United States: U.S. Companies Still Grappling With GDPR

Several months after the European Union's (EU's) new sweeping privacy law known as the General Data Protection Regulation (GDPR) went into effect on May 25, 2018, U.S. companies are still struggling to understand the implications for their businesses. This article highlights some of the key threshold issues that companies should consider in analyzing the potential impact the GDPR may have on their operations, including restrictions on the collection and use of personal information of EU residents.

What Is the GDPR?

The GDPR (or Regulation) is perhaps the most comprehensive privacy law of its kind in the world, emphasizing the growing social, political and legal concerns about the potential misuse and abuse of individuals' personal data. This is no surprise given the rapid advances in technology and the impact of the new economic reality of "big data" and data analytics on consumer information.

The GDPR has set a new precedent for the high stakes of protecting individuals' privacy, which is being watched closely and even shaping the privacy laws in other countries. The GDPR replaced the Data Protection Directive of 1995 and sets stricter standards for companies that collect or process data on citizens and residents of EU member countries. While considered a milestone achievement for individuals' data protection laws, the GDPR presents complex challenges for companies that must now take steps to become GDPR compliant or run the risk of being subject to audits, lawsuits and/or stiff financial penalties.

Which Organizations Are Subject to the GDPR?

There is a big misconception in the U.S. business community that the GDPR only applies to EU companies. The new Regulation expands the territorial reach of the GDPR to include companies established outside the EU. This means that a company that has no offices, staff or even customers in any EU country may nonetheless need to comply with the GDPR if it processes and stores personal data on EU residents in any way. In other words, U.S. companies may be subject to the GDPR if they control or process data of EU residents.

The GDPR focuses in particular on the activities of data "controllers" and data "processors." A data controller is an individual or entity that "determines the purposes and means of processing personal data." A data processor is any individual or entity that processes (i.e., collects, stores, uses) personal data at the direction of the data controller. A positive response (yes) to one or more of the questions below may signal that an organization is subject to the GDPR.

Does your organization process or store data on EU residents?

The GDPR broadly defines the term "data processing" to include "collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction." In reality, virtually any activity involving personal data of EU subjects may be closely scrutinized and classified as a processing activity within the definition of the Regulation, to the extent it is performed at the request of a data controller.

Does your organization offer goods or services to EU residents?

The GDPR expressly states that the Regulation applies to organizations outside the EU that offer goods or services to data subjects within the EU regardless of whether a fee is charged for such goods or services. Thus, an organization should consider whether it:

  • Offers services in a language or currency of a EU member state
  • Enables EU residents to place orders in such other language
  • References EU customers in its publications.

It is noteworthy that merely having a website that is accessible by EU residents is not conclusive for purposes of determining whether an organization is subject to the GDPR.

Does your organization monitor the behavior of EU residents as that behavior occurs in the EU?

The GDPR also applies to non-EU organizations that monitor the behavior and activities of EU residents within the EU. This includes tracking EU residents on the internet to create profiles or to analyze or predict individual preferences and behavior.

What Is Protected Personal Data Under the GDPR?

The GDPR protects "personal data," which is broadly defined in Article 4(1) to encompass:

"...any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier..."

The definition provides a broad range of identifiers, including "a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." For example, personal data may include a photo, racial or ethnic data, an email address, bank details, posts on social networking websites, political opinions, health and genetic information, a computer IP address and so on.

The GDPR also refers to sensitive personal data as "special categories of personal data," which include genetic data and biometric data, where processed to uniquely identify an individual, and data concerning health. Processing of such data is prohibited unless the data subject gives explicit consent.

When a data controller collects personal data from an individual, the controller must provide information to the data subject regarding processing activities, including:

  • Contact information for the controller and Data Protection Officer, if applicable
  • Purpose of the collection and processing of personal data
  • Intended recipients of the personal data, if any
  • Whether personal data will be transferred outside the EU
  • Time period for which the personal data will be stored
  • Individuals' right to request access to, correction or erasure of their personal data
  • Individuals' right to file a complaint with an EU privacy regulator (Supervisory Authority) with respect to the collection or use of their personal data.

