The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. GDPR is a uniform data privacy law that applies across the member states of the European Union (EU). So why should you be concerned if your business is not in one of the member states? The GDPR contains extraterritorial provisions designed to reach companies that are not based in the EU but that process data of individuals in the EU, and it treats privacy as a fundamental human right. Its provisions will likely require companies subject to the law to create, or substantially overhaul, their privacy policies and practices. Noncompliance can result in penalties of up to 20 million Euros (approximately $24 million U.S. Dollars) or 4% of worldwide annual turnover, whichever is greater.
The GDPR covers any company that:
- Has an establishment in the EU and processes personal data in the context of the activities of that establishment, regardless of whether the processing itself occurs in the EU; or
- Does not have an establishment in the EU but processes personal data of individuals in the EU, where the processing relates to:
  - the offering of goods or services to those individuals, irrespective of whether a payment is required, or
  - the monitoring of their behavior, as far as that behavior takes place in the EU.
Thus, most US companies that have an EU presence, operate ecommerce sites offering goods or services to individuals in the EU, or track or monitor the online activity of individuals in the EU, and that process personal data (as opposed to anonymous information), are subject to the obligations imposed under the GDPR, and those obligations are substantial.
The GDPR sets forth different obligations for “controllers” – companies that determine the purposes and means of the processing of personal data – and “processors” – companies that process personal data on behalf of controllers. Controllers must ensure that they and their processors process data in compliance with the GDPR, and may engage only processors that provide sufficient guarantees of compliance, under a written contract. Processors are responsible for processing only on the controller's documented instructions and for assisting controllers in complying with the GDPR.
The six guiding principles under the Regulation are:
- Personal data should be processed lawfully, fairly, and in a transparent manner;
- Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
- Personal data should be kept accurate; inaccurate personal data should be erased or rectified without delay;
- Personal data should be adequate, relevant and limited to what is necessary;
- Personal data should be kept no longer than is necessary for the purposes for which it is processed; and
- Personal data should be protected and securely processed through appropriate technical and organizational measures.
The GDPR requires a lawful basis for every processing operation. Two bases upon which most companies will rely for the processing of personal data are (1) consent of the individual and (2) legitimate interest of the company.
Clear notice of what is being processed and for what purpose is required to ensure that the consent of the individual is voluntary and informed. Consent will not be considered freely given if it is conditioned upon consent to the processing of personal data that is not necessary to the performance of the contract between the company and the individual, and an individual may withdraw consent at any time.
To rely on legitimate interest, a company must have a legitimate interest in the processing of personal data, that interest must not be overridden by the interests or fundamental rights and freedoms of the individuals concerned, and the company must take into consideration the reasonable expectations of the individuals based on their relationship with the company. The Regulation's recitals already note that certain operations, such as processing for direct marketing purposes, may be regarded as carried out for a legitimate interest; this does not excuse the balancing test above, and individuals retain the right to object to processing for direct marketing.
The GDPR also requires the appointment of a Data Protection Officer (DPO) when (1) the core activities of the company consist of processing operations that require regular and systematic monitoring of individuals on a large scale, or (2) the core activities of the company consist of large-scale processing of sensitive data or of personal data relating to criminal convictions and offenses. The DPO has specific core responsibilities set forth in the law and may be in-house or outsourced.
In light of the complexity of the GDPR, there are many practical steps and issues that a company subject to the law must consider and take that are far too complex for discussion in this newsletter. If you are concerned that the GDPR may apply to you, immediately contact qualified legal counsel to help your business address compliance with this far-reaching EU regulation.
The information presented is not intended to be, and does not constitute, “legal advice.” Because each situation varies, and only brief summary information is provided here, you should not use this information as a basis for action unless you have independently verified with your own counsel that it applies to your particular situation.