Do you know what happens on May 25, 2018? If you don’t, you had better educate yourself quickly before it’s too late. May 25th is the deadline for compliance with the EU General Data Protection Regulation, or GDPR. Make no mistake, the GDPR sets a new data privacy standard on a global scale, and your business may face significant financial consequences for non-compliance. If your organization is established in the European Economic Area, targets natural persons residing in the EU for profiling purposes or to offer goods or services, or is a service provider to an EU-based organization that receives personal data of EU consumers, the GDPR will likely apply to you. Failure to comply may result in significant civil exposure from consumer watchdog groups and individual plaintiffs and, of course, civil fines imposed by the European Commission of up to €20 Million or 4% of a company's total annual gross revenues, whichever is greater.
The GDPR is extremely broad legislation compared to US privacy laws, and US-based entities should understand the breadth of its implications. With the recent Facebook Cambridge Analytica scandal over the past few weeks, the seriousness of data privacy continues to draw public attention as a global concern, warranting board room attention from a vast number of US-based enterprises. Unlike US data privacy laws, which define personal data as information that identifies a particular person (i.e. name, address, phone number, email, social security number, health information, financial information, etc.), the GDPR expands that definition to encompass any information relating to an identifiable natural person. This means that if any information can be used, in conjunction with other data, to identify a person, it is considered “personal data.” Under the GDPR definition, web cookies, GPS trackers, GIF beacons, IP addresses, photographs, age, gender, shoe size, hobbies, hair color, etc. are considered personal data even if they are not treated the same under US law.
Further, while US data privacy laws are largely designed to protect narrow categories of information, such as health information under HIPAA, financial information under Gramm-Leach-Bliley and the personal data of minors under COPPA, the GDPR applies to a broader scope of personal data with extremely complex rules on how to handle it. For example, the GDPR provides for special categories of personal data that receive a higher standard of protection than other personal data. Additionally, certain organizations may be required to develop a Data Protection Impact Assessment (“DPIA”) and consult with the local supervisory authority and/or third party organizations regarding internal safeguards for how personal data is processed and secured. Some organizations will be required to employ the services of a data protection officer who is specifically mandated to ensure that the organization is compliant with the GDPR and who serves as a quasi-internal regulator within the organization.
The GDPR prescribes various principles, such as Transparency, Fairness, and Lawfulness in processing personal data, which include a data minimization and proportionality requirement to ensure that organizations collect, use, share, combine, organize, adapt, transfer, retain, etc. personal data only to the extent necessary to fulfill the lawful purposes prescribed under the GDPR.
As a further requirement based upon fairness, organizations collecting data directly from data subjects are required to provide clear and easy to understand privacy notices, specifying:
· the identity and contact details of the organization and, if applicable, its data protection officer
· the types of personal data being collected and the specific purposes and legal basis for processing each type of personal data
· the recipients of the personal data
· the organization’s intention to transfer the personal data to a third country or international organization, and whether that territory has been issued an adequacy determination by the European Commission
· the legitimate interests of the organization if this is the legal basis for processing the personal data
· retention periods for storing personal data
· disclosure of a data subject’s rights to withdraw consent at any time (if the lawful basis is derived from consent), or otherwise request access, and object to, rectify, block, restrict or demand permanent erasure of their personal data
· disclosure of the data subject’s right to lodge a complaint with their local supervisory authority
· the specific nature of the organization’s use of automated decision making with respect to personal data and the consequences thereof
· whether there are any statutory or contractual requirements under which the data subject is required to provide their personal data, and the implications of failing to do so
In addition to the above, if the organization directly obtained the data subject’s data with their consent through electronic processing, it must also afford the data subject the ability to port it to another platform in a machine-readable format. This requirement fundamentally changes how companies should view their customers' personal data moving forward: personal data belongs to the data subject, not the other way around, and organizations will be forced to facilitate transfers to their competitors’ products and services at the direction of the data subjects.
The GDPR also prescribes specific requirements for limiting the purposes of personal data processing, maintaining data quality and accuracy, limiting retention periods, ensuring the integrity and confidentiality of personal data through technical and organizational measures, accountability for compliance with applicable EU laws, and breach notification responses.
In some cases, however, US-based organizations processing data on behalf of EU entities may be able to comply with the GDPR through self-certification under the EU-US Privacy Shield. This program became available in 2016 after the EU Court of Justice struck down the Safe Harbor regime from the late 1990s. The EU-US Privacy Shield requires participants to provide adequate protections for EU data subjects’ personal data under the following guiding principles:
· Notice Requirement
· Choice Requirement
· Accountability For Onward Transfers and Vendor Agreements
· Security
· Data Integrity and Purpose Limitation
· Access
· Recourse, Enforcement and Liability
· Appropriate Safeguards
The EU-US Privacy Shield notably provides EU data subjects the opportunity to object to the processing of their personal data and to seek redress with their own local data protection authority, the Federal Trade Commission, the Department of Commerce, and/or to compel binding arbitration within their own local jurisdiction. Further, the costs of such enforcement mechanisms will be borne by the organization processing the data.
While this article merely highlights some of the aspects of the GDPR, it could never adequately address the complexities of its detailed requirements, nuances and exceptions. As such, corporate legal departments, HR departments and executive teams should already be working to implement appropriate measures to ensure compliance before the May 25 deadline.
David Michail is a CIPP-E certified data privacy expert accredited by the International Association of Privacy Professionals and offers regulatory compliance and data privacy officer services for US-based and multi-jurisdictional entities. For more information visit www.metlawgroup.com.