What Are Consent Requirements for Processing Personal Data?

Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. However, the requirements for validly obtaining consent have been increased to place a higher burden on data controllers. Article 7 sets out what is meant by consent, and the Information Commissioner's Office (ICO) has published detailed guidance on consent under the GDPR. In brief, consent must be "freely given, specific, informed and unambiguous." Organizations should review how they seek, record and manage consent, and whether they need to make any changes to their policies and procedures. In evaluating compliance with the GDPR's expanded consent requirements, organizations should note the following characteristics:

  • Active opt-in: There must be "clear affirmative action"; consent cannot be inferred from silence, pre-ticked boxes or inactivity.
  • Unbundled: Consent requests must be separate from other terms and conditions and should not be a precondition of signing up to a service unless necessary for that service.
  • Granular: Granular options to consent separately to different types of processing should be given wherever appropriate.
  • Named: Name your organization and any third parties that will be relying on consent; even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
  • Verifiable: Keep records to demonstrate what the individual has consented to, including what they were told and when and how they consented.
  • Easy to Withdraw: There must be simple ways for people to withdraw consent – tell people about their right to withdraw and offer them easy ways to withdraw consent at any time.
  • No Imbalance in the Relationship: Consent is not "freely given" if there is imbalance in the relationship between the individual and the data controller.

What Rights Do Individuals Have to Protect Personal Data?

One of the key premises of the GDPR is to expand the rights of individuals to protect their personal data. This includes an individual's right to access, rectify and/or seek erasure of their personal data.

Right to Access

Individuals have the right to access their personal data and request the following information from a data controller:

  • Copy of their personal data
  • Purpose of processing the personal data
  • Categories of personal data
  • Recipients of the personal data
  • Time period the personal data will be stored
  • Individual's right to request alteration (rectification), erasure and/or restrictions on processing their personal data
  • Right to file a complaint with a Supervisory Authority
  • Extent to which decisions about the individual are made based on automated processing or profiling of personal data
  • Appropriate safeguards for transfers of personal data outside the EU.

Right to Rectification

An individual has the right to request the data controller to correct their personal data without undue delay.

Right to Be Forgotten

The GDPR recognizes an individual's so-called "right to be forgotten," subject to limited exceptions. In other words, an individual has the right to request the data controller to erase their personal data without undue delay in certain circumstances, including the following:

  • Personal data is no longer required for processing
  • Individual withdraws consent to the processing of their personal data
  • Individual objects to the processing of their personal data
  • Personal data has been unlawfully processed.

What Are the Record-Keeping Requirements Under the GDPR?

Data controllers and processors must maintain written documentation of all activities related to the processing of personal data. These records should include the following information:

  • Contact information for the data controller
  • Purpose for processing the personal data
  • Description of the personal data
  • Recipients of the personal data
  • Safeguards to protect personal data transferred outside the EU
  • Anticipated time frame for erasing personal data
  • Technical safeguards employed to protect personal data.

These records of processing activities must be produced to a Supervisory Authority upon request. Notably, the GDPR's record-keeping requirement does not apply to organizations with fewer than 250 employees.

What Security Measures Are Required to Safeguard Personal Data?

The GDPR does not dictate specific technical security measures that must be implemented by data controllers or processors to safeguard personal data. However, the Regulation does require organizations to conduct a risk assessment to ensure an appropriate level of security based on a cost-benefit analysis. The size of the organization and the nature and scope of processing activities are key factors to consider. Such security measures may include the pseudonymization of personal data (so that data cannot be linked to a specific individual); encryption of personal data; ability to restore and back up personal data; periodic security audits to test and evaluate processing activities; and adherence to recognized industry standard certification requirements to protect data.

