EU Finalizes General Data Protection Regulation: Implications for U.S. Businesses
The European Union (EU) has all but officially adopted the General Data Protection Regulation (GDPR), as approved by the European Parliament and the Council of the European Union on December 15, 2015. The GDPR is set for formal adoption this Spring and will go into effect two years later. It represents a major reform of EU privacy rules and will be among the most stringent data protection regulations anywhere in the world. Its effects will extend well beyond Europe, and indeed, the GDPR is designed to reach U.S. companies that handle EU personal information.
Any U.S. business with a presence in the EU should understand how the GDPR will apply to its operations, and should be aware of the opportunities to substantially influence the law’s implementation. In a transformative change, new penalties for violating the GDPR could reach €20 million or 4% of a company’s annual worldwide turnover. Yet, the process that EU privacy regulators must follow before imposing such a fine is not yet determined and could be influenced by industry. Likewise, U.S. business has opportunities to promote the consistent implementation of the GDPR across the 28 EU Member States in order to reduce compliance costs, as well as to promote the development of workable cross-border mechanisms for the transfer of personal data.
KEY FEATURES OF THE GDPR
Regulation v. Directive
The GDPR will replace the EU Data Protection Directive (Directive)—a 21-year-old privacy framework. One of the most significant changes in the GDPR is the very fact that it is a “regulation,” as opposed to a “directive.” A regulation applies directly to EU Member States and, as a formal matter, allows them little discretion in implementation, whereas a directive sets desired results and policies but depends upon Member State implementation into national law. Because a regulation automatically becomes part of each Member State’s legal framework, the GDPR should reduce—though probably not eliminate—the regulatory patchwork in EU Member States’ data protection regulation. Greater consistency across the Union generally will reduce costs and risks for U.S. companies conducting business in the EU.
Jurisdiction and Scope
Under the GDPR, jurisdiction is less related to the location where a business is incorporated or headquartered and more to the location of business activity. To be sure, the GDPR will apply to the processing of personal data by businesses “established” within the EU. More controversially, the GDPR also will apply to businesses established outside the EU if their processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals’ behavior. This provision expands the territorial scope of the GDPR well beyond the EU, essentially making it global law. There are some limits in place on the GDPR’s reach—the regulation makes clear that having a commerce-oriented website that is accessible to EU residents does not by itself constitute offering goods or services. Rather, a business must show intent to draw EU residents as customers, for example, by using a local language or currency.
The definition of “personal data” in the GDPR also will be expanded. Under the old Directive, “personal data” is information about any “identified or identifiable natural person.” Under the new GDPR, the definition of “personal data” also will cover online identifiers or any factors specific to an individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
The GDPR is broad and complex, but several significant themes emerge, including transparency and control, obligations of so-called “data controllers” (defined in the GDPR as any natural or legal person which alone or jointly with others determines the purposes, conditions, and means of the processing of personal data) and “data processors” (defined as any natural or legal person which processes personal data on behalf of the controller), accountability, and harmonization. Below are key aspects of the new regulation that could affect businesses active in the EU market or offering services to EU citizens.
Transparency and Control
The GDPR promotes transparency of processing of personal data and increasing “data subjects’” control over such processing. Data subjects are identified natural persons or natural persons who can be identified, directly or indirectly, by means reasonably likely to be used by a data controller or processor or by any other natural or legal person. The transparency theme runs throughout the GDPR and is expressed in new definitions, new rights conferred on data subjects, and the overall structure of the data processing regime.
Consent. Consent will continue to be a valid basis for processing personal data under the GDPR, so long as it is “freely given, specific, informed, and unambiguous.” Note, however, that this requirement is slightly different from the consent requirement in the Directive, which requires only that consent be “freely given, specific, and informed.” Parents will be required to provide their consent to the processing of children’s personal data where those children are under age 16, although EU Member States may lower the age requiring parental consent to 13.
