May 23, 2016

EU's General Data Protection Regulation: Sweeping Changes Coming to European and U.S. Companies

The new measure is a response to developments in data collection and the explosion in security breaches.

By Jonathan Millard and Tyler Newby

In December 2015 the European Commission published a General Data Protection Regulation (GDPR) to replace the Data Protection Directive, which currently regulates the collection and use of personal data within the European Union (EU). The Data Protection Directive was enacted more than 20 years ago and was in dire need of updating to keep pace with developments in data collection and sharing practices, as well as the explosion of data security breaches. The GDPR will likely come into force in 2018, but its wide-ranging implications necessitate immediate attention from the business community not only in the EU but also on the global stage.

The key features of GDPR are summarized below.

Territorial Reach
The “extra-territorial” reach of the GDPR is a key change that all non-EU entities will need to be aware of. Previously, EU law in this area applied only to those entities that control the use of the data and have some sort of establishment or equipment in the EU. However, the GDPR applies directly to any entity that processes personal data about EU residents in connection with (i) the offer of goods or services in the EU; or (ii) the monitoring of behavior in the EU. Jurisdiction will therefore be measured digitally rather than physically, paying less attention to the physical location of the entity undertaking the processing. When assessing this reach, regulators will look to a variety of factors, including how a website references EU individuals, the currencies it accepts and the languages it uses. In addition, any profiling of EU individuals will fall squarely within these criteria. This is a huge shift, and entities that were previously outside the scope of the current law but are now likely subject to the GDPR will need to absorb it over the coming months.

Expansion of Definition of Personal Data
The GDPR expands on the definition of “personal data” from the Data Protection Directive, the collection and processing of which is covered by the GDPR. After its effective date, personal data will include unique online identifiers, including IP addresses and mobile device identifiers, and geo-location data about a subject. Unique biometric data, such as fingerprints and retina scans, and genetic data are also included in the expanded definition of personal data.

Enhanced Individual Rights
The GDPR also requires data controllers to provide greater transparency to individuals about the data they are collecting and how that data will be used at the time of data collection. Most of this information should be described in a well-written privacy policy, and includes the identity and contact information of the controller, the purpose of data collection and processing, and third parties to whom the data will be transferred. The information provided must also identify the legal basis of transferring data outside of the EU. Those bases—whether the use of standard contractual clauses, binding corporate rules or the new “privacy shield”—are likely to continue to be in flux until the GDPR comes into effect. Controllers also must inform individuals about the right to deletion and correction of data about themselves, more colloquially known as the “right to be forgotten,” the right to lodge complaints to the controller’s data privacy authority, and the right of individuals to receive data that has been collected about them in a structured and commonly used machine-readable format.

Article 4(3aa) of the GDPR also requires controllers to notify individuals if they will use personal data for “profiling,” which is defined as (a) involving automated processing of personal data and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Profiling cannot be based on certain special categories of personal data, such as racial, ethnic, or religious information, unless the individual has given explicit consent or such processing is necessary for reasons of substantial public interest. Controllers will be required to use adequate procedures and implement technical and organizational safeguards to correct data inaccuracies and avoid errors, secure personal data, and minimize the risk of “discriminatory effects.” Additionally, individuals will have the right both to request the “profiling” data about themselves and to object to or demand that profiling be stopped.

Direct Liability for Processors
Data processors will now have direct obligations under the GDPR. Currently, only data controllers are subject to direct regulatory oversight; they often flow applicable obligations down to the data processor under contract, such that the data processor is contractually liable to the data controller but is not subject to direct enforcement or penalties from a data protection regulator. Whether a data processor is located within the EU or overseas, this is a significant shift in regulatory compliance risk. The obligations of a data processor will include implementing appropriate technical and organizational measures with respect to personal data, notifying the data controller of a data breach and potentially appointing a data protection officer. In addition, contracts appointing data processors will need to be more prescriptive, requiring audit rights for the data controller and a mechanism for the approval of the appointment of sub-processors.

Organizational Requirements
The GDPR imposes several internal administrative compliance obligations on data processors and controllers. First, both controllers and processors will be required to develop and maintain documentation describing their data protection policies. Both will also be required to keep a record of processing activities. Controllers and processors will be required to conduct data protection impact assessments where the proposed data processing is likely to result in a high risk to the rights and freedoms of individuals. An impact assessment evaluates the likelihood and severity of the risks involved in the proposed data processing and assesses the safeguards to be introduced to mitigate the risk. To ensure covered companies will have internal accountability for compliance, the GDPR will require data processors and controllers to appoint a data protection officer where their core processing activities require regular and systematic monitoring of individuals on a large scale, or where their core activities consist of the processing of sensitive data on a large scale. The data protection officer will have the responsibility for overseeing the company’s compliance with the GDPR.

Local Representative Requirement
As a mechanism to bring non-EU data processors within the regulatory oversight of EU data protection authorities, Article 25 of the GDPR requires both data controllers and processors that regularly collect or process personal data from EU citizens on a large scale to appoint local representatives within the EU member states where they do business. This requirement is likely to apply to, for example, U.S.-based “software as a service” providers whose customers include companies with significant numbers of EU end users or employees.

