The EU’s General Data Privacy Regulation: What are the Primary Concerns for US Companies in the European Market?
Sam Crochet, Esq. · Hall Booth Smith, PC · SCrochet@hallboothsmith.com
As we all know, companies use, harvest, and benefit from the collection of our personal data — names, social security numbers, email addresses, telephone numbers, occupations, purchasing history, and more. They study, analyze, and trade this data to optimize efficiency and increase profits. Of course, with the rise in cyber attacks and data breaches, laws and consumer demand pressure companies to secure networks, scrutinize vendor usage–such as the security of one cloud processor versus another–and be transparent with collection practices. Data privacy within the US is controlled by a patchwork of state and industry-specific federal laws. However, US Companies across several industries (hospitality, retail, banking, and even healthcare to name a few) are racing against the clock to satisfy increased requirements of the European Union’s (EU) new General Data Protection Regulation (GDPR), which becomes effective May 25, 2018. The GDPR will replace the current Data Protection Directive, which was well-intentioned but inadequate in the face of growing technologies and cross-border data transfers. Though many domestic companies marketing to European citizens have safeguards to accommodate state/federal laws and the Data Protection Directive, there are notable changes and increased protections within the GDPR that these companies must accommodate or risk facing stiff financial penalties.
The GDPR is geographically expansive. Immediately, companies should understand the regulation broadly applies to the processing of EU residents’ data regardless of the company’s/processor’s location. If a company markets its goods or services to EU residents beyond merely having a commerce-oriented website, then it will likely be controlled by the GDPR.1 Practically speaking, app developers, e-commerce companies, and multinational corporations wishing to tap into the European market, regardless of whether they have European offices, employees, or equipment, will be subject to the regulation.2
US companies controlling or processing customer data of EU residents face increased penalties for violating the new regulation. Fines can reach 4% of annual global revenue, or 20 million Euros per violation.3 The regulation further grants European Supervisory Authorities the power to ban a company’s data processing altogether.4 Obviously, US companies cannot afford to mishandle the security of EU residents’ data. As a result, domestic companies doing business abroad are undergoing operational reform regarding the management of international customer data. The requirements are as numerous as they are complex, causing in-house counsel and risk managers to painstakingly comb the articles and recitals or place their trust in the hands of expensive third-party compliance vendors. However US companies choose to navigate the GDPR, there are some primary concerns they must be sure to address. Again, while commentary on this subject could be extensive, US companies are well advised to focus on a few key areas outlined below:
- Stricter Technical and Organizational Security Measures;
- Data Subject Consent;
- Portability and Right to be Forgotten;
- Consumer-Friendly Breach Notification Rules; and
- Cross-Border Transfers away from EU states.
1. Stricter Technical and Organizational Security Measures
Unlike the Data Protection Directive and most US state/federal laws, the GDPR specifically outlines the steps companies should take to comply with the increased security requirement: (1) encryption and “pseudonymization” of personal data, (2) the ability to ensure confidentiality, integrity, and resilience of processing systems/services, (3) a contingency plan to restore/access data amidst a technical incident (such as a cyber attack or “ransomware” event), and (4) regular tests to evaluate the effectiveness of technical/organizational security measures (e.g. a network “penetration test” or an administrative fire drill).5
While many US companies will not achieve full GDPR compliance by the May 18, 2018 deadline, the GDPR indicates a company’s adoption of codes of conduct or certain certifications approved by the European Commission can help achieve compliance with security standards.6 These tools act as a form of communication to consumers and third parties, signaling approved safe practices. Of course, the GDPR requires accreditation be given to such codes of conduct and certifications only after they demonstrate expertise within the area of security/privacy and establish procedures for issuing and reviewing membership.7 It is still unclear which certifications and codes of conduct to use, although it appears some well-known “seals” will be honored (EuroPriSe, for example, evaluates the security practices of organizations and grants the right to display its seal).8 Equally important to actual compliance is that adoption of certain codes of conduct and certifications will almost certainly be viewed as a mitigating factor in the evaluation of penalties/fines by European Supervisory Authorities. Throughout the rollout of GDPR compliance, US companies should assume every effort will be well received by Supervisory Authorities in any subsequent investigation.
2. New Consent Rules
The GDPR requires companies to give consumers the chance to “opt in” (an affirmative selection) to data collection practices.9 This is a stark shift from the former regime and the opposite of many US state/federal laws. For example, silence, pre-ticked boxes, or inactivity will not constitute consumer consent. Importantly, when the data processing has multiple purposes, consent must be obtained for each purpose.10 The “opt in” request itself must be presented clearly and concisely, and must not be unnecessarily “disruptive to the use of the service” for which it is provided.11 Additionally, Article 7 gives consumers the right to withdraw consent at any time.
US companies should also pay close attention to the age of their data subjects, as the GDPR requires parental consent for the collection of personal information from residents under the age of 16.12 This is a higher age limit than related US state/federal laws, such as the Children’s Online Privacy Protection Rule (COPPA), impose.13 Parental consent is especially important to those app makers and marketers using social media. Start-up and revolutionary app owners alike must consider the consequences of the GDPR’s parental consent rule in order to avoid crushing fines and remain operationally efficient during the GDPR rollout. Additionally, companies should investigate whether they possess the more sensitive data specified under Article 9, which requires explicit consent from the consumer. Examples of sensitive data include genetic and biometric data, data which reveals racial or ethnic origins or political opinions, and data concerning one’s sex life or orientation.14
3. Portability and Right to be Forgotten
The GDPR provides consumers a “right to portability” and a “right to erasure.”15 The former requires companies to assist consumers in transferring their personal data to another controller, even if that controller is a competitor.16 For example, consumers can more conveniently change internet service providers when their data and profile are accessible and “portable.” The “right to erasure” (sometimes called the “right to be forgotten”) allows consumers to have their personal data deleted from a company or cloud database in some scenarios, such as when (1) the data is no longer necessary to serve the original purpose for which it was collected, (2) the consumer withdraws consent, or (3) the data reveals racial or ethnic origin, political/religious opinions, or genetic data.17
4. Consumer-Friendly Data Breach Notification Rules
Perhaps no section of the GDPR reflects increased consumer protectionism as much as the new data breach notification rules. US companies will face higher exposure to data breach reporting requirements for EU data than in the US, since the definition of “personal data” is easier to meet under the GDPR. Article 4 defines “personal data” as “any information relating to an identified or identifiable natural person.” This can include IP addresses, online cookies, mobile device IDs, names, photographs, and/or email addresses.18 This definition places a higher burden on US companies operating under the GDPR, since state/federal reporting laws often require the data in question to include a full name in addition to a social security, driver’s license, or financial account number.19 Domestic companies should immediately analyze the scope of the data they collect to determine how much of it falls within the GDPR’s definition of “personal data.” It is highly advisable to practice “pseudonymization” (referenced above), as data is only “personal” under the GDPR if it can be related to an identifiable person.20 By stripping identifiers from data, a company can generally avoid the obligations of the GDPR, costly breach reporting requirements, and the public relations storm that often follows a data breach.
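The following is an added example, not code from the article or from Hall Booth Smith, of what the “pseudonymization” recommended in sections 1 and 4 looks like in practice. It tokenizes the direct identifiers the article lists as likely “personal data” (name, email, IP address, device ID) with a keyed HMAC, so that a copy of the dataset cannot be tied back to a person without the key, and it keeps the re-identification table separate from the data so that a specific person’s records can still be located, for instance to honour an erasure request. The field names, the sample record and the helper names are assumptions made for this example; the key and the lookup table must be protected at least as carefully as the raw data, because whoever holds them can reverse the pseudonyms.

```python
import hashlib
import hmac
import secrets

# Fields the article names as likely "personal data" under GDPR Art. 4.
# The field names are assumptions for this example, not a GDPR list.
DIRECT_IDENTIFIERS = ("name", "email", "ip_address", "device_id")


def pseudonym(field: str, value: str, key: bytes) -> str:
    """Keyed, deterministic token for one identifier value.

    HMAC-SHA256 is used instead of a plain hash: without the key, someone
    holding the pseudonymized dataset cannot recompute tokens from guessed
    inputs (every IPv4 address, a list of common names), which is why the
    key must live apart from the data. The field name is mixed in so the
    same string in two different fields does not yield the same token.
    """
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(record: dict, key: bytes) -> tuple[dict, dict]:
    """Return (pseudonymized_record, lookup) for one record.

    `lookup` maps each token back to the original value. It is the
    additional information that must be stored separately from the
    pseudonymized data and protected like the key; it is what allows a
    controller to find one person's records again (e.g. for erasure).
    Non-identifier fields are copied through unchanged.
    """
    out, lookup = {}, {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS and value is not None:
            token = pseudonym(field, str(value), key)
            out[field] = token
            lookup[token] = value
        else:
            out[field] = value
    return out, lookup


def residual_direct_identifiers(record: dict, lookup: dict) -> list[str]:
    """Fields that still hold a raw direct identifier (not a known token).

    A pre-report check for a dataset copy that was exposed: an empty list
    means no direct identifier was in the clear. Indirect identification
    through the remaining fields is a separate, case-by-case analysis.
    """
    return [
        f for f in DIRECT_IDENTIFIERS
        if record.get(f) is not None and record[f] not in lookup
    ]


def new_pseudonymization_key() -> bytes:
    """Fresh 256-bit key; store it in a secrets manager, never beside the data."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    # Constructed sample record; the values are not real people or hosts.
    customer = {
        "name": "Alice Example",
        "email": "alice@example.invalid",
        "ip_address": "203.0.113.42",
        "device_id": "ios-device-0001",
        "purchases": ["hotel-booking", "car-rental"],
        "country": "FR",
    }
    key = new_pseudonymization_key()
    safe, lookup = pseudonymize_record(customer, key)
    print("pseudonymized:", safe)
    print("raw identifiers left in the clear:", residual_direct_identifiers(safe, lookup))
```

The analytic fields (purchases, country) survive intact, so the pseudonymized copy is still usable for the profiling and optimization the article describes, while the table that reverses the tokens sits in a different, more tightly controlled store.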
In the event of a data breach involving EU residents’ data, US companies will have to report the event to European Supervisory Authorities within 72 hours of obtaining notice of the breach.21 This is more precise than many state laws, which generally apply a “reasonable time period” or “without undue delay” standard. Further, whereas notification to the European Supervisory Authorities turns on whether there is “risk” to the consumer, notification to consumers turns on whether there is “high risk.”22 Therefore, US companies will be forced to determine whether a breach’s risk to a consumer meets this higher standard, at which point they would have to provide notice without undue delay. This ambiguity could trouble domestic companies struggling to respond in the hours and/or days following a data breach. The GDPR does offer some clarity, indicating “high risk” may include severe consequences such as the threat of discrimination, identity theft or fraud, financial loss, and/or damage to reputation.23 Therefore, under the GDPR, US companies will be more likely to report a breach to a public institution than directly to an EU resident, which is typically not the case under US state/federal laws.
5. Third-Country (Cross Border) Transfers
Often, a US company will seek the assistance of a European vendor to process payments, manage HR responsibilities, or provide cloud services. Unless contractually restricted, these third-party processors can seek further support from non-EU based organizations provided they first establish appropriate safeguards.24 Such a scenario triggers significant implications under the GDPR. Primarily, US companies will be liable for GDPR violations of their vendors, including the non-EU vendors.25 While the new cross-border data transfer rules somewhat mirror those of the current Data Protection Directive (such as the approval of transfers to countries deemed “adequate” by the European Commission26), the GDPR states European Supervisory Authorities shall now approve uniform “binding corporate rules” (BCRs) and standard contractual clauses to simplify this process. BCRs or standard clauses should be implemented by US companies and EU vendors to enforce safeguards among all participating parties in a data transfer away from the EU and to protect the US company from potential penalties.27 Importantly, the GDPR requires BCRs to expressly confer enforceable rights on consumers with regard to the processing of their personal data. Notwithstanding the use of BCRs and standard clauses to facilitate transfers to non-EU organizations, US companies are free to negotiate cross-border transfer issues directly with their EU-based processors ahead of time to set expectations and limit liabilities.
Given the increased obligations and significant penalties for US companies violating the GDPR, it is paramount to update technical and administrative security, policies for obtaining consent, and breach reporting practices. Along the same lines, when collecting, transferring, and entrusting data to/from third parties, US companies can reduce liability by adopting EU-approved codes of conduct, certifications, BCRs, and/or standard contractual clauses. Even if full GDPR compliance is not on a company’s radar by May 2018, organizations have a financial incentive to address the foregoing issues, as EU investigators will consider the level of effort the company exhibits in their decision to levy penalties.
Sam Crochet, Esq.
Hall Booth Smith, PC
O: (404) 954-6930
C: (404) 702-0998
1 Regulation 2016/679/EC of the Parliament and of the Council on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, O.J. L 119, Art. 3 (adopted Apr. 27, 2016) (effective May 25, 2018) [hereinafter GDPR].
2 Courtney Bowman, A Primer on the GDPR: What You Need to Know, Proskauer Privacy Law Blog (Dec. 23, 2015), http://privacylaw.proskauer.com/2015/12/articles/european-union/a-primer-on-the-gdpr-what-you-need-to-know/.
3 GDPR Art. 83(5). It should be noted consumers have a right to judicial remedy against companies and processors under the GDPR.
4 GDPR Art. 58.
5 GDPR Art. 32; GDPR Recital 49.
6 GDPR Art. 40-42.
7 GDPR Art. 43(a)-(c).
8 EuroPriSe (May 31, 2017), http://www.european-privacy-seal.eu/EPS-en/Home.
9 GDPR § 32.
12 GDPR Art. 8.
13 COPPA, 16 C.F.R. §§ 312.2, 312.3 (2015) (generally requiring parental consent for children under the age of 13).
14 GDPR Recital 91. Large scale collection of “sensitive data” requires companies to undergo a “data protection impact assessment” to identify possible vulnerabilities related to processing this type of data.
15 GDPR Art. 18, 20.
16 GDPR § 20.
17 Id.; GDPR § 65.
18 Philip Brining, What is Personal Data?, Data Protection People (Apr. 20, 2016, 7:46 AM), http://www.dataprotectionpeople.com/what-is-personal-data/.
19 Ariz. Rev. Stat. Ann. § 44-7501; Cal. Civ. Code § 1798.80 et seq.; N.Y. Gen. Bus. Laws § 899-aa.
20 GDPR Art. 4.
21 GDPR Art. 33.
22 GDPR Art. 34. US Companies are used to conducting a “risk of harm” analysis in deciding whether to report a data breach to a state agency, federal department, or consumer. The GDPR only requires notification to consumers in the event of a “high risk” to the rights and freedoms of natural persons.
23 GDPR Recital 75.
24 GDPR Art. 46 (stating “a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”).
25 GDPR Art. 83.
26 GDPR § 103.
27 GDPR Art. 47.