New rights. The “right of portability” and the “right to erasure” are two additional privacy rights granted to individuals under the GDPR. The right of portability affords citizens easier access to their own data. Upon request, individuals will be able to transfer all data from one provider of goods or services to another; this provision was created specifically to foster healthy competition and increase accountability among providers. Under the “right to erasure” (also known as the “right to be forgotten”), individuals can have their personal data erased upon request. If the data controller to which the request has been made “replicated” that data with other entities, then it must also forward the erasure request to those entities.
The GDPR also affords individuals a right to object to the processing of their personal data under certain circumstances, including where a controller relies on the “public interest” or “legitimate interest” as a legal basis for the data processing or where processing is for direct marketing purposes, including profiling. Finally, individuals will have the right not to be subject to a decision based solely on “automated processing,” including profiling, that produces legal consequences for them or otherwise significantly affects them. Such right does not apply if the decision is necessary for a contract between the data subject and the controller, or is authorized by the law of a Member State, or when based on the data subjects’ explicit consent.
Data Breach Notifications. Compared to the Directive, the GDPR will impose stricter obligations on data controllers and processors with respect to data breach notifications. Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.” Notably, unlike data breach laws in the United States, this definition is not tied to the exposure of information that can lead to fraud or identity theft. In the event of a personal data breach, data controllers will be required to notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” unless there is a “reasoned justification” for the delay. If the data controller determines that the breach is likely to “result in a high risk to the rights and freedoms of individuals,” it also will be required to notify the affected data subjects. Data processors that experience a personal data breach will be required to notify only the controller. The GDPR includes content requirements for notifications and sets forth limited exceptions to the notification rules.
Obligations of Data Controllers/Processors
In addition to the broad new rights and protections afforded to data subjects, the GDPR imposes several specific obligations on data controllers and processors that are either carried over from the existing Directive or are new or expanded. Each of these obligations generally is concerned with ensuring that data controllers and processors are made accountable for the collection and processing of personal data for which they are responsible.
Notice. Data controllers will be required to take appropriate measures to provide information regarding the processing of personal data to individuals in a concise, transparent, intelligible, and easily accessible form.
Privacy by Design and by Default. Under the GDPR, data controllers will be required to implement the concepts of Privacy by Design and Privacy by Default. These obligations mean that, at all stages throughout the conceptualization, design, and execution of data processing, the controller must implement measures to ensure that the requirements of the GDPR are met. Additionally, controllers must implement mechanisms to ensure that by default only necessary data is collected and processed.
Impact Assessments. When processing operations present specific risks to the rights and freedoms of data subjects, the controller will be required to carry out an assessment of the impact of the processing on the protection of personal data. Assessments will be required for automated data processing activities, including profiling leading to decisions that produce legal consequences for data subjects, large-scale processing of certain kinds of data, and systematic monitoring of a publicly accessible area on a large scale.
Data Processors. Data processors will be required to have a contract in place with the data controller to process personal data. Under the GDPR, processors also will be directly liable for the security of personal data.
The GDPR emphasizes the accountability of data controllers and processors. To this end, under the GDPR, data controllers and processors will be required to designate a data protection officer to oversee compliance with the regulation. Data protection officers must be appointed where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data.” Notably, a company with multiple subsidiaries may appoint a single data protection officer so long as he or she is “easily accessible from each establishment.” The GDPR also will allow the data protection officer functions to be performed by either an employee of the controller or processor or by a third-party service provider.
One of the primary aims underpinning the GDPR is developing and implementing a uniform and harmonized application of data protection and privacy rules across all 28 EU Member States. As explained above, this will be accomplished in part simply by virtue of the fact that the GDPR is a regulation and not a directive, resulting in the adoption of a core set of rules across all 28 EU Member States. For example, under the GDPR, a “legitimate interest” will become a legal ground for lawful processing across the EU. National registrations and prior authorization registrations also will be abolished.
Yet, there are still substantial risks of a regulatory patchwork, as Member States will preserve substantial discretion to regulate “circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful.” Such powers potentially could defeat the harmonization goals of the GDPR.
In addition to uniform rules across the EU, the GDPR introduces other important changes in furtherance of uniformity. Under the Directive, businesses are supervised by a different authority in each EU Member State in which they are established. In order to standardize enforcement, both data controllers and processors will be monitored under the GDPR by a “lead data protection regulator” in the EU country where they have their “main establishment.” This welcome change commonly is known as a “one-stop-shop.” The lead authority may confer with other authorities, however, meaning consumers may still complain to their local data protection regulator. Accordingly, it is unclear whether the GDPR actually will insulate companies from the costs and headaches of satisfying multiple Member State data protection authorities.
Transfers to Third Countries
The cross-border data transfer rules under the GDPR largely mirror those under the existing Directive. As an important addition, the Regulation calls for “uniform recognition” of Binding Corporate Rules (BCRs), which were previously handled differently among Member States. This means that there will be three bases upon which cross-border data transfers will be lawful: (1) where there has been a decision of the European Commission that the data protection rules of the non-EU transferee country are “adequate;” (2) where the transfer is subject to the use of appropriate safeguards by the company (which can include BCRs or model clauses); or (3) where there is an application of a “derogation.”
Previous adequacy decisions and model clauses issued under the Directive will remain in force. In addition, no specific authorization from data protection authorities (DPAs) will be required with respect to EU model clauses. Finally, transfers of personal data also will be allowed based on legitimate interest if the transfer is not repetitive and concerns only a limited number of individuals. As we previously reported, the U.S. and the EU currently are negotiating a second version of the Safe Harbor, which may provide another avenue for data transfers to the United States.
Penalties and Remedies
The GDPR will be backed up by a punitive penalty structure that is intended to ensure that data controllers and processors take the protections afforded to data subjects seriously. Under the existing Directive, the amount of administrative penalties is left to the discretion of Member States, and historically, has been small and rarely applied. Under the GDPR, administrative penalties, at least on paper, will be mandatory and uniform, and they could be imposed for any intentional or negligent violation of the GDPR’s provisions. Depending on the provision of the Regulation that is violated, companies could face fines of up to €20 million or 4% of annual worldwide turnover.
The GDPR also grants data subjects the right to seek judicial remedies against EU data protection authorities, data controllers, and data processors. DPAs, in turn, will be given wide-ranging powers to enforce the GDPR, including the power to impose a ban on data processing. Finally, the GDPR grants the European Data Protection Board (EDPB) the authority to issue opinions, adopt binding decisions on the application of the Regulation, and issue guidelines, recommendations, and best practices.
IMPLICATIONS FOR U.S. BUSINESSES
There are many areas of concern for U.S. companies whose operations are subject in part to the EU data protection regime. For example, questions remain about the feasibility of the GDPR’s emphasis on clear, explicit consent in a regulatory environment where a broad range of data can be considered personal data, including potentially cookies, IP addresses, and the like. Parental consent requirements for children under the age of 16 also may make it substantially more difficult for companies to offer online services to children. Indeed, under the new rules, teenagers under the age of 16 could be banned from social media platforms such as Facebook, Snapchat, Instagram, and others if they do not obtain parental permission. There also are legitimate causes for concern regarding the expansive jurisdictional claims asserted in the GDPR and the punitive penalty structure. Finally, while the limited streamlining of the international data transfer rules may benefit some companies, even under the GDPR the process for transferring personal data out of the EU remains onerous.
Although the final text of the GDPR is settled, opportunities remain for U.S. businesses to influence its implementation. Many of the GDPR’s articles still require further action by the European Commission to adopt “delegated acts” or “implementing acts” to clarify, supplement, or implement provisions of the new regulation. U.S. businesses may influence implementation of the GDPR, and seek pro-business outcomes on issues such as the age of parental consent or penalties, among many others, through engagement with U.S. authorities and industry groups. Timing is key, however, as the window of opportunity may close once implementing provisions are adopted.