Fortunately for companies that have few contacts with EU citizens’ personal information, there is an exception to this requirement for companies that do limited processing of EU citizens’ personal data. Companies that only engage in “processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of data relating to criminal convictions and offences referred to in Article 9a, and is unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing” are not required to appoint local representatives.

Harmonization and the One-Stop Shop
Under EU law, a “regulation” is law directly applicable to companies acting within the EU, whereas a “directive” requires legislation to be passed at a national level implementing the general principles of the directive, inevitably resulting in a lack of uniformity among the member states. Therefore, a key nuance that is not necessarily evident from the text of the GDPR but is a product of this fundamental principle of EU law is that the GDPR will now create a uniform privacy regime across the EU, in place of the current patchwork of member state laws implementing the current directive.

Following the same theme, the GDPR will also fundamentally change the way that data protection law is supervised in the EU. A key proposal to promote this uniformity was for any given company (which may have a presence in a number of member states) to be able to have one point of contact for supervisory purposes. This has manifested itself in a detailed structure whereby a lead supervisory authority in the member state in which a company has its main or sole establishment will have supervisory responsibility, with that lead supervisory authority having the ability to work with other concerned authorities. A centralized European data protection board will be established, having the ability to issue opinions on particular decisions. It remains to be seen how this will work in practice and whether companies will have the ability to influence which lead supervisory authority is allocated to them, along with the political and tactical maneuvering this may entail to ensure the most preferable outcome for the company.

Data Transfers
There are no major changes in this area of the GDPR and, save for the “safe harbor” uncertainties, the existing methods to transfer data internationally have broadly been retained, with some refinements. With regard to safe harbor, we all await clarification on the law and the details of its newly unveiled replacement, the “privacy shield.” There appears to be an emerging view that, whatever the details of this privacy shield turn out to be, the shield is likely to be subject to challenge in the courts. Whether it will withstand such challenge remains to be seen, but in the interim, the market waits with anticipation. With regard to other methods to facilitate transfers of data, a popular alternative to the safe harbor regime is the use of model contractual clauses. Although these remain intact under the GDPR, in due course they may come under fire and be subject to similar challenges and calls for invalidity as the safe harbor regime. Binding corporate rules have also survived under the GDPR, and they remain a valid way to transfer data, with the current rules now codified into law.

There are new provisions codifying the ways in which a data subject may provide, or be deemed to have provided, consent to the processing of his or her data. Consent needs to be informed, specific, evidenced by a statement or affirmative conduct (silence or inactivity is insufficient) and, in the case of sensitive personal data, explicit. The onus is on the data controller to demonstrate this, and the request for consent must be easily accessible, using clear and plain language. The consent must be freely given and revocable at any time without detriment to the data subject. The GDPR looks to the bargaining power of the parties as a factor when assessing this. For example, companies can no longer make it a condition of a contract or service that consent is provided to that company to process certain personal data where the processing of that personal data is not necessary for the performance of that contract or delivery of that service—the “all or nothing” option is therefore likely to find little favor. In addition, in the employer-employee context, which is often the focus of much analysis regarding freely given consent, member states will have the ability to implement specific rules to regulate this.

Data Breach Response
An aspect of the GDPR that will significantly impact U.S.-based companies’ data breach response plans is the requirement that data controllers notify supervisory authorities—e.g., data protection authorities—of a data breach that “is likely to result in a risk for the rights and freedoms of the data subject” within 72 hours of discovery of the breach. This time period is considerably shorter than under any existing U.S. state statute. Because companies affected by breaches are often still assessing what happened and identifying the scope of the compromise within the first 72 hours of a breach, companies will need to be careful not to understate or overstate the impact of the breach.

Affected individuals must also be notified without “undue delay” if the breach presents a high risk “for the rights and freedoms” of individuals. The notification must describe the nature of the breach and its causes, if known, and recommendations on how affected individuals may mitigate risks. Although a data controller may not give notice to the supervisory authority or affected individuals if it determines that the breach is unlikely to pose a threat to the rights and freedoms of affected persons, the burden will be on the data controller to prove the absence of risk.

Notably, the trigger for a breach notification under the GDPR is both broader and vaguer than under the laws of the more than 47 U.S. states and territories that have data breach notification statutes. Under those statutes, an obligation to notify arises following the breach of relatively well-defined categories of information, typically a combination of the first name or initial and last name with some other unique identifier, such as a social security number, driver’s license number, financial account number and passcode, unique biometric identifier, or health insurance or medical treatment information. The GDPR imposes a much vaguer standard, requiring notification where the breach could lead to identity theft, discrimination, or loss of confidentiality of information that could result in economic loss or social disadvantage. The end result is likely to be an increase in global notifications of data breaches.

Penalties for Non-Compliance
The GDPR, once in effect, is not a paper tiger. Data controllers will face penalties of up to 4 percent of global “turnover”—gross revenue—for non-compliance. For large U.S. companies—the kind that are likely to be controllers rather than mere data processors—these fines could be substantial. Data protection authorities will also be able to enforce penalties against the local representative of a non-EU data processor or controller, effectively giving those authorities indirect jurisdiction over non-EU data processors. The GDPR has no means of enforcing penalties against non-EU processors who fail to appoint a local representative, which may lead some U.S. data processors to consider whether appointing a local representative simply invites more risk.
