
It’s the world’s largest trading bloc, but for a serious digital business, access to the EU requires compliance with the European General Data Protection Regulation (“GDPR”). The words themselves make your eyes want to bleed a little, but fear not.
The voluminous GDPR may feel a little overwhelming for any American business accustomed to our lax privacy laws. And in candor, it’s not a walk in the park. However, once stripped of its internal mechanisms and special circumstance cases, for an American digital business thinking of expanding into the EU, it really breaks into three buckets:
Things a business will have to do;
Rights the customers of the business will have; and
Things a business may need to do.
This article will visit each of the above three areas. Larger businesses will be accustomed to more administration in the conduct of their business and will not be intimidated. Management of smaller enterprises may feel this is an unfair burden. Perhaps so. In theory, the current exemptions from the California Consumer Privacy Act are much friendlier to small businesses. In practice, however, the trend in the law is quite clear: expect more regulation in this area in the future, not less, and tackling the GDPR may be like physical training for the road ahead here in the U.S.
Things a Business Will Have to Do in Nearly Every Instance
The GDPR applies whenever a business is processing personal data.[1] It applies to U.S. businesses that are intentionally offering goods and services into the EU.[2] Businesses[3] subject to the GDPR will:
Collect and process personal data for only specified, explicit, legitimate and lawful[4] purposes;
Collect only the relevant personal data that is necessary;
Maintain accurate data and respond to requests to correct personal data;
Keep data in a form that permits personal identification for no longer than is necessary;
Ensure that all processors (e.g. hosting sites, contracted services, etc.) comply with all of the rules and regulations.
Where usage of personal data is based on the consent of the customer/data subject, the business must have conspicuously obtained the consent and informed the customer/data subject[5] of its right to withdraw the consent; finally, a business must keep a record of the consent.
Maintain appropriate safeguards of personal data and appropriate security against unauthorized access.
Not collect or process sensitive personal data (e.g. racial or ethnic origins, religious or philosophical beliefs, membership in a trade union, criminal convictions, et cetera).[6]
Conduct any and all communications with customers/data subjects in concise, transparent, intelligible and easily accessible form, using clear and plain language.
When personal data is being collected from the customer/data subject the business must inform the customer/data subject of:
the identity and contact information of the business
if applicable the name of its EU representative
the name and contact details of the business’ data protection officer if it is required to have a data protection officer
the purpose of the data processing and its related legal basis and, where applicable, the legitimate basis for the business processing the data
what third parties will be receiving the data
if the data is being transferred out of the EU, where it is being transferred, the safeguards that apply and how to find a copy of the safeguards
the time period for which the personal data will be stored
the right to rectification and erasure of personal data
the right to portability of personal data
the right to place a restriction on the processing of personal data
the right to withdraw consent if consent was the basis for receipt of the personal data
the right to lodge a complaint with a supervisory authority
whether the personal data is being requested for statutory or contractual reasons and of the possible consequences of failing to provide the data
information about the profiling and automated decision-making procedures, if any, that will be used.[7]
The right to object when the stated use of personal data is for public interest, legitimate interest of the business or marketing[8]
Provide an electronic method or portal for customer/data subject to request a copy of their data.
Implement technical and organizational safeguards and policies to protect the personal data, the extent of such technical and organizational safeguards to be commensurate with the risks.[9]
Unless a business has only occasional processing of data in the EU, if it doesn’t maintain a physical office in the EU it will need to appoint a representative.[10]
When using third parties to process data, the business must have a written instrument[11] with the processor which guarantees that the processor will comply with the GDPR, that the processor will not engage sub-processors without consent of the business, that the processor will not change sub-processors without consent of the business, and that when a processor engages a sub-processor, that agreement guarantees that all of these obligations continue to flow down the chain.
If a business employs more than 250 people, the business and any processor it uses are required to have a detailed written record of processing activities under its responsibility.[12] (This requirement may also apply to businesses with fewer than 250 people if they cause high risk to data subjects or process certain categories of sensitive information.)
Notify the relevant EU supervisory authority within 72 hours of a breach of personal data. And, except for limited cases, if the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the business shall also notify the customer/data subject.[13]
If the core activities of a business consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, then it shall appoint a data protection officer.[14] The data protection officer may be on staff or may be a contract service. If a data protection officer is appointed, then its contact details shall be published and shared with the EU supervisory authority.
Ensure that all data is stored in the EU and if not in the EU then in third countries or international organizations which have met the “adequacy” requirement of the EU[15] OR a place with the adequate safeguards as set forth more fully in Article 46 of the GDPR.[16]
Rights a Customer/Data Subject will Have
When the GDPR was announced, this was the “sexy” part (if anything about a data protection law can in fact be deemed sexy). In particular, the so-called “right to be forgotten” garnered a lot of attention – and it’s certainly different than here in the U.S. Many of these have already been covered above insofar as a business has a proactive duty to inform of some of these, but at the risk of being duplicative, a customer/data subject shall have:
A right to request a copy of the personal data being collected
A right to revoke their consent for the usage of the data
A right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject.
A right to receive their own data in a portable form which could be used elsewhere and even to have that data transferred directly to a competitor.
A right to object to their data being used for public interest, legitimate interests of the business or marketing.
A right to object to automated decision making or profiling based on their data.
If there is a data protection officer then customers/data subjects will have the right to contact the data protection officer.
A right to seek judicial remedy against business if the customer/data subject believes their rights have been infringed under the GDPR. The customer/data subject can also assign this right to an advocacy organization.
A right to compensation if the customer/data subject has suffered material or non-material damage from an infringement of the GDPR.
Things a Business May Need to Do or May Do
On review of the GDPR there was a third bucket of items that not every business would need to do, but the likelihood of the requirement merited attention. This third bucket of business obligations is as follows:
Stop using data if data subject withdraws consent, where the initial access and use of the data had been based on consent.