What Is a Data Protection Officer?

The GDPR requires data controllers and processors to appoint a Data Protection Officer (DPO) when an organization's "core activities" consist of processing personal data on a "large scale." An organization may designate an employee or hire a third party to serve as a DPO, based on their expert knowledge of data protection laws and regulations. A DPO is responsible for monitoring an organization's compliance with the GDPR, training employees and staff, oversight of any data protection impact assessments, cooperating with the Supervisory Authority, and acting as the liaison between the organization and the Supervisory Authority. In addition, the DPO may be responsible for responding to inquiries by individuals concerning their personal data.

Is an Organization Required to Report a Data Breach?

The GDPR introduces mandatory data breach reporting requirements. A data controller must report security breaches to the relevant Supervisory Authority "without undue delay, and where feasible, not later than 72 hours" after it first becomes aware of the incident. If the notification is made after 72 hours, a reasonable justification for the delay must be provided. The breach only needs to be reported if it is likely "to result in a risk for the rights and freedoms" of data subjects – if, for example, the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.

A data controller also must notify individuals of a security breach "without undue delay" where the breach "is likely to result in a high risk" to the rights and freedoms of data subjects. However, notification to individuals is not required if (1) the organization has implemented appropriate security measures that render the data unintelligible to any unauthorized person (i.e., encryption); (2) the organization has taken subsequent measures to ensure that a high risk to data subjects does not materialize (i.e., remediation); or (3) it would involve a disproportionate effort, in which case a public communication will suffice (i.e., media notice or publication on the organization's website).

The contents of the breach notification communication should include the following information where available in "clear and plain" language:

  • Nature of the incident
  • Type of personal data
  • Number of affected persons
  • Number of personal data records
  • Contact information for the DPO
  • Likely consequences of the data breach
  • Steps taken by the organization to contain and mitigate the exposure.

Notably, the breach notification requirements set forth above apply to data "controllers." However, in the event of a breach experienced by a data "processor," the processor is required to notify the controller "without undue delay."

Are There Any Repercussions for Failure to Comply with the GDPR?

The most serious infringement of the GDPR can result in administrative fines by a Supervisory Authority of up to €20 million or 4 percent of the offending company's global annual revenue, whichever is higher. For lesser noncompliance offenses, company audits and a tiered fine structure may be imposed.

Under the GDPR, data controllers and processors also may be subject to liability and damages for legal proceedings commenced by a data subject in a court of law or a complaint lodged with a Supervisory Authority. Such complaints may be filed in the jurisdiction where the data subject resides or works, or the location of the alleged infringement of the Regulation concerning the processing of the individual's personal data. Data controllers and processors may have joint liability for compensatory damages awarded to an individual to ensure they are made whole.

The GDPR also grants Supervisory Authorities the following powers to:

  • Conduct investigations of data controllers and processors
  • Perform data protection audits
  • Issue warnings or reprimands
  • Order an organization to comply with a data subject's request regarding personal data (including rectification, erasure and restrictions on processing)
  • Require an organization to bring its processing activities into compliance with the GDPR
  • Order an organization to notify individuals of a data breach
  • Order the suspension of data flows.

Summary

In summary, U.S. companies are well advised to consider their compliance obligations, if any, under the GDPR. The extraterritorial reach of the EU's new privacy Regulation means that non-EU companies may be subject to the law. A critical factor in evaluating the potential application of the GDPR to U.S. companies is whether a company collects, stores, transfers or otherwise processes personal data of EU residents. If so, the company may be required to obtain an individual's express consent to the use of their personal data, in addition to maintaining internal records of the company's personal data processing activities. Moreover, companies may have a mere 72 hours to notify EU regulatory authorities of a data breach involving the personal data of EU residents. Failure to comply with the GDPR's extensive requirements may result in regulatory investigations, legal proceedings, compensatory damages, injunction orders or hefty administrative fines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Cooley LLP
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Cooley LLP
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions