The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients.
Question: If I already drafted a privacy policy to comply with United States laws do I need to change that policy to comply with the GDPR?
Answer: Yes, although the degree to which your privacy policy will need to be changed depends on which United States laws it was designed to comply with.
There are a number of laws within the United States that require companies to provide people with a notice concerning the company’s privacy practices – a document that is often interchangeably referred to as “privacy notice,” “privacy policy,” or “information notice.” With regard to the federal government these include the Gramm Leach Bliley Act (“GLBA”), which requires financial institutions to provide privacy notices to customers, the Health Insurance Portability and Accountability Act (“HIPAA”), which requires health care plans, health insurers, and health care providers to provide privacy notices to patients, the Family Educational Rights and Privacy Act “FERPA”), which requires educational institutions that receive federal funding to provide privacy notices to students and parents, the Children’s Online Privacy Protection Act (“COPPA”), which requires that websites which collect information from children provide a privacy notice to parents. State legislatures have also enacted statutes that require that websites which collect from state residents online provide a privacy notice concerning their online privacy practices, and companies that collect Social Security Number provide a privacy notice specific to their collection and use of that data type.
The various statutes that mandate privacy notices in the United States contain a common core of similarities; almost all of them require that a company describe the type of information it collects, the third parties with whom it shares the information, and the steps that it is taking to secure the information. What must be included within a privacy notice diverges beyond that common core. For example, whereas a privacy notice drafted to comply with HIPAA, FERPA, or COPPA will discuss a person’s ability to access their data and to correct inaccuracies, a privacy notice drafted to comply with GLBA or state online collection laws will not.
The net result is that how close a United States drafted privacy notice is to complying with the requirements of the GDPR depends on the context in which it was drafted and which United States laws it was intended to satisfy. That said, there are certain provisions within the GDPR that contain no American analog and, as a result, are unlikely to be found in most privacy notices drafted within the United States. The following chart indicates which requirements of the GDPR are likely, or are not likely, to be found in a United States based privacy notice:
|
Summary of Information Required to be Included in Privacy Notice Pursuant to
GDPR Articles 13 and 14
|
It Is The Intention Required by
United States Law to be Included
In a Privacy Notice
|
|
1. Contact Info. Identity and contact information of the controller, and “of the controllers’ representative.”
|
Partially. Many United States laws require that a privacy notice provide an organization’s contact information; none require that they include a “representative” that would satisfy the requirements of GDPR Article 27.
|
|
2. Data Protection Officer. If the controller has a data protection officer, his/her name and contact information.
|
No. While some United States laws require the appointment of a privacy or security resource, none require that resource to have the qualifications or responsibilities described in GDPR Articles 38-39.
|
|
3. Description of purpose. The purposes of the processing (and the legal basis for those purposes). If one of those purposes is the “legitimate interest” of the controller, that legitimate interest must be described.
|
Similar requirements in most US privacy laws.
|
|
4. Description of recipients. Categories of people that will receive data.
|
Similar requirements in most US privacy laws.
|
|
5. Cross border transfers. If the data is going to leave the EEA that must be disclosed, as well as the “appropriate or suitable safeguards and the means by which to obtain a copy of them” for effecting such transfer.
|
No US analog.
|
|
6. Description of data retention period. The period for which the data will be stored, or the criteria used to determine when it will be deleted.
|
No US analog.
|
|
7. Access Rights. Information concerning the right to request access to the information.
|
Some US analogs (e.g., HIPAA).
|
|
8. Rectification Rights. Information concerning how to ask that inaccuracies be fixed.
|
Some US analogs (e.g., FERPA).
|
|
9. Erasure Rights. Information concerning how to ask that the data be deleted.
|
Some US analogs (e.g., COPPA).
|
|
10. Opt-out Rights. If there is a right to opt-out of a certain use, or withdraw consent, a description of how consent can be withdrawn.
|
Some US analogs (e.g., GLBA).
|
|
11. Complaints. A statement that the data subject has a right to lodge a complaint with a supervisory authority.
|
Some US analogs (e.g., HIPAA).
|
|
12. Automated decision making. A disclosure if automated decision making will occur.
|
No US analog.
|
|
13. Mandatory nature of data collection A description of whether the data is required by statute or contract to be collected, as well as the possible consequences for not providing the data.
|
No US analog.
|
[View source.]
