The European Union’s General Data Protection Regulation (“GDPR”) became effective on May 25, 2018. GDPR regulates personal information, particularly personal information gathered from individuals in the European Union (“E.U.”) or stored in the E.U. GDPR is a vaguely written, 99-article document. Lacking interpretive jurisprudential guidance, entities had to implement GDPR compliance procedures without fully understanding GDPR’s extent and impact. Understandably, GDPR applies to multinational entities with headquarters or subsidiaries in the E.U. that gather and process personal data in the E.U. However, smaller entities without a physical presence in the E.U. can also be subject to GDPR. GDPR’s full scope might not be realized for several years, but GDPR has already influenced U.S. entities and has also started to influence domestic privacy laws.
The E.U.’s approach to privacy laws is drastically different from that of the U.S. E.U. law assumes personal information is protected unless a statute explicitly lists an exception to gather or monitor personal data, an approach that is likely rooted in Europe’s unfortunate history of dictators and special police, such as Nazi Germany’s Gestapo, completely disregarding personal privacy protections. GDPR certainly maintains, and even expands, Europe’s tradition of strengthening privacy rights and restricting access to personal information. Conversely, U.S. law permits gathering and monitoring personal data unless privacy laws, such as HIPAA or FERPA, expressly regulate access to personal information.
GDPR greatly increases E.U. privacy protections. GDPR restricts access to personal information and expands personal privacy rights. GDPR covers personal data and regulates the controllers and processors of personal data. GDPR’s definition of personal data is broader than the U.S. understanding of personal data as information that includes date of birth and Social Security number. GDPR personal data includes “any information relating to an identified or identifiable natural person . . . who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or” any data factor specific to an individual, such as “the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” ((Commission Regulation 2016/679, art. 4, 2016 O.J. (L 119) 33)) In other words, almost any data from an individual are personal data under GDPR. Even a randomized number identifier could be personal data under GDPR if an individual could be identified with that information.
GDPR applies to controllers and processors of personal data. GDPR Article 4 defines a controller as a legal person or entity that “alone or jointly with others, determines the purposes and means of the processing of personal data.” ((Commission Regulation 2016/679, art. 4, 2016 O.J. (L 119) 33)) Controllers must “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with [GDPR].” ((Commission Regulation 2016/679, art. 24, 2016 O.J. (L 119) 47)) Multiple entities can be “joint controllers” under GDPR. ((Commission Regulation 2016/679, art. 26, 2016 O.J. (L 119) 48)) Joint controllers “jointly determine the purposes and means of processing.” ((Id.)) Joint controllers must be transparent about each entity’s responsibilities to ensure personal data collection and processing complies with GDPR. ((Id.))
GDPR also regulates personal data processors, although GDPR’s definition of a processor is vague. Processors are legal persons or entities that “process personal data on behalf of the controller.” ((Commission Regulation 2016/679, art. 4, 2016 O.J. (L 119) 33)) GDPR lists regulations for processors in Article 28. Generally, processors must ensure processing procedures are compliant with GDPR and only process personal data “on documented instructions from the controller.” ((Commission Regulation 2016/679, art. 28, 2016 O.J. (L 119) 49)) Processors must also be transparent with a controller and must delete or return personal data at a controller’s request. ((Id.))
