In my first blog post, I briefly discussed the European Union’s (EU) General Data Protection Regulation (GDPR). We’ll take a closer look at the GDPR now. Specifically, what impact can the GDPR have on U.S. businesses?
The GDPR is broad enough to impact even small U.S. businesses that have customers in, or market their products or services to, EU residents. Violation of the GDPR carries with it hefty fines which are intended to be “effective, proportionate and dissuasive.” (Article 83). The EU is serious about enforcing the GDPR! It’s important for U.S. business owners to learn about the GDPR and become aware of the risks for failing to comply with the GDPR.
The GDPR embodies the philosophy of data stewardship. Businesses are caretakers of other people’s data and have an obligation to handle the data responsibly. U.S. businesses that embrace the data stewardship philosophy, going beyond doing the minimum to comply with the GDPR, have the opportunity to turn their GDPR efforts into a marketplace differentiator that matters to consumers.
What is the GDPR?
The European Union General Data Protection Regulation provides the most extensive personal information protections in the world. The U.S. protects personal information according to sectors, such as health care and financial services, but does not protect personal information across the board. In the EU, people have a fundamental right to protection when their personal data is processed. The GDPR “applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” (Article 2).
The GDPR contains 173 Recitals and 99 Articles. The Articles are the law, but the Recitals provide context. EU authorities cite the Recitals as well as the Articles when giving guidance on the GDPR.
The two critical elements of the GDPR are 1) processing and 2) personal data. I’ll discuss these in reverse order, with personal data first.
- Personal Data
Let’s take a minute to discuss what personal information is. This is Washington State’s definition of personal information in the data breach context: An individual’s first name or first initial and last name, in combination with a Social Security number, a driver’s license or Washington identification card number or an account, credit or debit card number plus information that would permit access to an individual’s account.
The GDPR speaks in terms of “personal data,” not “personal information,” a distinction without a difference for the purposes of this post. The GDPR defines personal data as “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Clearly, the EU definition for personal data is much broader than the Washington State definition for personal information. Only one factor is required to identify a person under the GDPR. A name is not required for data to be classified as personal data. Information which is not considered personal information in the U.S. can be considered personal data in the EU. U.S. business owners should understand how the GDPR defines personal data so that they can determine whether they are collecting personal data from EU residents.
Other GDPR terminology includes “data subjects,” as opposed to individuals. The GDPR does not define the term “data subjects.”
- Processing
“‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” (Article 4(2)). It’s safe to say that the definition is broad enough to cover any use or possession of personal data.
The GDPR separates the processing entities into controllers and processors. Both are liable for infringement, but their duties differ.
Controller. “‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” Article 4(7).
Processor. “‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Article 4(8).
Article 24 details the responsibilities of the controller, while Article 28 details the responsibilities of the processor. Articles 24 through 37 set out other controller and processor obligations. The controller bears the ultimate liability for the processing and is liable for damage caused by it. The processor is liable only if it has not fulfilled its obligations under the GDPR or it has acted outside the scope of the controller’s lawful instructions. (Article 82).
Is your business a controller or a processor? That depends on the transaction context. Suppose your business develops a software application that you license to another business. If your licensee collects personal data through your application, which it then passes on to your business for processing, your business is a processor in that context. If your business also independently collects personal data through the application, in addition to receiving the data collected by your licensee, your business is both a controller and a processor regarding that interaction with the data subject. Your business can be a processor for one data set and a controller for a different data set within the same interaction with the data subject. The context of the data collection determines whether your business is a controller or a processor, and that in turn determines the extent of its liability for GDPR infringements.
Which Businesses Must Comply With the GDPR?
The GDPR applies to U.S. businesses that either 1) offer goods and services to people residing in the EU, regardless of whether a payment is required or 2) monitor the behavior of people within the EU. (Article 3).
Offering goods and services to people residing in the EU requires more than having a website that can be accessed anywhere in the world. The GDPR applies when a business envisages offering goods or services in one or more EU countries. Other factors considered in determining whether the GDPR applies are making the website available in languages spoken in the EU, making the goods or services available in currencies used in the EU and mentioning other EU customers on the business’ website. (Recital 23).
Monitoring the behavior of people within the EU includes tracking them on the Internet. Even if your business does not offer goods or services to people residing in the EU, if your business uses the Internet to track people residing in the EU, the GDPR likely applies to your business. If your business’ tracking includes profiling an individual so that decisions or predictions can be made about that individual, the GDPR is even more likely to apply to your business. (Recital 24).
What does the GDPR Require Businesses to Do When Processing Personal Data?
