By: Casey Suszynski
The General Data Protection Regulation (GDPR) adopted by the European Parliament went into effect in May 2018.[1] Why is this news to American companies? Because GDPR regulations may apply to American companies that collect personal data on European Union (“EU”) citizens or monitor the behavior of EU-based data subjects – even if the companies do not maintain a physical presence in the EU. Accordingly, U.S. companies that do not understand and comply with the GDPR may be vulnerable to civil penalties or legal action.
The GDPR Affects Entities With – and Without – an EU Presence
The GDPR applies to all entities located within the EU regardless of whether the data processing occurs in the EU or not. It regulates all entities that employ EU citizens, or that have employees residing in the EU, regardless of the entity’s location.[2]
Importantly, the GDPR also can apply to organizations located outside of the EU if one of the following circumstances is present:
(1) The company processes personal data of EU citizens and the processing relates to “the offering of goods or services”;[3] or
(2) The company monitors the behavior of EU-based data subjects, such as by tracking the subject’s internet usage.
Under either of the above scenarios, an American company that has no physical presence in the EU nevertheless must comply with the GDPR based on its data collection of EU citizens.
GDPR Terms Explained
An understanding of the following GDPR definitions is important when assessing whether the GDPR regulations apply to a U.S. company:
“Personal data” means any information relating to an “identified or identifiable natural person,” including “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,” as well as an individual’s IP address, email address, and GPS tracking data from mobile phones.[4] Moreover, certain “special categories” of personal data – including data related to sexual orientation, political or religious affiliation, genetic and biometric information, and race or ethnic origin – are entitled to additional protections under the law.[5]
The GDPR uses “processing” to refer generally to any action taken with respect to personal data, including the use, transfer, disclosure, collection, storage, alteration, or destruction of data. “Controller” refers to an entity that determines how and why data is processed, such as a bank that uses customers’ personal data to offer banking services. Conversely, the term “processor” refers to an entity that processes personal data on behalf of a data controller, such as a cloud provider.[6]
“Monitoring behavior” of EU-based data subjects relates to the profiling of a user to analyze or predict his or her preferences, behaviors, or attitudes.
For entities that are subject to the GDPR, the following requirements apply:
Protecting Data: The GDPR requires businesses to protect the confidentiality of personal data they process, including by adopting security safeguards and limiting the collection and use of data to only what is reasonably necessary.[7] Moreover, each organization that controls or processes large quantities of data must appoint a “data protection officer” who is required to oversee the organization’s compliance with GDPR requirements.[8] The GDPR also places a duty on organizations to review their existing security practices and procedures. Organizations must implement an “appropriate level of security” for personal data they collect and hold. The level of appropriateness is determined by looking at several factors, including the scope, nature, purposes, and context of the data processing, and the risks and severity of harm to the data subjects.[9]
Data Breach Notice: In the event of a data breach, data controllers must disclose the breach to privacy regulators within 72 hours and, in some circumstances, disclose the breach to data subjects.[10]
Limitations on Processing: Per the GDPR, companies must have a “lawful” basis for all data processing. Processing must be necessary for the performance of a contract with the data subject in exchange for goods or services. Also, the data controller must have a legitimate interest in the processing that is not outweighed by the data subject’s rights and interests.[11] Moreover, data controllers must demonstrate that a data subject has consented to the processing of his or her personal data.
Transparency: Companies must provide data subjects with information that clearly and concisely explains, among other things, what personal data is being processed, what that data is being used for, and the identity of the data controller.[12] These notices must also include information about the data subjects’ rights and how to exercise them, including the subjects’ right to have their data erased, the right to have inaccurate data corrected, and the right to transfer personal data from one data controller to another.[13]
Penalties for Non-Compliance
The GDPR allows for causes of action by data subjects and regulatory agencies to seek remedies for noncompliance. A data subject may bring a lawsuit to collect damages for any harm resulting from a violation of his or her rights. A regulatory agency may also impose a fine of €20 million ($23,293,600 USD) or 4% of the company’s annual global revenue of the previous financial year, whichever is higher. It should be noted that there is a “tiered approach” to fines, i.e., the most serious infringements result in more severe fines than less serious infringements.[14]
What Can My Company Do?
In addition to complying with the above regulations, companies might consider hiring additional personnel or data security consultants (see Facebook) to ensure GDPR compliance. Another consideration is to conduct a Data Privacy Audit, which maps the location of data within an organization.[15] Equally important, companies should ensure their consent and disclosure requirements are easily readable and understandable to allow users to affirmatively consent to the company using their data.[16]
Given the GDPR was only recently adopted, it remains to be seen how frequently or severely European agencies will sanction U.S. companies that are subject to the regulations. However, with the potential for steep financial penalties, an understanding of GDPR requirements and compliance therewith is critical. Companies should engage in individualized assessments to determine their respective compliance requirements and proper course of action under the GDPR.
If you have any questions regarding this content or other data protection trends, please contact the author or one of the other attorneys at HKM, (651) 227-9411.