This Friday May 25, 2018, the EU General Data Protection Regulation (the “GDPR”) takes effect in all member states of the European Union.
The GDPR will affect a significant number of organizations across the globe, even if they are not located in the EU. The GDPR also strengthens the conditions for consent to personal data processing, creates direct obligations and liability for processors of personal data and imposes significantly increased penalties for non-compliance.
In this advisory, we provide key information to help impacted organizations understand their obligations under the GDPR, highlighting potential implications for non-EU entities, and in particular those that do not have a presence in the European Union but that interact with natural persons who are in the European Union.
1. What is the GDPR?
The GDPR is the EU’s new regulatory framework governing the collection, use, storage, and destruction of personal data of EU data subjects.
Data protection is a fundamental right for EU data subjects. To address the realities of globalization of information on the one hand, and fragmentation of implementation of existing data protection laws on the other hand, the EU’s legislative bodies prepared an updated and more harmonized data protection legislation, backed by strong enforcement, to protect an individual’s personal data and the free movement of such data, which is known as the GDPR.
Compliance is required by May 25, 2018. The risks of non-compliance include fines of up to 4 percent of global annual revenues or 20 million euros, whichever is greater. Under the GDPR, designated authorities have increased enforcement powers to impose fines on organizations that do not comply with GDPR.
2. Does GDPR apply to you?
The GDPR applies to any organization that is a processor or controller of EU residents’ personal data, including both for-profit and nonprofit organizations.
The GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” In essence, the controller is the entity that makes decisions about processing activities, regardless of whether it actually carries out any processing operations. The processor is any person or entity which carries out the processing on behalf of the controller.
The GDPR applies to organizations of all sizes that process personal data of EU residents or monitor the behavior of EU residents in the EU, although small and medium sized businesses may be exempt from record-keeping requirements under limited circumstances.
3. How will the GDPR affect organizations that are not based in the EU?
The GDPR will have a significantly broader territorial scope than the current EU Data Protection Directive 95/46/EC (and national law implementing this Directive).
Whereas the Directive only applies to the processing of personal data by data controllers established in the EU and data controllers established outside the EU using (automated or non-automated) means located in the EU, the GDPR will also apply to the processing of personal data by data processors established in the EU. In addition, the GDPR will apply to the processing of personal data by data controllers and processors outside the EU. This is the case where the processing activities relate to the offering of goods and services to data subjects in the EU (whether against payment or for free) or to the monitoring of their behaviour on EU territory.
Example: a US SaaS vendor or e-commerce platform (with no EU establishments or subsidiaries) will fall under the scope of the new EU legal framework regarding data processing as soon as such company offers its services to and/or targets EU residents.
3.1 Processing
Processing is defined as “any operation or set of operations which is performed on personal data or on sets of personal data.” This wide definition encompasses a range of data usages, such as the collection, recording, organization, structuring, storage, adaptation, disclosure by transmission and use or deletion of any information relating to a data subject.
3.2 Offering goods or services
In order to determine whether a controller or processor is “offering goods or services to data subjects in the EU,” one should assess whether the controller or processor has intention or envisages offering services to data subjects in one or more EU member states.
The mere accessibility of the controller’s, processor’s or an intermediary’s website in the EU of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established will most likely be insufficient to show such intention (as stated in the recitals). However, if the controller or processor of personal data uses the language or currency of an EU member state and facilitates ordering of goods or services in that other language or currency and allows shipping to local addresses or mentions customers who are in the European Union, it may “make it apparent that the controller envisages offering goods or services to data subjects in the EU.”
3.3 Monitoring behavior
A processing activity may involve monitoring of behavior of data subjects when they “are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”
In theory, a controller or processor not established in the European Union would most likely not be viewed as engaging in monitoring of behavior of EU data subjects if it simply maintains a website, which may be visited by EU data subjects, without the controller or processor taking further steps to process the information obtained on such data subjects through the website. However, as almost any website uses cookies to track the activity of their website users, including those who are in the EU, in practice most service providers will be classified as monitoring behavior of EU data subjects.