Controllers and processors must cooperate with supervising data protection authorities, which are government-designated officials who enforce GDPR and investigate potential GDPR breaches. ((Commission Regulation 2016/679, art. 33, 2016 O.J. (L 119) 52)) Generally, a controller or processor will designate a data protection officer under Article 37. A data protection officer monitors data processing and is likely the contact position for government data protection authorities. ((Commission Regulation 2016/679, art. 37, 2016 O.J. (L 119) 55)) Data protection officers must ensure data is securely stored and processed pursuant to Article 32. Data protection officers must also work with government authorities when a controller or processor experiences a personal data breach. ((Commission Regulation 2016/679, art. 33, 2016 O.J. (L 119) 52)) Controllers must notify a supervising authority with certain information related to a personal data breach within 72 hours of the breach. ((Id.)) In severe cases, “[w]hen the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” ((Commission Regulation 2016/679, art. 34, 2016 O.J. (L 119) 53))
GDPR prohibits collecting and processing personal data without a lawful exception. Controllers should only use processors that guarantee GDPR compliance. ((Commission Regulation 2016/679, art. 24, 2016 O.J. (L 119) 47)) Article 6 of GDPR establishes lawful exceptions for processing personal data. Processing personal data is lawful only if at least one of the following exceptions applies: 1) an individual gave consent for processing data, 2) processing data is necessary to fulfill a contract, 3) processing is necessary to comply with a legal obligation, 4) processing data is necessary to protect vital interests of an individual, 5) processing data is necessary to perform a task that is in the public interest, 6) processing is done under official legal authority, or 7) processing data is necessary to fulfill the legitimate interests of the data controller or a third party, so long as the interests are not outweighed by “fundamental rights and freedoms of the data subject which require protection of personal data.” ((Commission Regulation 2016/679, art. 6 (1)(a)-(f), 2016 O.J. (L 119) 36))
GDPR Article 9 establishes specific regulations and exceptions for processing special categories of personal data. Special categories of personal data include data related to race, ethnicity, political or religious beliefs, genetic data, health information, and sexual orientation. ((Commission Regulation 2016/679, art. 9, 2016 O.J. (L 119) 38)) Many of the same exceptions that apply to general personal data also apply to special categories of personal data. However, consent must be explicit for processing special category personal data. ((Commission Regulation 2016/679, art. 9 (2)(a), 2016 O.J. (L 119) 38)) Further, Article 9 includes additional exceptions for medical and public health entities when processing personal information for medical purposes. ((Commission Regulation 2016/679, art. 9(2)(i)-(j), 2016 O.J. (L 119) 38)) Additionally, GDPR regulations can become increasingly complex because each E.U. member state has an option to provide additional provisions for certain GDPR regulations, such as for legal obligations and for processing genetic or health information. ((Commission Regulation 2016/679, art. 33 (4), 2016 O.J. (L 119) 52))
Consent is the broadest exception to GDPR’s prohibition on collecting personal data. However, consent is not an “easy way out” exception to GDPR regulations. Consent “should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written . . . or oral statement.” ((Commission Regulation 2016/679, recital 32, 2016 O.J. (L 119) 6)) GDPR regulations indicate that affirmatively selecting a consent box on a website is adequate for consent. ((Id.)) However, pre-selected consent boxes do not satisfy GDPR’s affirmative consent requirement. ((Id.)) Further, an individual has the right to withdraw consent at any time. ((Commission Regulation 2016/679, art. 7(3), 2016 O.J. (L 119) 37)) Withdrawing consent must be as simple as giving it. ((Id.))
GDPR also grants explicit rights to individuals. For example, GDPR grants a right of transparency—controllers must provide information regarding personal data collection and use to individuals “in a concise, transparent, intelligible and easily accessible form.” ((Commission Regulation 2016/679, art. 12(1), 2016 O.J. (L 119) 39)) Further, individuals have a right to know the contact information of controllers and the designated data protection authority. ((Commission Regulation 2016/679, art. 15, 2016 O.J. (L 119) 43)) Individuals also have a right to request that a controller provide information to explain the purposes for processing personal data and which personal data a controller will process. ((Id.))
GDPR also establishes rights of rectification and erasure. Article 16 explains that an individual has a right to rectify any inaccurate personal information and “to have incomplete personal data completed.” ((Commission Regulation 2016/679, art. 16, 2016 O.J. (L 119) 43)) Individuals also have a right to erasure, otherwise known as the right to be forgotten. If an individual contacts a controller to request that the controller erase the individual’s personal data, the controller must “erase personal data without undue delay.” ((Commission Regulation 2016/679, art. 17(1), 2016 O.J. (L 119) 43)) The right to erasure applies when an individual withdraws consent, when data is “no longer necessary in relation to the purposes for which they were collected or otherwise processed,” or when data has been “unlawfully processed.” ((Commission Regulation 2016/679, art. 17(1)(b)-(e), 2016 O.J. (L 119) 44)) Further, an individual can request erasure if the person objects to processing of personal data based on a public interest or a legitimate interest under Article 6. ((Commission Regulation 2016/679, art. 21(1), 2016 O.J. (L 119) 45)) Controllers must take reasonable steps to erase any personal data that was made public and must inform all controllers and processors with access to the personal data that the data subject has requested erasure.
GDPR lists exceptions to the right of erasure. For example, a data subject does not have a right to erasure when a controller must use personal data to fulfill a legal obligation. ((Commission Regulation 2016/679, art. 17(3)(b), 2016 O.J. (L 119) 44)) Further, personal data related to public health, defense of a legal claim, or scientific or historical research purposes are not subject to the right of erasure. ((Commission Regulation 2016/679, art. 17(3)(c), 2016 O.J. (L 119) 44)) Notably, a contractual obligation is not a sufficient purpose to obviate the right to erasure. ((Commission Regulation 2016/679, art. 17(3), 2016 O.J. (L 119) 44)) Companies must take care to carry a proper right-of-erasure request through all upstream and downstream contracts with other controllers, such as vendors or agencies, and with all processors.
Additionally, individuals have a right to data portability. Data subjects have a right to receive personal data provided to a controller in an easily accessible and readable format. ((Commission Regulation 2016/679, art. 20(1), 2016 O.J. (L 119) 45)) They also have a right to transmit that personal data to a different controller without objection from the original controller. ((Id.)) A data subject can also request, if technologically feasible, that a controller transmit personal data directly to a different controller. ((Commission Regulation 2016/679, art. 20(2), 2016 O.J. (L 119) 45))
GDPR establishes an extraterritorial scope. GDPR extends to personal data gathered from monitoring behavior located in the E.U. and to personal data gathered while soliciting goods or services into the E.U. ((Commission Regulation 2016/679, art. 3(2), 2016 O.J. (L 119) 33)) GDPR’s extraterritorial scope presents two implications. First, GDPR regulates companies that process personal data gathered from monitoring individuals located in the E.U. or from personal data gathered while soliciting goods or services into the E.U. regardless of whether a company maintains a physical presence in the E.U. GDPR applies “regardless of whether the processing takes place in the [E.U.] or not.” ((Commission Regulation 2016/679, art. 3(1), 2016 O.J. (L 119) 32)) For example, a U.S. shoe company that doesn’t maintain any physical presence in the E.U. and that only sells shoes in the E.U. online would be subject to GDPR for any personal data collected from individuals who were physically in the E.U. at the time that the company collected the personal data. Second, GDPR applies to individuals regardless of residency or citizenship. GDPR applies to personal data related to “the monitoring of . . . behavior as far as [that] behavior takes place within the Union.” ((Commission Regulation 2016/679, art. 3(2)(b), 2016 O.J. (L 119) 33)) In other words, GDPR applies to personal information collected in the E.U. regardless of an individual’s residency or citizenship. For example, personal data collected by Amazon for a purchase made by an American tourist who is on vacation in the E.U. would be subject to GDPR. Conversely, any data collected from a German tourist while she is on vacation in New York City would not be subject to GDPR regulations.
GDPR establishes severe penalties for noncompliance. Data protection authorities determine penalties based on fact-specific information such as the nature of the infringement, whether the breach was intentional, and an entity’s history of compliance. ((Jeff John Roberts, The GDPR is in Effect: Should U.S. Companies be Afraid?, Fortune: The 21st Century Corporation (May 25, 2018), http://fortune.com/2018/05/24/the-gdpr-is-in-effect-should-u-s-companies-be-afraid/)) However, GDPR establishes that penalties can extend anywhere from €10 million up to four percent of an entity’s worldwide annual revenue. ((Id.))
