Many companies have exactly 1 year to get their privacy house in order. On May 25, 2018 the European Union’s General Data Protection Regulation (found here in its entirety; the reg itself, without precursors, is here: GDPR regulation only) goes into effect. It brings tremendous changes to the previous data protection rules, but in this short post I discuss what I consider to be the “Big 3” issues that the new rule presents. I also explain why, even though US privacy law is almost nonexistent (in the general consumer privacy context), these EU rules will become more and more important even for smaller companies operating solely in the US, due to the globalization of data exchange. OK, the Big 3:
- Huge fines for small errors. The GDPR allows for fines of up to the greater of 20,000,000 Euros, or 4% of annual global turnover. And there is every indication that the privacy regulators will be very harsh in doling out these fines, even for fairly innocuous errors. That has certainly been the trend in the U.S. for sensitive data like protected health information.
- Information included within the rule is almost everything. The regulation (Article 4, Section (1)) defines “personal data” to mean “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” It is clear this definition encompasses far more information than just “identifying” information – for example, an “online identifier” is just about any technology that tracks a user.
- Extra-territorial scope. The regulation (Article 3) extends the reach of the GDPR well beyond the borders of the EU. First, it states that it “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” So, any data processed by a controller or processor who is located in the EU is subject to this rule, even if the data subject is not an EU resident. Next, it states “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” So, regardless of the location of a business, if the business offers goods or services to data subjects in the Union, whether paid or unpaid, the GDPR applies. Finally, “[t]his Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” The US has not yet adopted public international law that accedes to this rule, but other countries may do so. Operating in those countries would impose the rule on the controller or processor.
There is a separate issue about whether the EU could enforce the GDPR against a US-based entity in the EU, or whether it would have to come to the US and file such a claim; and there is also a separate question of whether a US court would enforce a foreign law against a US-based business without an enabling treaty or other enabling statute. However, a company that operates solely in the US would probably have to play ball with the EU authorities if it ever wanted to be able to actually do direct business in the EU. Most large companies have already made that decision. Smaller companies that are wholly located in the US will have to consider whether they want to take the risk of GDPR enforcement, and whether they ever want to expand direct services into the EU.
One year seems like a long time, but the GDPR has been known for some time (it was adopted in 2016), and now the time is short. Companies that might be subject to it really need to be well on their way to assessing what data they are collecting, how they are using it, what efforts they have made to obtain consent to that use, and how they will meet the 6 principles in a timely fashion.
For more information, contact Mike Oliver.