The European Parliament made international headlines in April when it enacted the General Data Protection Regulation, a revolutionary data privacy law that permits regulators to fine corporations in excess of €20 million for noncompliance. What’s more, companies without a physical presence in the European Union may be subject to regulation and liability. These changes usher in an era of uncertainty as U.S. companies assess the potential effects on their business.
This article offers some background on recent developments in EU data privacy law, endeavors to answer some questions you may have regarding how the evolution of EU law affects your business, and suggests first steps that you can take to ensure compliance with the GDPR.
What Sparked the EU’s Data Privacy Changes?
The transformation of EU data privacy law encompasses two different concepts: regulation within the EU, and transfers of personal data outside the EU. Since 1995, the EU Data Protection Directive has regulated data privacy within the EU. By 2012, however, efforts were underway to replace the Directive, and the GDPR was proposed. In April 2016, after years of negotiation, the GDPR gained European Parliament approval, which was the final step in the legislative process.
In the realm of data transfers outside the EU, companies for years relied on an agreement between the EU and U.S. known as the Safe Harbor. In October 2015, however, a European court invalidated the Safe Harbor because it failed to adequately protect EU citizens’ rights. Companies that relied on the Safe Harbor scrambled to find alternative ways to legalize data transfers, and the EU and U.S. rushed to negotiate a new data-transfer pact. Although the EU and U.S. reached an agreement known as the Privacy Shield, whether the Privacy Shield will take effect remains unclear.
While most American companies’ attention was focused on the upheaval surrounding invalidation of the Safe Harbor, the European Parliament thrust the GDPR to center stage.
What Are the Significant GDPR Changes?
The GDPR introduces significant changes to EU data privacy law, including a broader territorial scope, enhanced penalties and a shortened time frame for responding to data breaches.
First, the GDPR regulates more businesses than the directive. The directive applied only to data “controllers” – that is, entities that “determine[d] the purposes and means of the processing of personal data.” In contrast, the GDPR applies to data “processors,” which process personal data on a controller’s behalf. The GDPR also expands the definition of “personal data” to include a person’s name, location data, online identifiers and genetic information.
Moreover, when data processing relates to offering goods or services to data subjects in the EU or monitoring data subjects’ behavior in the EU, the GDPR extends even to controllers and processors who have no physical presence in the EU. The GDPR’s extraterritorial reach marks a significant development EU data regulation.
Second, the GDPR provides severe penalties for noncompliance. Administrative fines reach as high as 4 percent of a company’s gross worldwide revenue or €20 million – whichever is greater. Administrative fines must be “effective, proportionate and dissuasive,” and the supervisory authority imposing the fines must consider factors including the number of data subjects involved and extent of their injuries, whether a company acted intentionally or negligently, and whether a company took mitigating action. Given these factors, a company’s deftness in preparing for and responding to data breaches will go a long way toward minimizing the amount of potential fines.
Third, data controllers must notify supervisory authorities of a personal data breach within 72 hours of discovering the breach. This notification period is shorter than state-law notification periods with which U.S. companies are familiar, although the notification period is longer than the 24-hour period originally proposed in the GDPR. Additionally, controllers must notify data subjects “without undue delay” if the breach is likely to cause a “high risk” to individual rights.
The swift 72-hour notification period entails some ambiguity. In particular, the GDPR mandates that “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.” Notification is not required, however, if the “personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons.” Notification after 72 hours must be “accompanied by reasons for the delay.” The GDPR also imposes a notification requirement on the data processor, who “shall notify the controller without undue delay after becoming aware of a personal data breach.”
The GDPR, however, does not define “undue delay,” describe situations in which notification within 72 hours is not “feasible,” or explain what constitutes an acceptable delay for late notification. Data controllers and supervisory authorities may also differ in their assessment of what constitutes a “likely” risk to individual rights. Thus, ambiguity exists, and supervisory authorities and European courts will likely fill in the blanks. The notification requirements underscore the importance of planning and preparing for data breach responses.
Does the GDPR Impose Additional Obligations?
In addition to notification requirements, the GDPR requires controllers and processors to implement an array of internal controls related to managing personal data.
For starters, data controllers must “implement appropriate technical and organisational measures” to ensure GDPR compliance and protect individual rights. Similarly, controllers should not contract with processors without guarantees that the processors will take appropriate technical and organizational measures to protect individual rights.
