BB&K's Christina Morgan Talks About Data Privacy in Riverside Lawyer Magazine

Due to rising concerns about privacy in the digital world, in April 2016, the European Union adopted the General Data Protection Regulation (GDPR). The GDPR took effect 2 years later on May 25, 2018. The GDPR was designed to harmonize data privacy laws across Europe, to protect the “personal data” of EU citizens, and to give EU citizens greater control over how their data is used. Given the regulation’s breadth and strict penalties, it is important for entities in the United States to know whether the regulation applies to them and, if so, how to comply. This article is intended to provide a brief overview of the GDPR with those goals in mind.

Who Is Bound by the GDPR?
For purposes of the GDPR, personal data is defined as any information relating to an identified or identifiable living individual. The GDPR applies even if the information has been de-identified or encrypted, but could be used to re-identify a person. Examples of personal data include an EU’s resident’s name, address, email address, identification card number, location, data and IP address. The GDPR does not apply to personal data processing of deceased persons or of legal entities.

Any individual, company or organization that controls or processes the personal data of EU residents is subject to the GDPR’s mandates. An individual, company or organization qualifies as a data controller for GDPR purposes if it meets any of the following criteria:

• has a physical presence in the EU,
• has employees or contractors in the EU,
• sells products designed to meet EU market requirements (e.g., 220 volt products),
• purposefully directs its sales and marketing activities at the EU market, or
• monitors the behavior of consumers in the EU.

Many entities in the U.S. qualify as data controllers because they purposefully direct sales and marketing activities at the EU market. The phrase “data controllers” is broadly construed to include individuals, companies, and organizations that: have distributors or resellers in the EU, accept Euros or other member state currency or have translated their website or other marketing materials into member-state languages.

Behavior monitoring is also being broadly interpreted. It includes the use of technologies to track EU website users, using predictive analysis to anticipate buying patterns, and operating affinity or loyalty programs in the EU.

An individual, company or organization can also be subject to the GDPR as a data processor. Data processors do not collect personal data directly from EU residents. Rather, data processors receive personal data of employees, consumers, or others in the EU that was collected by their customers. Once received, the data processor, as its name implies, processes the personal data on behalf of its customer. Processing includes recording, organizing, structuring, storing, transmitting, and adapting.

Is Consent Required to Process Data?
Absent specific legal authority, personal data processing is generally prohibited without consumers’ consent. If a data controller processes the personal data of individuals under age 16, parental consent is required.

When data processing is based on consent, the data controller must be able to demonstrate that consent was obtained from each consumer. The request for consent must be presented in an intelligible and easily accessible form – no legalese allowed! Once consent is given, it must be as easy for the consumer to withdraw consent as it is to give consent.

What Rights Do Consumers Have?
Consumers have a right to access information about whether or not their personal data is being processed, where and for what purpose. If requested, a data controller or data processor must provide the consumer a copy of his or her personal data in electronic format free of charge.

Consumers also have a right to be forgotten. Consumers can ask data controllers to erase their personal data, cease further dissemination of data and, potentially, have third parties halt processing of the data. However, data controllers can weigh consumers’ privacy rights against the public interest in availability of data when considering such requests.

What If There’s a Data Breach?
A data breach occurs when there is a security incident resulting in a breach of confidentiality, availability or integrity. If the breach is likely to pose a risk to an individual’s rights and freedoms, data controllers must notify the Data Protection Authority without undue delay and no later than 72 hours after becoming aware of the breach. Data processors must notify their data controller customers of any breach.

If a data breach poses a high risk to the affected individuals, then the individuals should also be informed.

What Are the Penalties for Violating the GDPR?
The penalties for violating the GDPR are steep. Processors or controllers who fail to comply with the GDPR can be fined up to 4 percent of their total global revenue or €20 million, whichever is greater.

If a consumer believes their rights have been violated, they may lodge a complaint with their national DPA, who will then investigate the complaint and advise of the progress or outcome of the investigation within 3 months. If the DPA fails to do so, consumers can bring an action in court against the DPA. Consumers can also skip the DPA process and file an action in court directly against the controller or processor who allegedly violated their rights.

This article originally appeared in the November 2019 edition of Riverside Lawyer magazine, a publication of the Riverside County Bar Association. Reprinted with permission.

[View source.]