This section describes some of the GDPR’s major requirements, but does not include an exhaustive list.
The GDPR requires businesses to comply with the following personal data processing principles:
- Lawful, fair and transparent processing;
- Purpose limitation. Data collected for one purpose cannot be further processed for an incompatible purpose;
- Data minimization. Data collected shall be adequate, relevant and limited to what is necessary for the processing purpose;
- Data shall be accurate and kept up to date;
- Storage limitation. Data shall be kept in a form which permits identification of people for no longer than is necessary for the purposes of the processing; and
- Integrity and confidentiality. Data shall be processed in a manner that ensures appropriate security.
Processing is lawful under the GDPR only when the individual gives consent, the processing is necessary for the performance of a contract, the business that controls the data has a legal obligation to process it or processing is necessary to protect the vital interests of the individual or another person, plus two other situations that are not relevant to this article. (Article 6).
The consent requirements are strengthened by the GDPR, compared to previous EU law. Consent must be freely given and as easy to withdraw as it is to give. The business owner must be able to demonstrate that the individual gave consent. Consent requested for one matter must be clearly distinguishable from other matters. The request for consent must be presented in an intelligible and easily accessible form, using clear and plain language. (Article 7).
The GDPR enumerates individuals’ rights in the categories shown below. These rights place corresponding obligations on businesses in processing individuals’ personal data:
- Transparent information, communication and modalities for the exercise of the rights of the data subject. Requires concise, transparent, intelligible and easily accessible communications to be made to individuals regarding data processing.
- Information to be provided where personal data are collected from the data subject. A business must provide an individual with certain information when the information is obtained from the individual.
- Information to be provided where personal data have not been obtained from the data subject. A business must provide an individual with information on personal data processing even when the business did not collect the information directly from the individual.
- Right of access by the data subject. An individual has the right to obtain from a business confirmation of whether personal data concerning that individual is being processed, and, if so, access to the personal data, the purposes of the processing and other information about the processing.
- Right to rectification. An individual has the right to get the business to correct inaccurate personal data.
- Right to erasure (‘right to be forgotten’). An individual has the right to get the business to erase personal data about her.
- Right to restriction of processing. An individual has the right to get the business to restrict processing of data about her.
- Notification obligation regarding rectification or erasure of personal data or restriction of processing. A business must communicate to the individual that the business has corrected, erased or restricted the data processing according to the individual’s exercise of her rights.
- Right to data portability. An individual has the right to receive her personal data in a commonly used, machine-readable format and has the right to transmit that data to another business.
- Right to object. An individual has the right to object to processing data about her.
- Automated individual decision-making, including profiling. An individual has the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning her or significantly affects her.
(Articles 12 through 22).
The rights of individuals to the protection of their personal data are not absolute, but must be balanced against other fundamental rights. Fundamental rights include the respect for private and family life, home and communications; the protection of personal data; freedom of thought, conscience and religion; freedom of expression and information; freedom to conduct a business; the right to an effective remedy and to a fair trial; and cultural, religious and linguistic diversity. (Recital 4).
The GDPR requires businesses to keep extensive records of personal data processing. Businesses employing fewer than 250 persons are relieved from these obligations in many instances (Article 30), but each business must still keep sufficient records to fulfill its obligations to individuals according to the rights listed above. For example, all businesses are required to respond to individuals’ requests to correct or erase their data or to move their data to another business.
Other GDPR requirements include data protection by design and default (Article 25), secure data processing (Article 32), data protection impact assessments in some situations (Article 35) and a 72-hour timeline for notifying authorities of a data breach (Article 33).
The GDPR takes a risk-based approach to protecting personal data. “The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.” (Recital 76). Businesses are required to identify risks related to processing personal data and to take appropriate actions to mitigate those risks.
What are the Penalties for Failing to Comply with the GDPR?
The GDPR enables supervisory authorities in the EU to impose administrative fines of up to 20,000,000 EUR or 4% of total worldwide annual turnover (gross revenue), whichever is higher, for violating the GDPR. (Article 83). The EU starts enforcing the GDPR on May 25, 2018. (Article 99). Many U.S. companies are scrambling to try to comply with the GDPR by that date.
While many U.S. companies are scrambling to comply, there are still many business owners who are unaware of the GDPR and unaware that the GDPR could apply to their business. It makes sense for all U.S. business owners to determine whether the GDPR applies to their operations, and, if so, to make conscious decisions about implementing the GDPR’s requirements in their operations. Those businesses that aspire to provide their consumers with more protection than minimum compliance requires may be able to turn their GDPR compliance efforts into value-added programs that matter to consumers.