3.4 Personal Data
Personal data is defined as data relating to a data subject who can be identified or is identifiable from the data. The GDPR definition of personal data encompasses a wider range of data types as it covers not only the typical personal data, such as names, addresses, dates of birth or telephone numbers, but also includes the use of on-line identifiers, such as login information, IP addresses and cookies. In addition, any data that has undergone pseudonymization but could be attributed to a natural person by linking with additional information should be considered personal data.
On the other hand, the GDPR does not apply to processing of any anonymous information (i.e., information that does not relate to an identified or identifiable natural person), including for statistical or research purposes.
3.5 Processors and controllers
The GDPR divides legal and natural persons (including public authorities, agencies and other bodies) that process personal data into two categories: (i) controllers that determine “the purposes and means of the processing of personal data” and (ii) processors that “process personal data on behalf of controllers.”
The GDPR significantly expands the obligations of controllers and processors and, most notably, imposes direct compliance responsibility not just on controllers but also on processors of personal data.
This could be of importance to non-EU entities (in particular, technology companies) that may have taken on a role of data processor since in the past such entities were not directly responsible for compliance with EU data privacy laws. Under the revised regime, such entities have expanded obligations and are directly responsible for compliance with the GDPR if they process personal data of individuals who are in the European Union, irrespective of where such processing occurs, how small or large they are or how significant the processing is to their business overall.
4. Basic principles of the GDPR
Article 5 of the GDPR lists the key principles relating to the processing of personal data of data subjects:
- lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject;
- purpose limitation: personal data should be collected for a specified, explicit and legitimate purpose and processed only in a manner that is compatible with such purpose;
- minimization: personal data collected and processed should be limited only to what is necessary in relation to the purposes for which the data are processed;
- accuracy: personal data that are processed must be accurate and, where necessary, kept up-to-date, and to the extent that the data are inaccurate they should be erased or updated without delay;
- storage limitation: personal data must be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed;
- integrity and confidentiality: personal data must be processed in a way that ensures appropriate security of such data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage; and
- accountability: controllers of personal data are responsible for demonstrating compliance with the above principles.
5. Security measures
The GDPR imposes strict security standards on data processors and data controllers relating to the processing of personal data, and delineates the separate duties and responsibilities of data controllers and data processors towards meeting these security standards.
Data controllers are obligated to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights. Processors must also take various measures to implement the GDPR’s “security of processing” standards.
Data controllers and processors must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” while “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing” as well as the risk of likelihood and severity of impact to the rights and freedoms of individuals.
The GDPR identifies those factors which may constitute security measures “appropriate to the risk” to include eg pseudonimization and encryption.
6. Privacy by Design
Privacy protective settings should be the default in any product.
Under the GDPR, data controllers bear the responsibility for assessing the degree of risk that their processing activities pose to data subjects and in implementing controls that map to the risk. In that regard, one of a data controller’s significant responsibilities include the duty to implement data protection by design and perform mandatory privacy impact assessments as appropriate.
The GDPR requires that controllers utilize appropriate technical and organizational measures which are designed to implement data protection principles, and this implementation is required to be considered at the time of determining the means for processing and at the time of the processing itself. Controllers should design products with privacy in mind rather than addressing it after an incident occurs that poses a potential or actual personal data breach. Controllers are also required to “implement technical and organizational measures to ensure that, by default, only personal data which are necessary for each specified purpose of the processing are processed.” Accordingly, privacy protective settings should be the default in any product.
7. Individual Consent
Consent remains the lawful basis for obtaining and processing personal data under the GDPR, but individual consent may be harder to obtain. Given the tightening of consent rules under the GDPR, this will be one of the leading operational impacts for many organizations under the GDPR.
