By Susan Kohn Ross and Aaron Wais
On May 25, 2018, important European regulations regarding data privacy and protection go into effect that will have a major impact on American companies, many of which don’t realize they will be subject to the regulations’ requirements. The General Data Protection Regulations (the “GDPR”) will have severe penalties for non-compliance (as high as €20 million or 4% of annual worldwide turnover). The GDPR will also have very broad territorial reach, applying not only to European entities, but also to entities located outside of Europe (including those in the U.S.) that process the personal data of living European individuals residing in the covered countries, including if the company:
- Offers goods or services to individuals in the covered countries (e.g., e-commerce, capital raising, fund raising, immigration);
- Employs individuals in one or more of the countries;
- Monitors the behavior of individuals in any of these countries; and
- Collects, stores, or processes the personal data of affected individuals on behalf of others.
For these purposes, the European definition of personal data mirrors nicely the American definition of personally identifiable information. Given the severe penalties and broad reach, it is important that each company in the U.S. consider whether the GDPR applies to its operations and, if so, how best to comply.
The EU member countries are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom (collectively the “covered countries”). Iceland, Liechtenstein, and Norway are also impacted due to their domestic laws which adopted the GDPR principles.
If your business has a presence in one of the covered countries, you are likely well on your way to working out your compliance program. However, few companies with no presence in Europe have focused on the potential impact of the GDPR. Achieving compliance will be no small task, particularly because, while it is true the new regulations are intended to provide uniformity among the various countries, EU law permits each country to enact its own domestic regulations, and so what you are required to do may be different depending on the countries involved. The answer may not be evident and may depend on your relationship with third parties; for example:
- Are you purchasing contacts from a European-based data merchant and data mining those contact lists?
- Does your agreement with the data merchant include any representations about that provider’s compliance with European privacy laws?
- Does that agreement provide you with indemnity?
- If you hire local independent vendors who arrange events for you (e.g. fundraising) and from those events, you obtain personal information about living European individuals, have you determined who is holding the data?
- Are you an American production company or movie studio that facilitates visa applications for European-based talent?
- Are you engaged in a dispute with a European-based adverse party? How are you going to handle the documentation/information produced during discovery or as part of the trial or other proceeding?
Article 4(7) of the GDPR defines data controllers as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …” The burden is on the data controller as the party with principal responsibility for compliance, such as collecting consent, managing revocation of consent, enabling the right to access, and so on. Have you also incorporated into your process the means by which a data subject will be able to revoke consent for his or her personal data, even if such data lives on servers belonging to third parties (i.e., the data processor)? There are a host of responsibilities placed on the data processor that the data controller is expected to manage, including but not limited to the following: data processors must provide prompt notice to data controllers in the case of a breach; data processors may not use or mine a person’s personal data unless the intended purposes are permitted by the data controller, including the use of sub-contractors; and data processors must take reasonable steps to secure data (including encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing).
Compliance is expected to be complex. For example, it is likely you will need a clear and plainly written policy which covers a number of issues, including advising those European citizens whose data you have about their rights, why you are collecting their data, how long you plan to retain it, how they may make corrections to the data in your possession, and that they have the right to be forgotten. Also, if your system is hacked and there is a breach, you are obligated to give notice within 72 hours, including to those in Great Britain, even once Brexit is finalized.
On Wednesday, April 18, 2018, Susan and Aaron presented via live webinar on the GDPR requirements, best practices for meeting these new compliance obligations and the severe penalties for non-compliance.