NEW EUROPEAN REGULATIONS REGARDING DATA PRIVACY WILL IMPACT HOW U.S. BUSINESSES COLLECT AND USE PERSONAL DATA
February 12, 2018
By: Angela Bandich, Esq.
The European Union’s (“EU”) new data privacy rules, called the General Data Protection Regulation (“GDPR”), will become effective on May 25, 2018 and will impact how U.S. businesses collect and use personal data.
1. Geographical Scope of the GDPR
Despite being a European regulation, the scope of the GDPR reaches far beyond just the EU. In fact, any company that (i) offers goods and/or services to individuals (called “Data Subjects”) who are located in the EU (even if there’s no payment involved) or (ii) monitors the behavior of Data Subjects in the EU will be subject to the GDPR if the company collects and processes their Personal Data. This means the GDPR rules will apply to companies even if the companies are not located in the EU.
“Personal Data” is defined in the GDPR as any information relating to an identified or identifiable natural person (someone who can be identified, directly or indirectly, by reference to data such as name, an identification number, location, an online identifier, or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
The GDPR will therefore likely apply to most companies, particularly those in e-commerce, travel, software or media industries that are global in their reach. For example, in response to the GDPR, Facebook recently notified its users that it will be updating its data policies and procedures (https://newsroom.fb.com/news/2018/01/control-privacy-principles/).
2. Obligations of Companies
As a result of the GDPR, companies now need to ensure that Personal Data of Data Subjects is (i) collected for specified, explicit, and legitimate purposes, (ii) limited to what is necessary in relation to those purposes, (iii) accurate and up to date, (iv) kept no longer than necessary for the purposes, and (v) processed in a secure manner.
Furthermore, the collection and processing of Personal Data is only lawful under the GDPR if the company satisfies one or more of the following:
- The Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes; or
- Processing is necessary:
- for the performance of a contract to which the Data Subject is a party, or to take steps at the Data Subject’s request before entering into a contract;
- for compliance with a legal obligation;
- to protect the vital interests of a Data Subject or other natural person;
- for the performance of a task carried out in the public interest or under official authority; or
- for the purposes of the legitimate interests pursued by the company or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of his or her Personal Data.
Consent. If a company claims that the Personal Data was collected and processed based on consent from the Data Subject, the company must be able to demonstrate that consent was given (Article 7). If a request for consent is included in a written document that also concerns other matters, the request must be clearly distinguishable from the other matters and presented in an intelligible and easily accessible form, using clear and plain language. The Data Subject has the right to withdraw his or her consent at any time, withdrawing consent must be as easy as giving it, and the Data Subject must be informed of the right to withdraw before giving consent. Finally, consent must be freely given; in assessing whether it was, the GDPR directs that “utmost account” be taken of whether the performance of a contract, including the provision of a service, was made conditional on consent to the processing of Personal Data that is not necessary for performing that contract, and Recital 43 adds that consent is presumed not to be freely given in that situation.
There are also specific rules in the GDPR related to the collection and processing of data of children (Article 8) and special categories of Personal Data (Articles 9 and 10).
Article 30 also requires that each company, whether it decides how Personal Data is processed (a controller) or processes it on another company’s behalf (a processor), maintain records of its processing activities, unless it qualifies for the exemption for organizations with fewer than 250 employees whose processing is only occasional, does not involve special categories of data and is unlikely to result in a risk to Data Subjects. Designating a Data Protection Officer may also be required under Articles 37-39, in particular if the company’s core activities require regular and systematic monitoring of Data Subjects on a large scale or consist of large-scale processing of special categories of Personal Data.
Security Measures and Breaches. Companies must implement technical and organizational measures to “ensure a level of security appropriate to the risk,” taking into account the state of the art, the cost of implementation, the nature and scope of the processing, and the likelihood and severity of harm to the rights and freedoms of Data Subjects (Article 32). Article 32 names, as examples of such measures, pseudonymisation and encryption of Personal Data, the ability to restore the availability of and access to Personal Data in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of the measures.
If there is a breach of Personal Data, a company is required to notify the appropriate EU supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a notification made after 72 hours must be accompanied by the reasons for the delay. If the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the company must also notify the affected Data Subjects without undue delay (Articles 33 and 34). The company must also document every breach, including those it decides not to report, so that the supervisory authority can verify compliance (Article 33(5)). This means that companies and their IT teams must be able to evaluate every breach to determine which level of notice is required, if any, and must keep a record of that evaluation.
3. Rights of Data Subjects
Data Subjects have specific rights under the GDPR, including but not limited to:
- Access to Data (Articles 12 – 15): the right to obtain, free of charge (with exceptions), confirmation of whether their Personal Data is being processed and a copy of that data, if requested. Companies should also be aware that certain information must be provided to the Data Subject at the time the Personal Data is collected (Article 13), such as: the identity and contact details of the controller of the Personal Data; the contact details of the data protection officer, if applicable; the purposes of the processing and its legal basis; the recipients of the Personal Data, if any; and whether the Personal Data is to be transferred to another country.
- Right to rectify (Article 16): the right to have companies rectify any inaccurate Personal Data that is collected without undue delay.
- Right to be Forgotten (Article 17): the right to have Personal Data erased without undue delay where one of the grounds in Article 17 applies, for example where the data is no longer necessary for the purpose for which it was collected, or the Data Subject withdraws consent and there is no other legal basis for the processing.
- Right to Restrict (Article 18): the right, in the circumstances listed in Article 18 (for example while the accuracy of the data is being contested), to have the company restrict further processing of their Personal Data.
- Data Portability (Article 20): the right to receive the Personal Data collected about the Data Subject in a commonly used, machine readable format to transmit the Personal Data elsewhere.
- Right to Object (Article 21): the right to object, on grounds relating to their particular situation, to processing based on Article 6(1)(e) or (f), including profiling based on those provisions, and an unconditional right to object to the processing of their Personal Data for direct marketing.
4. Penalties for non-compliance
Data Subjects have the right to file complaints with supervisory authorities in the EU, as well as right to receive compensation for damages suffered as a result of non-compliance with the GDPR (Article 82).
Administrative fines are also possible, depending on the specific circumstances of each individual case. Fines fall into two tiers depending on the type and severity of the non-compliance: up to 10 million EUR or two percent (2%) of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher, and, for the more serious infringements (for example of the basic processing principles, the conditions for consent or the rights of Data Subjects), up to 20 million EUR or four percent (4%) of that turnover, whichever is higher (Article 83). How the EU plans to enforce such penalties against non-EU companies, however, is not clear.
As a result of the GDPR, companies should implement changes to their data collection and data privacy policies that allow for enough flexibility to analyze and report security breaches, as well as to respond to requests by Data Subjects. Companies should also understand what types of Personal Data are being collected from Data Subjects, where the Personal Data is stored, what security measures are in place around it and who has access to it.
Click here for the full GDPR text: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN