On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) will take effect. The primary objectives of the GDPR are to return control of "personal data" to EU citizens and residents and to simplify the regulatory environment for international business by unifying regulations within the EU. In practice, the GDPR will be, by far, the world's most comprehensive and complex data protection law, and it will not apply only to businesses in Europe. Instead, the GDPR will require any business that offers goods or services to EU citizens, or that monitors EU citizens' behavior to comply with its rules or face hefty penalties.
The Digital Insights blog has published a comprehensive, seven-part guide to the GDPR, which can be viewed here. The purpose of this article is to provide a brief synopsis of the critical aspects of the GDPR.
Key GDPR Terms
The GDPR broadly defines "personal data" as information relating to an identified or identifiable natural person (referred to as the "data subject"). Unlike U.S. breach notification laws, which are concerned with narrow classes of statutorily defined "personal information" such as Social Security numbers or driver's license numbers, "personal data" under the GDPR can be virtually any information that identifies the data subject. The GDPR's definition can overlap with U.S. law, but it can also be far broader to include information about a data subject, location data on a mobile device, or an IP address, just to name a few.
As far as personal data is concerned, the GDPR applies when data is "processed", meaning "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." This too is a broad definition and applies virtually any time personal data is used with automated means.
The identity of who controls the processing is another key aspect of the GDPR. A "controller" is a legal or natural person who controls the "purposes and means" of processing data. A "processor" is a legal or natural person who processes personal data on behalf of a controller. The GDPR strictly governs the controller-processor relationship, and the relationship can be complex.
Additionally, the GDPR defines "sensitive personal data" as "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation." This data is subject to even higher restrictions on processing.
Is My Business Subject to the GDPR?
As discussed above, the GDPR applies not only to businesses within EU member states, but also to businesses anywhere in the world that offer goods or services to EU citizens or monitor the behavior of EU citizens. The determination about whether a U.S.-based business is subject to the GDPR must be made on a business-by-business basis.
Assuming a business outside of the EU or European Economic Area, the GDPR specifies that data may be transferred by that business (or the country in which the business is located) only if the controller and processor comply with certain conditions. Most notably, external data transfers can be effectuated where there has been an "adequacy decision" by the European Commission, finding that the target country has adequate safeguards in place to protect the data. Crucially, the U.S. is not on the list of countries with adequate safeguards in place. However, since 2016, there has been a "Privacy Shield" in place, whereby the U.S. Department of Commerce can certify that certain U.S. businesses provide adequate safeguards.
Other methods of effectuating external data transfers include adopting binding corporate rules, certain standard data protection clauses, approved codes of conduct, and approved certification mechanisms.
Key Compliance Elements for Businesses Subject to the GDPR
If a business is subject to the GDPR, it will have to comply with a number of requirements and could be subject to severe penalties for non-compliance. Below is an outline of some of the more important requirements, penalties, and features of the GDPR.
The Data Privacy Officer Requirement: Public entities, as well as private companies that process personal data on a large scale or primarily process large amounts of sensitive personal data or criminal convictions data must appoint a Data Privacy Officer (DPO). The DPO must be involved in all issues relating to personal data and must have independence within the company (e.g., not follow instructions from others and not face penalties for doing his or her job). Generally speaking, the DPO must advise the company on GDPR compliance and obligations under the GDPR and cooperate with supervisory authorities. Lewis Brisbois can act as an external DPO for organizations.
Controller-Processor Contracts: Processors must enter into contracts with controllers that, among other things, specify the subject matter and duration of processing and types of personal data to be processed. The contracts must include numerous provisions, including that the processor will act only as instructed by the controller. If a processor wishes to sub-contract to a sub-processor, it will need consent from the controller and will need to enter into a contract with the sub-processor that imposes the same legal obligations as those imposed between the controller and processor. This is a key component of defining the controller-processor relationship, because a processor that begins to make decisions about the purpose and means of processing data (beyond mere technical means) may be defined as a controller by operation of law and may then have higher obligations under the GDPR.
Data Privacy Impact Assessments: If processing — particularly by using new technologies — is likely to pose a high risk to the rights and freedoms of data subjects, a Data Privacy Impact Assessment (DPIA) must be carried out to assess the impact of the proposed processing. There are certain instances where DPIAs are necessary (e.g., processing sensitive personal data), and supervisory authorities are permitted to specify other areas in which DPIAs are required to be undertaken.
Sensitive Personal Data Requirements: Article 9 prohibits the processing of sensitive personal data, unless certain exceptions can be met (e.g., the data subject has consented, processing is necessary to carry out the controller's obligations related to employment, processing is necessary to protect the data subject's vital interests, processing relates to personal data that is "manifestly made public by the data subject," etc.).
Breach Notification Requirements: In the event of a data breach, a controller must notify supervisory authorities "without undue delay and, where feasible, not later than 72 hours after having become aware of it . . . unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." This is a vastly more stringent notice requirement than U.S. laws, which typically require notice in 30, 45, or 60 days. Unlike U.S. laws, however, the GDPR does not always require notice to the data subject, but rather only when "personal data breach is likely to result in a high risk to the rights and freedoms of natural persons." In such a case, the controller must notify the data subject "without undue delay."
Penalties: The GDPR sets severe penalties for non-compliance. Certain acts of non-compliance can result in penalties, including the higher of 10 million Euros or two percent of a business' annual, worldwide turnover for the prior year. For certain other, more egregious violations, the penalties can be the higher of 20 million Euros or four percent of a business' annual, worldwide turnover for the prior year. The term annual, worldwide turnover is roughly equivalent to the gross annual revenue for a business.
Rights Created or Augmented by the GDPR
The GDPR creates and/or augments many rights for data subjects. It is critical for businesses who qualify as controllers or processors to understand these rights because those businesses may need to provide certain information or access to data subjects. A brief summary of those rights is below:
Right to Transparent Information: If information is provided by a controller to a data subject, that information must be "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child." The GDPR identifies the kinds of information that are required to be provided to a data subject and when it is to be provided.
Right of Access: Data subjects have the right to certain information from controllers, including the purposes of the processing, the categories of personal data that are being processed, and recipients of personal data.
Right to Rectification: The GDPR creates a right to rectification of personal data held by a controller or processor in certain instances.
Right to Erasure: The right to erasure (better known as the right to be forgotten) requires controllers and processors to erase personal data upon request where certain criteria apply (e.g., the data is no longer necessary, it was not lawfully possessed, etc.)
Right to Restriction of Processing: Similar to the right to erasure, a controller or processor must cease or restrict processing upon request by a data subject if certain conditions are met.
Obligation to Notify Recipients: To the extent that a controller is required to erase or rectify personal data, the controller, generally, must notify each recipient of that personal data.
Right to Data Portability: Data subjects have the right to receive personal data about themselves from a controller or to have that personal data transferred to a new controller or third party in a "a structured, commonly used and machine-readable format." Thus, businesses that are deemed controllers now have the obligation to assist in the transfer of customers' information to third parties (including, potentially, to competitors).
Right to Object: Data subjects have a right to object to processing, and controllers must comply with objections promptly, absent certain circumstances.
Automated Decision-Making and Profiling Rights: One of the more cutting-edge rights created by the GDPR is the right of data subjects, in certain circumstances, "not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her." This right is tremendously important for businesses that advertise online and/or that create profiles of potential customers.
This article is intended to provide a synopsis of the rights of data subjects, obligations of controllers and processors, and rights of data subjects. Compliance with the GDPR can be difficult, and Lewis Brisbois is here to advise you every step of the way.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.