Generally speaking, a business may delete personal data unless other laws require the personal data to be maintained (i.e. the long list of rights of the data subjects does not require a business to save the data in order to meet those rights).
If a customer/data subject makes a request to exercise their rights, the business will have to facilitate that request.[17] This includes responding to a request for their data.[18] It includes correcting or erasing a customer’s data – and ensuring that any third-party recipients of the data also correct or erase it.[19] It includes restricting processing when requested.[20] Furthermore, facilitating the request could include giving the customer/data subject all of their data in a portable form which could be transferred to another business – or honoring their request to transfer their personal data directly to another business.
If the business will be using personal data for processing for purposes other than the purpose at the time of collection, it will also have to inform the data subject of such additional purpose.
If a business obtains personal data from sources other than directly from the customer/data subject, it must inform the data subject of the items set forth in Article 14 of the GDPR within a month of receipt, prior to the first communication or prior to any disclosure, whichever comes first.[21]
Cease using data in public interest, legitimate interest of the business or marketing where customer/data subject objects to usage on that basis.
Where a customer/data subject objects to automated profiling or decision making, a business may need to grant a right to human intervention.[22]
In Conclusion
What this article sought to do was to create a Cliff’s Notes version of the GDPR. Even with this intention of brevity it became quite long. Anyone who ever used Cliff’s Notes can attest the product didn’t exactly cover everything in the underlying book. This doesn’t either.
The GDPR offers several methods of compliance, including codes of conduct established and enforced by associations[23] and certifications.[24] The certifications can be relied upon to allow data to be stored out of the EU. As of the publication of this article, the rolling out of codes of conduct and certifications has been generally slow. And regardless, it’s important to note the controller ultimately remains liable.[25] As stated above, individual customer/data subjects have a right to judicial redress. There is also the possibility of administrative fines for businesses violating the GDPR.
If this has been a helpful post, please share. And by all means, start getting your data house in order for your big European debut. In the words of Audrey Hepburn, Paris is always a great idea.
———————————————————————————————–
About Joe Huser, Esq.
Joe Huser is a California business lawyer, consultant, fixer, confidante and writer. Joe can be reached at joe@joehuser.com or at 213-271-1520.
[1] There are exemptions in Article 2 of the GDPR. Go ahead and check, but it would seem to rarely apply to an American business seeking to do business in the EU.
[2] The angle of this article presumes the reader wants to make a robust entry into the EU market. However, there is a possibility that it would not apply to an American business with only incidental sales into the EU. For more guidance here, see: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf
[3] The GDPR makes a distinction between “controller” and “processor” – in GDPR parlance, the controller determines the purposes and means of collecting personal data. In the real world that distinction can become fuzzy, but this article assumes an American business deciding to expand into the EU would typically be a controller.
[4] Article 6 of the GDPR provides for lawful processing only in six instances: a) with the consent of the data subject; b) when it’s necessary for performance of a contract with the data subject; c) when it’s necessary for compliance with legal obligations; d) when it’s necessary to protect vital interests of the data subject or another natural person; e) when it’s in the public interest; and f) when it furthers a legitimate interest of the controller unless the rights of the data subject override the interests of the controller.
[5] The GDPR refers to and defines data subject as an identifiable, natural person and to be clear it is not necessary that the person is a customer of the business. Moreover, the GDPR refers to a “controller” rather than a business. For purposes of making this article more approachable to a broader U.S. business audience, it will continue to refer to a controller as a business and a data subject as a customer/data subject.
[6] There are exceptions where this kind of sensitive personal data can be collected, and if your business is the type that needs this kind of data, consult with counsel to see if an exception applies to you.
[7] This information may be presented with standard icons to assist understanding.
[8] See Article 21.
[9] Article 25 and Article 32 provide additional guidance here and recommendations like pseudonymization of data. Complying with the security guidance will require a range of activity related to the human side (limiting access to only those employees who need to know) and to technical steps like encryption. There are additional requirements on this subject in Article 35 regarding making a data protection impact assessment, and even more hoops to jump through in Article 36 if it is believed that the data processing would be high risk.
[10] See Article 27 for additional guidance.
[11] As is to be expected, there is a long, long laundry list of what is required in the written instrument. See section three of Article 28.
[12] See Article 30 for what is required to be in that record.
[13] See Articles 33 and 34 for complete procedures in connection with these notices.
[14] Articles 38 and 39 detail what is required of the data protection officer position and the related tasks and responsibilities.
[15] See Article 45.
[16] See also Article 49 which provides an exceptionally small pathway for transfers outside of “adequacy” or safeguards and binding corporate rules.
[17] Generally speaking, these requests must be facilitated within one month of receipt of the request and, unless the requests are manifestly unfounded or excessive then responding must be done free of charge.
[18] The contents of the response to a customer’s request for their data is covered in Article 15 of the GDPR.
[19] Article 17 of the GDPR more fully explores this right, including instances where the business would be permitted to continue maintaining the data.
[20] Article 18 of the GDPR more fully explores restriction of processing, which includes requesting that the data not be processed (but not erased) because in the future a data subject might need the data for its own legal compliance.
[21] A further notice is required if the data is to be used for other than the purpose it was obtained.
[22] See Article 22 of GDPR for applicable details.
[23] See Article 40.
[24] See Article 42.
[25] For larger companies or others with complex data processing situations there is also the last possibility of Binding Corporate Rules (“BCRs”), which are a binding resolution by the Board and which detail the company’s policy and confer enforceable rights on the customer/data subjects. A business must apply for approval of the BCRs. An example of an approved set of BCRs can be found at https://static.ebayinc.com/assets/Uploads/PrivacyCenter/ebay-corporate-rules-english.pdf