As of May 25, 2018, all companies that have operations in the European Union (“EU”), offer goods or services to EU residents, or monitor or profile EU residents (such as through online behavioral advertising) will be required to comply with the new EU General Data Protection Regulation (“GDPR”).
U.S. companies that currently have physical operations in the EU are bound by the EU Data Protection Directive (“Directive”), which will remain in effect until it is replaced by the GDPR. These companies are used to operating under EU data privacy law and understand the legal and cultural differences between the U.S. and EU approaches to privacy. To them, the GDPR will be familiar, even if it imposes onerous new requirements and significantly ups the ante for noncompliance.
The situation is more challenging for U.S. companies that merely offer goods and services to EU residents but do not have a physical footprint in the EU. That’s because the Directive in force today does not impose requirements on U.S. companies that do not have physical operations there. The experience of these companies with EU privacy law to date likely has involved, at most, compliance with a cross-border data transfer mechanism – such as the U.S.-EU Privacy Shield or standard contract clauses – that allows U.S. companies to transfer personal data from the EU to the U.S. lawfully. Compliance with cross-border transfer mechanisms do not entail providing the kinds of protections and making the system modifications that the GDPR will require, however.
Below are key elements of the GDPR that will prove most difficult for these companies:
Affects U.S. Companies That Do Business in the EU or That Process Data on Behalf of Such Companies. As explained above, the GDPR will expand the reach of EU data privacy law and will apply to a broader range of U.S. companies than the current EU does.
Sets High Bar for “Consent” to Collect Personal Data. Among other requirements, the GDPR will require companies to obtain freely given, specific, informed, and unambiguous consent before collecting personal data (i.e., information relating to an identified or an identifiable natural person, including a unique device ID or location data) from an EU resident. An individual’s silence, inactivity, or failure to uncheck a pre-checked box will not indicate consent. Companies that do not obtain consent to collect personal data must have another valid legal basis (defined in the GDPR) for doing so. Some of these legal bases are more limited than they appear on their face. The ability to process personal data necessary to defend against or maintain a legal claim, for instance, has been interpreted to apply only to claims under EU law, not U.S. law.
Requires New Mechanisms to Give Data Subjects Control Over Personal Data. In addition, the GDPR will give EU residents certain rights, such as the right to request removal of personal data that they have posted online and the right to data portability. Specifically, a company will be required to remove, erase, or otherwise delete the personal data of an EU resident upon request, subject to some exceptions, if, among other things, the data are no longer necessary for the purpose for which they were collected or the EU resident withdraws consent or objects to the processing, and there is no other legitimate basis to continue processing. In addition, a company will have to, at an EU resident’s request, transfer that resident’s personal data in a structured, machine-readable format to another company. U.S. companies will have to build this functionality into their systems and databases.
Establishes New Data Breach Notification Requirements. Companies that experience a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data will be required, subject to some exceptions, to notify (1) the relevant Data Protection Authority (i.e., the supervisory authority in the relevant Member State) within 72 hours of discovering the breach, unless the breach is “unlikely to result in a risk to the rights and freedoms of individuals,” and (2) the data subject, “without undue delay,” if the breach is “likely to result in a high risk to the rights and freedoms of individuals.” In the U.S., data breach notification is governed by 48 different state laws, none of which imposes such a short time period within which notification must be made. That’s because it often takes more than three days to determine the nature and scope of a breach.
Maintains Restrictions on Cross-Border Transfers of Personal Data. The GDPR will retain the Directive’s restrictions on cross-border transfers to countries (such as the U.S.) that the EU believes do not provide “adequate” data protection. The GDPR also will preserve the exceptions to those restrictions (for example, transfers made with explicit consent or that are in the public interest), and will continue to allow companies to use binding corporate rules and model contracts (and implicitly, the Privacy Shield) to ensure adequate safeguards for transfers to the U.S. The GDPR also envisions a more extensive menu of valid transfer mechanisms however, including codes of conduct and certifications, which, if and when approved by the EU, could help companies.
Requires Extensive Recordkeeping to Enable Proof of Compliance. The GDPR will require companies to maintain records of all processing of personal data. Companies will need to turn such records over to Data Protection Authorities, when requested, to verify compliance. Otherwise, they could be subject to the steep penalties described below. U.S. companies will need to put in place appropriate technical measures to ensure compliance with these requirements.
Imposes Steep Penalties for Non-Compliance. In terms of remedies and sanctions, the GDPR will up increase fines considerably for both controllers and processors of personal data. The GDPR will give the Data Protection Authorities “complete independence,” more resources, and greater powers. Moreover, the GDPR provides for potentially substantial fines for “infringements” of the GDPR’s provisions—in many cases, up to €20 million or 4% of a company’s total worldwide annual turnover, whichever is greater.
With the deadline for compliance fast approaching, and the unprecedented potential fines that companies face, it is time for all U.S. companies that sell goods and services to EU residents, or that monitor or track EU residents online, to get their houses in order.
By Nancy Libin is a partner at the law firm of Jenner & Block LLP
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.