11 Apr 2018
Are You Prepared for the General Data Protection Regulation (“GDPR”)?
The General Data Protection Regulation (“GDPR”), adopted in April 2016 and finally enforceable on May 25, 2018, is a European regulation intended to strengthen the data protection of individuals within the European Union (“EU”) and address the export of personal data out of the EU. These strengthened data protection regulations are embodied through the requirement for data protection by design and data protection by default as well as rules regarding consent, data portability, right to erasure, and complaint mechanisms. The GDPR also stipulates that the export of personal data outside of the EU may be prohibited if the target country’s legal regime is determined to not have an adequate level of data protection.
Who Does the General Data Protection Regulation Apply To?
The GDPR applies to the processing of personal data of data subjects within the EU by data controllers and processors established in the European Union, and to data controllers and processors outside the EU when such processing activities relate to the offering of goods or services to data subjects within the EU, or relate to the monitoring of the data subject’s behavior.
First, we need to understand what the GDPR defines as a data subject. A data subject is an identified or identifiable natural person. Essentially, this means the GDPR applies to the personal data of humans and not corporate entities. The next step in determining the applicability of the GDPR is to determine whether the collected data is considered personal data. The GDPR defines personal data in very broad terms, and any information with the potential to identify a data subject may be considered personal data. A specific example of personal data described in the text of the GDPR is online identifiers. The GDPR explicitly mentions types of online identifiers like internet protocol addresses and cookies as data collection tools that may provide personal data on a data subject. In some cases, location identifiers including MAC addresses and GPS information may also provide personal data.
When determining whether an entity or person is a data controller or data processor, the GDPR identifies data controllers as the entity or person that determines the purposes and means of processing personal data. In contrast, the processor should only process personal data on behalf of the controller. While this seems like a straightforward relationship, the waters are often muddied by entities seeking to limit the liability and responsibilities associated with being categorized as a controller. As a result, entities often attempt to contractually claim that they are simply processing data and exert no control. There is no indication in the text of the GDPR that contractually assigning the role of controller and processor by labelling alone will be sufficient.
What Are Some of the Responsibilities of a Controller?
The GDPR lays out a set of enhanced rights for data subjects like right of access to personal data, right to rectification, right to erasure, and the right to restrict processing. It is the controller’s responsibility to ensure that the data subjects have these rights. For example, the GDPR states that when relying on consent for processing personal data, consent “should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” The GDPR places the burden on the controller to prove that the requirements for consent are met.
What are the Penalties for Violating the GDPR?
The penalties depend on which article of the GDPR an entity violates. Violation of the more serious articles, like violating consent or failing to comply with cross-border transfer requirements, results in a fine of up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Violations of other articles may result in fines of up to 10,000,000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Entities with subsidiaries or parent companies should note that, as currently worded, “worldwide annual turnover” is not limited to the worldwide annual turnover of the subsidiary alone. As a result, a parent company may have substantial liability based on the actions of a subsidiary.
What Are Some Concerns for a United States Based Entity?
In some cases, an entity may have to appoint a Data Protection Officer (“DPO”) in the EU. Whether a DPO is required depends on the personal data collection practices of an entity. DPOs are required for private entities when the core activities of controllers or processors consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or of processing on a large scale of special categories of data and personal data relating to criminal convictions and offenses. Many entities may not be required to appoint a data protection officer under the GDPR, but may be subject to national law requirements or find it beneficial to appoint a data protection officer. Under the GDPR, member states are free to implement broader national DPO requirements. For example, Germany and Croatia both have mandatory DPO requirements which apply widely to public and private entities. Many other EU countries mandate DPO appointment for specific business sectors.
Additionally, in cases where controllers and processors are located outside of the EU, the GDPR generally requires a representative to be appointed within the EU. Limited exceptions apply to occasional processing of data when this data does not include restricted categories of data or personal data relating to certain criminal convictions and offenses.
While this list of possible concerns is not exhaustive, one more major concern that entities face is transferring personal data out of the EU. As stated earlier, the GDPR prohibits entities from transferring personal data outside of the EU to countries that do not have adequate data protection. Currently the US is not considered an adequate country, and as a result, entities seeking to transfer data must put in place certain safeguards. In some cases, this may be standard contractual clauses published by the European Commission. The drawback of standard contractual clauses arises in situations where an entity has a significant number of contracts, which may prove difficult to track and modify. Another method of cross-border transfer is binding corporate rules, which are internal rules that define the data policy of the entity. However, this method has not been adopted by a significant number of entities. The method seeing the largest growth has perhaps been the Privacy Shield, which is administered by the US Department of Commerce. The Privacy Shield was negotiated between the US and the EU to provide businesses with a simple process to ensure that data transfers adhere to GDPR requirements.
With the deadline for GDPR compliance looming on the near horizon, many entities are concerned with whether they are currently compliant. Additionally, contracts for services that take effect now but last past the May 25 deadline must also be negotiated with the GDPR in mind. While there may be significant effort required to adhere to the GDPR, if an entity has not started already, there is no better time than now to ensure compliance.