What is GDPR and how does it impact American businesses?

Butler Snow LLP

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) took effect.  Although EU laws typically don’t have a worldwide impact, the GDPR will impact business across the globe.  The GDPR has an extremely broad application, as it was adopted as an effort to hold businesses, including those outside of the EU, accountable for the use and protection of EU citizens’ data.

Applicability

The GDPR applies not only to European entities but also to entities located outside of the EU that offer goods or services to people in the EU or that monitor the behavior of people in the EU.  Any business with EU resident customers is required to comply.  The GDPR applies to businesses offering goods or services to EU residents, regardless of whether payment for the good or service is required; thus, even a free website is implicated if it collects data from or monitors EU residents.  The GDPR applies to both controllers (the entity that determines why and how personal data is being collected) and processors (the entity that processes the data on behalf of the controller).

Covered Data

The GDPR regulates “personal data” which is defined as any information related to a natural person or data subject that can be used directly or indirectly to identify that person.  Personal data includes, for instance, a name, photo, email address, bank details, medical information, GPS location data, and IP address.  Thus, a website that collects IP addresses of EU residents or tracks EU resident visitors using cookies or similar technology triggers the GDPR.

Enhanced Privacy Rights

The GDPR significantly increases data privacy obligations, increases penalties (including fines as high as the greater of 20 million euro or four percent of annual worldwide revenue), and is likely to increase enforcement activity.  The significant enhancements include the following:

  • Consent: Controllers and processors are required to be transparent about how information is used and, as a general rule, consent must be obtained from the individual.  The request for consent must be in clear, plain language.  Simply asking an individual to accept a privacy policy that is not provided is not sufficient.
  • Rectification/Erasure of Data: The GDPR confers rights to an individual to access his or her own data and rectify/erase inaccurate data.
  • Assessments: Controllers are mandated to conduct data protection impact assessments, involving routine evaluation of the potential impact of lost or diverted data.
  • Breach Notification: The GDPR mandates breach notification within 72 hours of awareness of the breach if the breach is likely to result in a risk for the rights and freedoms of individuals.

As mentioned above, the economic sanctions for noncompliance have the potential to be steep.  The amount of the fine will vary depending on which provision is breached and the behavior of the organization, with the purpose of imposing an amount which is effective, proportionate, and dissuasive.  EU residents can enforce the GDPR’s protections by lodging a complaint with the supervisory authority of the EU member state or by filing an action if the supervisory authority fails to address the complaint properly.  Additionally, an EU resident may take direct action through class action proceedings.  Thus, increased litigation of privacy issues in the EU is probable.

Compliance Tips

Given the expansive application of the GDPR and the practical difficulty of differentiating citizenship among customers, many companies with worldwide operations have opted to apply the GDPR principles to the management of all customer data.  By comparison, the U.S. does not currently have an omnibus federal law regulating the collection, use, and disclosure of personally identifiable information (PII), but there are several sector-specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA), which applies to the use and disclosure of personal health information.  However, all 50 states in the U.S. have enacted data protection laws, primarily governing cyber breaches.  For a business with global operations, there is a patchwork of potentially applicable law and regulation.  Defining a privacy policy that meets the most stringent requirements is likely the best approach.

As an initial step, it is critical that companies conduct a comprehensive review of data collection and processing to ensure compliance with all applicable laws.  Consider what information is collected, why, and whether collection is necessary.  Also, evaluate what privacy laws are implicated, both domestically at the state and federal level and abroad.  Stay up to date with changes in the law, including interpretations in case law, agency guidance, and enforcement actions.

Additionally, companies should revise privacy statements and requests for consent.  All customer-facing documentation will require revision to comply with the GDPR, which requires providing detailed information to data subjects regarding the processing of personal data in a concise, transparent, intelligible, and easily accessible form.

Companies involved in e-commerce may want to invest in an insurance policy that provides cyber coverage, including protection for data breaches.  Many traditional general liability insurers have added cyber liability exclusions to their policies.  Companies should carefully read the terms of their insurance policies to fully understand what is covered and consider purchasing additional insurance.

Conclusion

The GDPR is said to be the most significant data privacy regulation enacted to date, and the full breadth of the GDPR is far beyond the scope of this article.  It is essential that businesses take the time to understand the various requirements and take steps to ensure compliance with the GDPR as well as other applicable data privacy laws.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Butler Snow LLP | Attorney Advertising