“The Impact of GDPR on Private Law – Challenges of Business Liability and Personal Data Protection in Albania”
by Megi Kurti
One of the latest debates among the European Union (EU) institutions is related to personal data handling and processing. With the new forms of technology which have come in our way, new legal challenges are presented in every member state of the European Union (and not only within the EU, but in non-member states as well) to revise the legal framework with respect to the protection of personal data.
As a field of law, data protection law is constantly affected by new challenges: the more technology evolves, the greater the need to protect personal data, and the greater the challenges facing every legal system. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) replaces Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The GDPR entered into force on 25 May 2018 and the first court decisions based on its application and interpretation have just been released by some national courts, such as a German court, the Würzburg Regional Court[1], which issued in August 2018 an interim injunction against a lawyer who provided an incomplete Privacy Policy on her website as well as an unencrypted contact form. The court considered both the missing Privacy Policy and the lack of encryption of the website to be violations of the GDPR. Still, it is too early (at the time this article was written, April 2019) to have an interpretation of the GDPR provisions by the Court of Justice of the European Union, although there are several debates at the EU level.
Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. In haec verba, this means that if companies established in the EU have branches in, or otherwise collaborate with, companies that are not located in an EU member state, and if those companies process personal data, they too have to comply with the provisions of this Regulation, leading to new interpretations of the “connecting factors” from the private international law perspective.
Technology has digitalized a wide range of our everyday working processes, facilitating the communication of information and data through it. However, these developments and other concepts such as “big data” present to us, as legal scholars and practitioners, new challenges regarding the protection of data. The information we access is a transcript presented in a way that we, as human beings, are able to understand, when actually it is written by software developers using the code of different programming languages. As a result, Artificial Intelligence is, in fact, a way to show us the very complex methods and routes through which our data are registered, collected, processed and stored by these systems, which are in the end managed by a group of IT engineers and probably controlled by their supervisor or the company responsible for them. That is how many subjects have access to our personal data. These data may be used by companies which collect personal data as part of their business activities or as part of a contractual agreement, for many purposes, which may or may not be in accordance with, or serve, the aim and purpose for which they were collected in the first place. In this regard, Article 23 of the GDPR[2] calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimization), as well as to limit access to personal data to those who need it to carry out the processing.
According to Article 4(7) of the GDPR, the term “controller” refers to a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.[3] In that case, if their technological systems still store and have access to our information and personal data without any reason or purpose to which we have agreed, we are facing a concrete situation of a data protection breach, and the whole burden lies with the company (i.e. the controller), which, according to the GDPR, may be subject to huge fines.
Therefore, the legal instrument protecting personal data came in May 2018 in the form of a regulation, replacing the previous Directive. As a regulation it gives personal data protection more importance, since it is directly applicable in all member states. However, the novelty of the GDPR in this regard is its extraterritorial application, meaning that there is a need for a harmonized legal framework not only in every state to which these data are transferred, but also in non-member states such as Albania.
The growth of foreign business investments in Albania, as well as the establishment of trade relations between Albanian and foreign entities, require the implementation of technological measures in the framework of business and commercial transactions. This creates not only challenges for updating the legislation in this context, but also the need to train legal practitioners and the legal advisors of businesses in data protection law, since such businesses, due to their relationship with foreign entities, are more or less subject to the application of new legal interpretations. In this regard, in 2016 alone there were 5,637 foreign and joint enterprises (Albanian and foreign) operating in the territory of the Republic of Albania, and the number of foreign joint ventures exercising economic activity in our country increased by 11.6% in 2017 compared to 2016.[4] Businesses from different parts of the EU want to be sure that the legislation in the countries where they are investing complies with these data protection rules; otherwise the fines will create a huge loss for their capital investments. This requires the attention not only of legal scholars but also of corporate lawyers (who assist such businesses on a daily basis) to these new regulations on processing personal data.
INNOVATIONS AND THE TERRITORIAL SCOPE OF THE GENERAL DATA PROTECTION REGULATION WITH REGARD TO ITS IMPLICATION IN ALBANIA AS A NON-EU MEMBER STATE
Some of the new aspects that the GDPR has brought, as referred to on GDPR.org[5], consist of:
- Broadening the territorial scope of its legal effects.
Perhaps the biggest change in the regulatory landscape of data protection comes with the expanded jurisdiction of the GDPR’s effects. Previously, the territorial application of the Directive was unclear; the GDPR makes its applicability very clear. The GDPR is applicable to the processing of personal data by controllers and processors located in EU countries, regardless of whether or not the processing is carried out in those countries.
- Strengthening the criteria for granting consent.
There is a new approach to the concept of “consent” under the GDPR. The new Regulation deals with concrete practical aspects of consent and related matters, such as the consent of minors or consent given by electronic means.
- New Rights:
- Right to be forgotten.
This right means that the data subject has the right to require the controller to delete the personal data about him or her without delay, and the controller has the obligation to delete personal data on the grounds set out in the EU Regulation;
- Data Transferability Right – Data Portability.
The data subject has the right to obtain the personal data that he or she has provided to the controller in a structured, widely used and machine-readable format, and those data are transferable to another controller without hindrance.
- Strengthening accountability
The GDPR brings about a strengthening of accountability in relation to data processors. Controllers are required to pay more attention to respecting the principles of data protection and the rights of data subjects at each stage of data processing, by creating a culture of monitoring, reviewing and evaluating processing procedures, backed by increased sanctions against those who fail to comply with the law on the protection of personal data.
- Increasing transparency
The principle of transparency requires any information directed to the public or to the data subject to be concise, easily accessible and easy to understand, in plain and clear language.
- Protecting the Data of Children
Children deserve specific protection regarding their personal information as they can be less aware of the pertinent risks, consequences, warranties and rights with respect to the processing of their personal data.
- Strengthening the independence of the Authority for the Protection of Personal Data.
The GDPR guarantees the full independence of the Personal Data Protection Authorities, suggesting increased human and financial resources.
- Appointment of Data Protection Officers (DPO)
The GDPR introduces, as an innovation, the obligation to designate Data Protection Officers, whose task is to monitor the compliance of data controllers or data processors with the GDPR and other data protection laws.
Meanwhile, the role of the DPO is detailed in EU Regulation 2018/1725[6], and by interpretation of Articles 35, 37 and 39 of the GDPR, the DPO should be given adequate resources to stay informed, receive ongoing training, and develop and maintain connections with DPOs and privacy professionals around the world who face similar professional challenges[7], thus creating the opportunity to be organized in a network of DPOs. By joining a network of privacy professionals and attending events, a DPO can keep abreast of regulatory updates and exchange best practices and know-how.[8]
- Certification of data controllers – data processors
Pursuant to Article 43 of Regulation 2016/679, certification of controllers is a means of protecting data, granted at the controllers’ request. In this sense, the supervisory authority must have created the necessary legal conditions for:
- Drafting and approving the legal or sub-legal act “On Certification of Systems information security management, personal data and their protection”;
- Accreditation of the certification body;
- Certification of controllers.
The purpose of this objective is to harmonize the entire existing legal framework for the protection of personal data with the best EU practices in order to guarantee this right.
On the other hand, infringements of certain provisions of the Regulation are subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
As can be seen, the novelties of the GDPR are numerous. Although Albania is not yet part of the EU, it should follow the trend of harmonizing national legislation with the acquis communautaire, not only as a country aspiring to integration, but also because of the extraterritorial principle. By way of example, the cumulative liability regime of Article 82(4) of the GDPR reflects the general principles of tort law regarding multiple tortfeasors, and it applies when any part of the processing of personal data has taken place on Albanian territory. In this regard, when any part of the processing of personal data has taken place in Albania, legal practitioners should be familiar with the GDPR, notwithstanding their professional knowledge of the whole domestic law on personal data protection.