Most obviously, GDPR regulates multinational entities with a physical presence in the E.U. and large technology companies that gather and process enormous amounts of personal data from individuals in the E.U. However, GDPR also applies to entities without a physical presence in the E.U. and entities that only occasionally collect data from the E.U. In fact, GDPR likely also applies to entities without any obvious connection to the E.U. Entities with more tenuous connections to the E.U. must evaluate data flows coming from the E.U. to assess liability risk and determine a lawful basis for controlling or processing personal data. Although many American entities might not collect personal data from the E.U., American entities should consider whether their contractual obligations with other entities require GDPR compliance. For example, an American entity that does collect personal data connected to monitoring behavior in the E.U. or offering goods and services into the E.U. must consider whether its contracted entities are subject to GDPR. Since GDPR grants individuals significant privacy rights that are unaffected by contractual obligations, U.S. entities will likely have to comply with individual or third-party requests to honor GDPR rights such as the right of erasure. An entity with connections to the E.U. might write into its service contracts that all contracted associates must be GDPR compliant. The American entity to the contract would then need procedures in place to fulfill requests for the right to erasure or requests to produce transparent information related to data use. In other words, all American entities should conduct GDPR risk assessments regardless of how tenuous an entity’s relationship is to the E.U.
GDPR is arguably already a major win for the E.U. E.U. data authorities have not yet imposed fines on entities for noncompliance, and it may be years before the E.U. issues any penalties. Further, even when the E.U. begins to enforce GDPR, E.U. officials will likely enforce it slowly and focus on egregious noncompliance. ((See Sarah Jeong, No One’s Ready for GDPR, The Verge (May 22, 2018), https://www.theverge.com/2018/5/22/17378688/gdpr-general-data-protection-regulation-eu)) E.U. officials must be aware that many entities were not fully compliant by the May 25, 2018 deadline. ((See id.)) However, due to the E.U.’s enormous market size, entities of all sizes are on notice and restructuring data privacy procedures. For example, Facebook announced that it would be fully GDPR compliant by the deadline. ((Id.)) In other words, with a single privacy law, the E.U. has essentially changed data privacy for a large portion of the world. Again, the E.U. has not yet issued fines, but thanks to the E.U.’s market size and its recent precedent of issuing major fines to large entities for violating E.U. law (the E.U. recently fined Google $5 billion for violating E.U. antitrust laws), entities are on notice and adjusting to comply with GDPR. ((Adam Satariano and Jack Nicas, E.U. Fines Google $5.1 Billion in Android Antitrust Case, N.Y. Times (July 18, 2018), https://www.nytimes.com/2018/07/18/technology/google-eu-android-fine.html))
GDPR is also arguably a win for the consumer. Consumers divulge personal data almost daily, and many jurisdictions likely do not provide the consumer with adequate personal data protections and rights. Although GDPR is E.U. law, consumers in many countries around the world will benefit from the new regulation because many entities, especially multinational companies, will likely find uniform compliance with GDPR administratively simpler than adjusting compliance procedures only for E.U. data. Although GDPR rights only extend to individuals who transmitted personal data within the E.U., GDPR’s required security and consent procedures will likely better protect consumers and help consumers become better aware of their personal data transmissions. Finally, for Americans, personal data privacy law might be shifting toward a GDPR-lite legal approach. California recently passed a personal data privacy law that is similar in many ways to the E.U.’s GDPR. ((Luke Irwin, California’s “GDPR-like” Privacy Law Passes: What You Need to Know, IT Governance (July 16, 2018), https://www.itgovernanceusa.com/blog/californias-gdpr-like-privacy-law-passes-what-you-need-to-know)) Given California’s market size and economic influence, U.S. entities might have no choice but to comply with California’s privacy standards.
GDPR’s influence will likely continue to expand as the E.U. produces GDPR jurisprudence. However, all entities, regardless of connection to the E.U., should establish GDPR compliance procedures because GDPR will likely start impacting U.S. entities in less obvious ways in the future. Larger entities with a presence in the E.U. likely face the most risk, but GDPR’s influence on world privacy compliance will likely force smaller entities to comply, particularly for contractual purposes with third party entities, such as third-party vendors. Further, GDPR compliance will prepare entities for likely privacy law reform in the United States.
Bryan Pistorius, “Breaking Down GDPR and its Influence on U.S. Entities and U.S. Privacy Laws,” March 17, 2019.