is not an EU member state. What matters is whether the entity processing personal data is established in the EU or whether it processes data of individuals who are in the EU in the circumstances described above.
It is important to note, however, that the GDPR does not apply in certain circumstances. Of special relevance here, the GDPR does not apply to the processing of personal data in the course of activities that fall outside the scope of EU law, such as activities of member states concerning national security. This exclusion may raise questions when it comes to space activities, in the light of the increase of dual-use space activities and the practice of states of assigning security tasks to private entities: when an activity pursuing security purposes is carried out by the same entity that pursues civilian commercial purposes, it may be difficult to determine to what extent the GDPR applies.
The GDPR also does not apply to the processing of personal data by EU institutions, bodies, offices and agencies, which is governed by a separate regulation (Regulation 45/2001 at the time of writing, since replaced by Regulation 2018/1725). Hence, to the extent that space operators process personal data on behalf of such entities, the GDPR does not apply to that processing, although the separate regime does.
Controller and Processor
The two main concepts when it comes to entities processing data continue to be the controller and the processor, where the controller is the one that determines the purposes and means of the processing of personal data, and the processor is the one processing the data on behalf of the controller.
What is new, however, is that the processor now has direct obligations under the law: each category is subject to specific obligations, including with relation to data security, assistance with data subject rights, records of processing activities and data breach notifications (see below). The determination of whether a given operator is acting as data controller or processor therefore has a significant impact on internal logistics and procedural policies, budget allocations and risk assessment under the GDPR.
The GDPR further details the provisions that the contract between the controller and the processor must contain. This is very relevant for space operators that may not have a direct relationship with the data subjects but process personal data on behalf of the controller. Indeed, data processing is a broad concept, covering collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, erasing or destroying personal data. Hence, where satellites are used to carry out any of these operations on personal data, that use is processing. As a result, collecting satellite data from which personal data may be inferred (e.g., images of people or license plates), transmitting data that includes personal data via satellite, or providing location data of an individual is likely to constitute “processing” for the purposes of the GDPR.
Therefore, satellite operators will (all other requirements being met) foreseeably be subject to the GDPR, even if only as processors, in which case the main scope of their obligations will have to be reflected in the contract with the controller.
In any case, it is always important to assess the role played by space actors (data controllers or data processors) as this will impact the obligations applicable to them, as seen above.
REQUIREMENTS FOR PROCESSING PERSONAL DATA
The GDPR also brings changes in this area.
One of the most important relates to “consent,” which remains one of the lawful bases for processing personal data (a central one, but not the only one). Now, however, consent needs to be “unambiguous” (mere tacit consent is not possible), and the request for consent must be presented in an intelligible and easily accessible form, using clear and plain language. Hence, pre-ticked boxes, silence or inactivity will no longer count as consent, since consent must be expressed through a statement or by a clear affirmative action. In addition, controllers will need to be able to demonstrate that consent was given, and thus keep a record of when and how it was given. Data subjects are able to withdraw their consent at any time, and withdrawing must be as easy as giving it. When it comes to special categories of personal data (i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation), consent must further be explicit; in this scope, the European Commission clarifies that nothing short of “opt in” will suffice. For non-sensitive data, “unambiguous” consent will suffice.
The “right to be forgotten” (right to erasure) and the “right to data portability” are also two of the most visible and well-known changes brought by the GDPR. The right to be forgotten grants the data subject the right to have the data controller erase his/her personal data, cease further dissemination of the data and, where the data has been made public, take reasonable steps to inform other controllers processing it, when, among other grounds, the data is no longer needed for the purposes for which it was collected or consent is withdrawn. Note that this right is not absolute: controllers must weigh the data subject's rights against, among other things, the public interest in the availability of the data when considering such requests.
The “right to data portability” grants the data subject the right to receive the personal data he/she has provided to a controller in a “structured, commonly used and machine-readable format” and to transmit it to another controller. It applies where the processing is based on consent or on a contract and is carried out by automated means. In practice, it is the same principle long established in the telecommunications field, where subscribers can switch telecom provider seamlessly without having to change their phone number.
In addition to the above rights, the right of access is also very important: the data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning him/her is being processed and, if so, where and for what purposes, which grants data subjects an additional level of data control, transparency and empowerment.
Other principles for data processing and other data subject rights are detailed, and broadly correspond to what existed before the GDPR. Hence, personal data (i) shall be processed lawfully, fairly and transparently; (ii) be collected for specified, explicit and legitimate purposes and not be processed in a manner incompatible with those purposes (purpose limitation); (iii) be adequate, relevant and limited to what is necessary for the purposes (data minimisation); (iv) be accurate and, where necessary, kept up to date (accuracy); (v) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation); and (vi) be processed in a manner that ensures appropriate security (integrity and confidentiality).
In addition, the data subject continues to have the rights to information and rectification, as well as to object to the processing of his data in certain circumstances, including when the data is processed for direct marketing purposes. He further has the right to restrict the processing of his personal data subject to certain requirements (such as when the data subject contests the accuracy of his data).
AUTOMATED INDIVIDUAL DECISION-MAKING
The data subject has the right not to be subject to a decision based solely on automated processing of data, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.
The GDPR has introduced new provisions to address the risks arising from profiling and automated decision-making. Mainly, under the GDPR, one may only carry out this type of decision-making where the decision is necessary for entering into or performing a contract, is authorized by EU or member state law applicable to the controller, or is based on the individual's explicit consent. Where one of these grounds applies, additional safeguards must be introduced (at least the right to obtain human intervention, to express one's point of view and to contest the decision), and specific information about the automated individual decision-making, including profiling, must be disclosed. Note also that there are additional restrictions on using special categories of data for such processing.
DATA SECURITY
One of the central topics of the GDPR is security. Compared with the prior regime, the GDPR imposes stricter obligations on data processors and controllers with regard to data security while simultaneously offering more guidance on appropriate security measures. In a nutshell, the GDPR brings security obligations that require companies to invest in cybersecurity plans, audits and checks in accordance with the applicable legal provisions.
In this scope, the GDPR places upon both the controller and the processor the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. The GDPR lists examples of risk-appropriate measures, including the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing. These are examples, not a checklist: the operator must be able to show why the measures chosen are appropriate to the risks of its own processing.
In this respect, note also that the GDPR enshrines the principles of data protection by design and by default. The so-called “privacy by design” is the controller's obligation to implement appropriate technical and organizational measures from the outset, in the design of systems and processes, in an effective way so as to meet the requirements of the GDPR. “Privacy by default” is the obligation to implement technical and organizational measures ensuring that, by default, only the personal data necessary for each specific purpose of the processing is processed, including as regards the amount of data collected, the extent of processing, the storage period and accessibility.
In addition, breach notification is now mandatory in all member states. In the event of a personal data breach, the controller shall notify the competent data protection authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where the notification is made later than 72 hours, it must be accompanied by the reasons for the delay. The controller must also communicate the breach to the data subjects where it is likely to result in a high risk to their rights and freedoms. Regardless of whether notification is required, the controller must document every breach, its effects and the remedial action taken. The processor, in turn, is under the obligation to notify the controller without undue delay after becoming aware of a personal data breach, which is why the 72-hour clock and the processor's notification path should be addressed in the controller-processor contract.
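To make the pseudonymization example and the data-minimisation default above concrete, here is an added illustration (not code from the original article or from any satellite operator) for the license plate case mentioned earlier. It assumes a hypothetical record layout for vehicle detections derived from imagery, a constructed, deliberately tiny license plate format, and constructed sample rows. It shows why a plain hash of a low-entropy identifier is not an adequate pseudonym (the whole plate space can be enumerated and the hash recomputed), whereas an HMAC under a key held separately from the dataset keeps records linkable for counting without being reversible by anyone who holds only the data; it also drops fields the downstream purpose does not need.

```python
"""Keyed pseudonymisation and field minimisation for satellite-derived records.

Added example for this article; it is not code from the original page or
from any satellite operator. The record layout, the licence-plate format
and the sample rows are constructed for illustration.
"""
import hashlib
import hmac
import itertools
from typing import Iterator, List, Optional

# Constructed sample rows: vehicle detections derived from imagery, with a
# plate read, position, timestamp and an analyst note. Only the plate
# directly identifies a person; the note is not needed for counting.
SAMPLE_RECORDS = [
    {"plate": "AB-12", "lat": 48.8566, "lon": 2.3522,
     "ts": "2018-06-01T10:00:00Z", "operator_note": "clear frame"},
    {"plate": "CD-34", "lat": 48.8570, "lon": 2.3530,
     "ts": "2018-06-01T10:00:05Z", "operator_note": "partial occlusion"},
    {"plate": "AB-12", "lat": 48.8590, "lon": 2.3600,
     "ts": "2018-06-01T10:02:00Z", "operator_note": "clear frame"},
]

# Constructed plate format: two letters, a dash, two digits, over tiny
# alphabets, so the whole identifier space is 4*4*4*4 = 256 values. Real
# plate spaces are larger but still small enough to enumerate offline.
PLATE_LETTERS = "ABCD"
PLATE_DIGITS = "1234"


def enumerate_plates() -> Iterator[str]:
    """Yield every plate the constructed format allows."""
    for a, b, c, d in itertools.product(PLATE_LETTERS, PLATE_LETTERS,
                                        PLATE_DIGITS, PLATE_DIGITS):
        yield f"{a}{b}-{c}{d}"


def unkeyed_pseudonym(plate: str) -> str:
    """Plain SHA-256 of the identifier. Anyone who can guess the input
    space can recompute it, so this is not an adequate pseudonymisation."""
    return hashlib.sha256(plate.encode()).hexdigest()


def keyed_pseudonym(plate: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored separately from the dataset
    (e.g. in a key management service). The same plate always maps to the
    same pseudonym, so records stay linkable for counting, but the mapping
    cannot be recomputed without the key."""
    return hmac.new(key, plate.encode(), hashlib.sha256).hexdigest()


def recover_plate(pseudonym: str) -> Optional[str]:
    """What a party holding only the pseudonymised dataset can do: walk the
    plate space and compare the plain hash of each candidate. Succeeds for
    unkeyed pseudonyms; never matches an HMAC output it cannot compute."""
    for plate in enumerate_plates():
        if unkeyed_pseudonym(plate) == pseudonym:
            return plate
    return None


def pseudonymise_records(records: List[dict], key: bytes,
                         keep=("lat", "lon", "ts")) -> List[dict]:
    """Replace the plate with a keyed pseudonym and drop every field not
    listed in `keep` (data minimisation: the default output carries only
    what the stated purpose, counting vehicles per area, requires)."""
    out = []
    for rec in records:
        row = {field: rec[field] for field in keep if field in rec}
        row["subject_id"] = keyed_pseudonym(rec["plate"], key)
        out.append(row)
    return out


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # in practice, fetched from a key store
    print("plain hash reversed to:", recover_plate(unkeyed_pseudonym("AB-12")))
    print("keyed pseudonym reversed to:", recover_plate(keyed_pseudonym("AB-12", key)))
    for row in pseudonymise_records(SAMPLE_RECORDS, key):
        print(row)
```

Two caveats for practitioners: pseudonymised data remains personal data under the GDPR as long as the key (or any other means of re-identification) exists somewhere, so the key must be access-controlled and held by a different party or system than the dataset; and coarse location plus timestamp can themselves single out an individual, so the `keep` list is a purpose-by-purpose decision, not a fixed default.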
TRANSFERS OF PERSONAL DATA
One of the most important topics in the GDPR relates with transfers of personal data outside the EU.
Provisions on transfers of personal data apply when personal data moves across borders outside the Union, as in this case there can be increased risk for the ability of natural persons to exercise data protection rights.
In principle, transfers are only permitted to countries or international organizations that ensure an adequate level of protection, as determined by the European Commission. Absent an adequacy decision, transfers may still be allowed provided appropriate safeguards are in place. These include binding corporate rules approved by the competent data protection authority (personal data protection policies adhered to by a controller or processor established in a member state for transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or a group of enterprises engaged in a joint economic activity), and the standard contractual clauses adopted by the European Commission or adopted by a competent authority and approved by the Commission.
In this scope, it is also important to take note of the EU-U.S. Privacy Shield, which establishes the requirements to be met to transfer personal data from the EU to the US. Privacy Shield is available only for transfers to US organizations that have self-certified under the framework, as the mechanism refers solely to international data transfers to the USA.
To the extent that satellites are used to send, store or access personal data, or satellite systems are otherwise used to process personal data, the transfer mechanisms under the GDPR and/or the Privacy Shield may need to be examined, taking into account who the controller and the processor are, whether they are subject to the GDPR, where the ground segment and the parties that can access the data are located, and whether the satellites are under their control, bearing in mind that the transfer rules are aimed at transfers to third countries or international organizations.
DPIAS AND DPOS
The GDPR brings two further novelties. The first relates to Data Protection Impact Assessments (DPIAs): in accordance with the GDPR, the controller is under the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data when the processing is likely to result in a high risk to the rights and freedoms of natural persons. DPIAs are in particular required, among other cases, for a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling; for large-scale processing of special categories of data; and for systematic monitoring of a publicly accessible area on a large scale, a case that earth observation operators capturing imagery of populated areas should assess carefully.
The appointment of Data Protection Officers (DPOs) by the controller and the processor is now mandatory in certain circumstances, including when the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or the processor consist of processing on a large scale of special categories of data. The DPO is an essential feature to guarantee more control and transparency in the light of the challenges of the GDPR, as well as to spread awareness across the company.
Another relevant change brought by the GDPR relates to the notification of data processing. Under the previous legal framework, controllers were required to notify their data processing activities to local Data Protection Authorities (DPAs), which for multinationals meant multiplying notifications across the member states where processing took place. Under the GDPR, it is no longer necessary to submit notifications or registrations of data processing activities to each local DPA. Instead, there are internal record-keeping requirements: the controller and the processor shall maintain records of the processing activities under their responsibility and cooperate with the supervisory authority, including by making such records available to it on request. Organizations with fewer than 250 employees are exempt from record keeping unless the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offences.
Note also that where the processing of personal data takes place by a controller or processor established in more than one member state, or where processing substantially affects or is likely to substantially affect data subjects in more than one member state, the supervisory authority of the main establishment or of the single establishment of the controller or processor acts as lead authority. The lead authority is the one that adopts binding decisions affecting the controller and processor, and it shall closely involve and coordinate with the other supervisory authorities concerned.
AND THEN THERE ARE OTHER EU RULES…
The GDPR brings a set of new obligations and requirements for data controllers and processors when it comes to personal data, with an impact on satellite operators. It is important to note, however, that an e-Privacy Regulation is on its way.
Indeed, a proposal for new rules for telecom operators handling personal data is under discussion. This proposal aims at bringing the current rules up to date with technical developments, extending their scope to all electronic communications providers and aligning them with the GDPR. Unlike the current e-Privacy Directive, the proposed e-Privacy Regulation is much broader and covers, for example, interpersonal communications, Machine to Machine (M2M) communications and certain Over the Top (OTT) services. Hence, the e-Privacy Regulation would cover not only traditional telecom operators, but also new providers of electronic communications services. Note that, much like the GDPR, the proposed e-Privacy Regulation would apply to both EU and non-EU companies providing services in the EU. Likewise, it contains exclusions along the same lines as the GDPR. The proposal also contains security requirements, including notification of security risks to end users.
Satellite operators may also need to consider this legal framework to determine whether they are subject to it and, if so, the obligations arising from it. But that is a story (and an article) for another time. VS