In conclusion, the general principle is that either of them may be sued: “the controller”, who is liable for any processing activity under its control, and/or “the processors”, who should be directly liable towards data subjects. It is a cumulative liability regime, in which the data subject has a choice whether to sue the controller, the processor, or both, at least in cases where both controller and processor are at least partially responsible for the damage.[9]
THE TERRITORIAL SCOPE INTERPRETATION
“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union. 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”[10] This is, expressis verbis, the territorial scope of the Regulation as prescribed in its Article 3. It implies that even in a non-EU Member State such as Albania, if processing and storage of personal data are taking place, the Regulation will apply.
The decision of the Court of Justice of the European Union (CJEU) in Google Spain and Google[11] informs the interpretation of the territorial scope. The case concerned the personal data of a Spanish national resident, Mr. Costeja González, appearing in links to the daily newspaper La Vanguardia. He was mentioned in relation to a real estate auction connected with attachment proceedings for the recovery of social security debts. He requested that his personal data be removed, or that they no longer appear in the links to La Vanguardia. The CJEU was requested to give a preliminary ruling, and one of the questions concerned the territorial scope of Directive 95/46/EC, since that Directive relies on the same concept; more precisely, the interpretation of Article 4(1)(a) of Directive 95/46/EC was requested.
The national court began by asking whether an entity is to be considered an “establishment” when “the undertaking providing the search engine sets up in a Member State an office or subsidiary for the purpose of promoting and selling advertising space on the search engine, which orientates its activity towards the inhabitants of that State”.[12] The CJEU noted that Article 4(1)(a) should not be interpreted restrictively and that the provision prescribes a particularly broad territorial scope.[13] The reasoning of the CJEU focused mainly on determining the meaning of “in the context of the activities” of an establishment, rather than on the notion of “establishment” itself.
The CJEU stated that “carried out in the context of the activities” in Article 4(a) of the Directive cannot be given a restrictive interpretation, since the provision needs to be read in light of the objective of Directive 95/46/EC. Furthermore, the CJEU noted that the goal of this Directive was to ensure the effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data.
The objective of the Regulation is the same and, in this regard, we can expect that if the same case were brought before the CJEU after the entry into force of the GDPR, the interpretation of the territorial scope would remain the same and would be even more detailed. It is also important to note that the GDPR applies when the processing activities are related either to the offering of goods or services to data subjects in the EU, or to the monitoring of their behavior. In my opinion, the term “related to” seems to be a vague notion that does not require any strong connection between the processing activities and the offering of goods or services or the monitoring of behavior. However, this does not cause any problem with the notion of “related to”, since it still requires that there is some connection between the processing activities and the offering of goods or services or the monitoring of behavior. On this interpretation, if there is a connection between the processing activities and companies that operate in the territory of Albania, then the Regulation applies. Another argument and ratio for this application is found in Recital 23 of the GDPR itself: “In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment…”.
REGARDING THE LEGAL FRAMEWORK IN ALBANIA
We have a dynamic process and reform ahead, with the adoption of the Additional Protocol for the Modernization of Convention 108 of the Council of Europe and the launch of the implementation of the General Data Protection Regulation, which require engagement in adopting reforms of data protection legislation in Albania.
Some of the most important laws governing data protection in Albania are:
- the Constitution of the Republic of Albania;
- Law No. 9887, date 10.03.2008, “On Protection of Personal Data”, as amended;
- Law No. 119/2014 “On the right to information”;
- Law No. 9288, date 7.10.2004 “On the ratification of the Convention ‘On the Protection of Individuals from Automatic Data Processing’”;
- Law No. 9287, date 7.10.2004 “On the ratification of the Additional Protocol to the Convention ‘On the Protection of Individuals from the Automatic Processing of Personal Data’, regarding the supervisory authorities and the cross-border transfer of personal data”;
- Law No. 9918, date 19.05.2008, “On electronic communications in the Republic of Albania”, as amended;
- Law No. 8839, date 22.11.2001, “On management of collection and storage of information classified as state secret”;
- Law No. 8839, date 22.11.2001 “On the collection, administration and preservation of Classified Police Information”;
- Law No. 10 371, date 10.2.2011 on “Ratification of the Memorandum on the legal Guarantee and legal remedies against the illegal processing of personal data”.