Additionally, if a controller is not established in the EU, it must appoint a representative in an EU member nation where the controller offers goods or services or monitors data subjects’ behaviors. An exemption exists, however, for companies that engage in occasional processing that is unlikely to threaten individual rights.
The GDPR also imposes record-keeping requirements on controllers and processors. For instance, controllers must maintain a record of processing activities that includes the purpose of processing and a description of categories of data processed. Records must be produced to supervisory authorities on demand. Although an exemption exists for companies with fewer than 250 employees engaged in infrequent processing, what constitutes “occasional” processing remains to be seen.
Companies engaged in large-scale processing – or in processing of data related to special categories, such as race, ethnicity and religion – must appoint a data protection officer. The data protection officer’s responsibilities include monitoring compliance with the GDPR.
Companies often rely on consent when processing personal data, and the GDPR sets forth new requirements for obtaining consent. Consent must be affirmative, freely given, specific, informed and unambiguous. A pop-up, click-through box on a website is a common way of obtaining consent and remains valid as long as it meets the GDPR’s criteria. A data subject, however, must have a genuine choice, be aware of the controller’s identity and the purpose of processing, and be able to withdraw consent at any time without detriment.
What If We Transfer EU Data to the U.S.?
Until last year, companies routinely relied on the Safe Harbor to legalize the transatlantic flow of EU citizens’ personal data. In October 2015, however, the Court of Justice of the European Union invalidated the Safe Harbor because, in the CJEU’s assessment, the Safe Harbor failed to adequately protect EU citizens’ privacy.
The CJEU’s decision left many companies that relied on the Safe Harbor in legal limbo. In early February 2016, the European Commission announced that it had reached a new agreement with the U.S., called the Privacy Shield, to replace the Safe Harbor. Privacy advocates, however, criticized the Privacy Shield for not going far enough to protect personal data and individual rights. Following release of the Privacy Shield’s text, a group of European data regulators – the Article 29 Working Party – disapproved of the Privacy Shield. Although the Working Party’s opinion is not binding, many commentators expect that the Privacy Shield will not take effect absent significant revisions.
The practical effect is that companies that transfer personal data from the EU to U.S. remain in legal limbo.
Although the Safe Harbor was the most popular mechanism for transferring data from the EU, several alternatives exist, including binding corporate rules, standard contractual clauses and consent. The GDPR expressly recognizes these methods of transfer. Additionally, the European Commission can issue adequacy decisions declaring that a particular country provides an adequate level of data protection. A similar process existed under the Directive, but the Commission recognized only 11 nations – not including the U.S. – as providing adequate safeguards.
Thus, companies may still transfer data, but for the time being, they cannot rely on the Safe Harbor or Privacy Shield to do so.
Is There Any Good News?
The GDPR may seem burdensome, but it does have a silver lining. The GDPR is a “regulation,” not a “directive.” Unlike directives, regulations do not require implementing legislation from EU member nations. Thus, the GDPR will regulate data privacy throughout the EU. As a result, the GDPR may simplify the data privacy regulatory structure by providing one set of regulations for companies to deal with – a one-stop shop of sorts.
Additionally, companies have about two years to prepare for the GDPR, which will take effect on May 25, 2018.
European data privacy law remains in flux and is undergoing a period of transformation. This article describes some of the most significant developments with regard to the GDPR and Privacy Shield, but is far from comprehensive. As companies navigate these uncertain waters during times when data breaches have become increasingly common, planning and preparation are crucial.
As a first step toward complying with the GDPR, companies should take stock of their data operations. Ask the following questions: What personal data does my company collect or store, and how is it used? Do our activities fall within the scope of the GDPR? Do we meet the definition of a “data processor” or “data controller”? Do we have a high-level employee responsible for data security? Have we developed a data breach response plan?
The prospect of fines exceeding €20 million provides a strong incentive to invest in data security and breach response. A well-designed and well-executed data breach response plan may keep your company out of regulators’ cross hairs. U.S. companies should therefore be proactive during the GDPR’s implementation period and stay abreast of developments in the evolution of EU data privacy law.
Louis Dejoie, chair of the International Law practice group and a member of the Corporate and Tax and Intellectual Property groups, can be reached at [email protected].
As part of the Litigation and Privacy and Data Security practice groups, Thomas S. Markey assists clients in matters including contract disputes, corporate governance and data protection. He can be reached at [email protected].
Published May 26, 2016.