7.1 Conditions of Consent
The GDPR places conditions for consent and requires that the controller be able to demonstrate that the data subject consented to processing of his or her personal data. The GDPR requires the data subject to demonstrate consent by a “statement or a clear affirmative action” establishing that the consent was “freely given, specific, informed and unambiguous”. The consent may include ticking a box on an internet website, choosing technical settings for “information society services,” or another statement/conduct which clearly indicates the data subject’s agreement for the proposed processing of his or her personal data. Where data controllers previously may have relied on implicit and “opt-out” consent, the GDPR specifically does not allow “silence, pre-ticked boxes or inactivity” to confer consent (recital 32).
In the course of obtaining the data subject’s statement or a clear affirmative action, the GDPR requires that the consent must be specific to each data processing operation. A request for consent to data processing must be “clearly distinguishable” from any other matters, and it must be provided “in an intelligible and easily accessible form, using clear and plain language.”
There is a presumption that consent is not freely given under the circumstances where there is a “clear imbalance between the data subject and the controller, in particular where the controller is a public authority” and it is unlikely that consent was freely given under the circumstances. Significantly, a controller may not make a service conditional upon consent, unless the processing is necessary for the service.
7.2 Individual Right to Withdraw Consent/Right to Erasure
Importantly, the GDPR gives data subjects the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.” The GDPR requires that controllers inform data subjects of their right to withdraw consent before it is given. Once consent is withdrawn, data subjects have the right to have their personal data erased “without undue delay” and no longer used for processing under certain circumstances. The data subjects also have a right to obtain a copy of their personal data and restrict its use.
8. Notification in case of Data Breach
The GDPR provides strict data breach notification rules. The GDPR defines a “personal data breach” as being a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In the case of a personal data breach, GDPR requires the data controller to notify the appropriate supervisory authority of all data breaches without undue delay and where feasible not later than 72 hours after having become aware of it, unless the data breach is unlikely to result in a risk for the rights and freedoms of the individuals. Proper notification to the affected data subject must be given “without undue delay”.
Notification to the authority and to the affected data subject must include certain types of information as set forth in detail in the GDPR. The GDPR also provides exceptions to the requirement to notify data subjects under certain circumstances such as if the data was encrypted and unintelligible to an unauthorized user, or that a high risk for the rights and freedoms of data subjects is unlikely to materialize, or when notification to each affected data subject would involve “disproportionate effort” in which case a data controller may use alternative communication measures.
In addition, the controller must comply with documentation requirements to record any data breaches including the facts relating to the personal data breach, its effects and the remedial action taken .This documentation is intended to enable the supervisory authority to verify the controller’s compliance.
To help comply with the GDPR’s breach notification rules, an organization should have in place the appropriate policy and procedure to ensure that any detected breach of personal data is not only timely reported to the appropriate supervisory authority and affected data subjects, but also a process for identifying the individual(s) who will be responsible for performing the investigation of a personal data breach and proper recordation of the incident and the organization’s corrective action taken.
9. Vendor Management
Controllers are liable for the actions of the processors they select and are responsible for compliance with the GDPR’s personal data processing principles. When selecting a processor, controllers must use processors that provide sufficient guarantees of their abilities to implement the technical and organizational measures necessary to meet the GDPR requirements. Accordingly, it is critical that the controller take measures to ensure that the processors they select equally comply with the GDPR requirements.
Importantly, once selected, the controller is required to have an appropriate service contract in place to govern the relationship between the controller and processor to ensure that the processor handles the personal data in compliance with GDPR.
Appropriate contractual provisions must include the “subject-matter and duration of the processing” (i.e., the details of the processing and how and when data will be returned or deleted after processing), the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. The GDPR lists specific obligations of the processor which must be included in the contract.
10. Transfer of data outside of the EU
The GDPR allows for transfers of personal data out of the EU as long as certain conditions are met.
First, the data controller and processor must comply with the data protection security standards and measures set forth in the GDPR. Second, the controller and processor must obtain the European Commission’s decision that the transferee country or international organization maintains an adequate level of protection, by evaluating a myriad of factors set forth in the GDPR. This is referred to as an “adequacy decision”.