The Albanian Constitution in its Article 35 states: “1. No one can be obliged, except when required by the law, to disclose information relating to his or her person. 2. Any collection, use and disclosure of the data about the person is done with his consent, except in cases provided by law. 3. Everyone has the right to be acquainted with the collected data about him, with the exception of cases provided for by law. 4. Everyone has the right to request the correction or deletion of untrue or incomplete data or data collected in violation of the law”.
Compared to EU data protection law, some of the provisions of our legal framework are structured on the same basis. Law No. 9887, date 10.03.2008, “On Protection of Personal Data”, as amended, gives in its Article 3 the definition of personal data: any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. “Sensitive data” means any information relating to a natural person that refers to his racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs or criminal prosecution, as well as data concerning his health and sexual life.
CONCLUSIONS
Given the territorial scope of the GDPR, and also as a country aspiring to EU integration, all Albanian organizations and businesses offering paid or unpaid goods and/or services to EU citizens fall under the scope of the GDPR. In this regard, the Albanian Commissioner on the Right to Information and Personal Data has set up a strategy[14] which focuses on the harmonization of current Albanian data protection legislation with the GDPR. This is, in my opinion, a very important step for actually mapping the issues currently addressed and regulated by our domestic law from the viewpoint of the GDPR, in order to have harmonized legislation. The harmonization of the legislation on personal data protection will consequently offer a more secure legal environment for foreign investors to collaborate with Albanian enterprises. The latter will also require legal practitioners to be up to date not only with the new harmonized legislation and the GDPR in general, but also with the latest interpretations of the CJEU, which will interpret the GDPR provisions that will then be applied in the same way to similar cases.
Raising awareness among legal practitioners, as well as among businesses’ legal advisors, of the harmonized data protection law will enable them to implement and comply with such personal data protection rules in their business operations and prevent any breach of them. In addition, preventive measures save them from potentially time-consuming court procedures, which affect the reputation of the company concerned to a considerable degree. The efficiency of a company and its reputational risk are of great importance for foreign enterprises to evaluate before any collaboration.
[1] Landgericht Bochum, I-12 O 85/18, judgment of 7/8/2018.
[2] General Data Protection Regulation, (fn. 2), Art. 23
[3] General Data Protection Regulation, (fn. 2), Art. 4
[4] Albanian Statistical Institution, INSTAT http://www.instat.gov.al/media/3663/foreign-enterprises-in-albania.pdf
[5] GDPR Key Changes – An overview of the main changes under GDPR and how they differ from the previous directive https://eugdpr.org (accessed on 20th of May 2019)
[6] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC
[7] European Data Protection Supervisor – Network of DPOs (accessed on 20th of May 2019) https://edps.europa.eu/data-protection/eu-institutions-dpo/network-dpos_en
[8] From Here to DPO: Building a Data Protection Officer, (accessed on 20th of May 2019) https://iapp.org/media/pdf/resource_center/From_Here_to_DPO_FINAL.pdf
[9] “Liability under EU Data Protection Law”, www.jipitec.eu/issues/jipitec-7-3-2016/4506 (accessed on 9th of May 2019).
[10] Article 3 of the General Data Protection Regulation, (fn. 2).
[11] CJEU, case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317.
[12] Ibid., para. 20.
[13] Ibid., para. 54.
[14] 2018-2020 Strategy for the Right to Information and the Protection of Personal Data (accessed on 14th of May 2019)
* * * * *
Megi Kurti
Megi is a lawyer who graduated with a Master of Science in Civil Law from the Faculty of Law, University of Tirana. Since 2017 she has worked as an Assistant Professor of EU law at the Faculty of Law, University of Tirana.
She is engaged in research with a focus on human rights, civil law, private international law, EU law and personal data protection, and has participated in various national and international scientific conferences both as a speaker and as the author of several research papers.
Megi is attracted by innovation in law in the digital era and the challenges that technology presents to legal regulation today. One of her innovative presentations, very well received by the participants in the National Scientific Conference (December 2018) at the University of Tirana, was her article on “Blockchain and smart contracts as new forms of contracts”.