The following countries have so far received an EC adequacy decision: Andorra, Argentina, Canada (commercial entities), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
If a country is not considered to have adequate protections, such as the United States, then in order to transfer the personal data outside the European Union such country must fall within one of the derogations in the GDPR or the controllers and processors must provide adequate assurances that the personal data will be protected. The requirement for provision of adequate assurances applies not only to the initial third country transfer but must also be carried over for “onward transfers” down the chain.
Listed below are the various ways in which controllers and processors can provide adequate assurances of EU personal data protection:
- 2016 EU-U.S. Privacy Shield
The Privacy Shield program negotiated between the European Union and the United States provides a mechanism that allows participating entities (i.e., those subject to enforcement authority of the FTC or the U.S. Department of Transportation) to transfer EU personal data to the United States. The participating entities must self-certify compliance with the Privacy Shield by committing to process data only in accordance with the program’s principles.
The US Department of Commerce started accepting Privacy Shield registrations from US companies on 1 August 2016. Businesses generally welcomed the Privacy Shield and the restoration of certainty to EU–US data flows. However the Article 29 Working Party noted that some of its concerns about earlier drafts of the Privacy Shield remained in the final, approved version. In addition a number of legal actions highlight continuing uncertainty surrounding transatlantic data transfers.
While it is expected that some changes and updates to the Privacy Shield, in particular in the area of controls and safeguards, may come in the future, for the time being the Privacy Shield continues to be the easiest method for U.S. entities to comply with the EU requirements on transfer of personal data out of the EU.
- Standard data protection clauses
These contractual clauses, which must be approved by the EC, need to be embedded in contracts between data controllers and processors. They provide means for the parties to guarantee an adequate level of protection for the personal data being processed in satisfaction of the GDPR requirements.
- Binding corporate rules
These are legally binding internal rules that can be adopted by either multinational groups of undertakings or groups of enterprises engaged in a joint economic activity.
- Codes of conduct and certifications
Compliance with the GDPR may also be demonstrated through codes of conduct (prepared and approved by associations or bodies representing controllers and processors) and certification mechanisms, seals or marks (established by supervisory authorities).
It is important to note that in practice these adequate assurance mechanisms come with significant challenges and inherent difficulties for the transfer process, in addition to being time-consuming to implement.
11. Penalties for non-compliance with the GDPR
The GDPR revises the EU compliance mechanism for data privacy laws and imposes significantly increased penalties for failure to comply with its requirements. Under the GDPR rules, the fines for noncompliance are up to the greater of €20 million or 4% of the entity’s worldwide annual turnover.
A noncomplying entity risks facing action from both the relevant supervisory authority, which may result in not just fines, but also enforcement orders (designed to block noncompliant entities from accessing the EU markets) and other sanctions, as well as from individuals, which may result in damage claims.
Even if fines and other penalties are not ultimately imposed, simply being investigated for potential GDPR violations and having to comply with a supervisory authority’s requests to produce records documenting compliance could be burdensome and costly for the affected entity.
12. Conclusion
Data protection is a fundamental right for EU data subjects, long before the GDPR will have entered into effect.
Given the expanded reach and complexity of the GDPR, almost any company or service provider that is doing business with EU data subjects will now fall within its purview. Since the GDPR provides for a stricter regulatory regime, an increased number of obligations for both data controllers and processors, and significantly increased penalties, the new regulation could be seen as a risk.
On the other hand, US companies can look at GDPR as an opportunity. Compliance to new regime brings a competitive advantage in European and other markets, as consumers in the EU and elsewhere will recognize companies that build on thrust and seek to protect personal data in accordance with the high data privacy standards under the GDPR.
If you have any questions about the GDPR, The CommLaw Group can help. To learn more, please contact Erik De Herdt, outside consulting attorney, European law, at edh@commlawgroup.com; Linda McReynolds, Certified Information Privacy Professional/United States, at 703-714-1318 or lgm@commlawgroup.com; or Alexander Schneider, Certified Information Privacy Professional/United States, at 703-714-1328, or ais@commlawgroup.com.