How The European Union’s New General Data Protection Regulation Will Impact U.S. Businesses that Target EU ConsumersNovember 2017
The European Union’s new General Data Protection Regulation (GDPR), which takes effect on May 28, 2018, impacts every business that markets and sells goods or services to EU residents online, even if the company has no physical presence within the EU. The GDPR imposes extensive obligations on any U.S. business, including small and medium-sized enterprises (SMEs), which directly or indirectly collects or processes EU consumers’ personal data. Economic penalties for non-compliance can be severe.
This includes any U.S. business that targets EU consumers directly or through third parties (such as marketing firms), including e-commerce companies; hotels, resorts and travel agencies; and museums, art fairs and galleries that have EU clients and mailing lists.
How should you prepare? In this alert, our Information Governance team compares GDPR to the EU-U.S. Privacy Shield framework it replaces; and outlines ten of GDPR’s key provisions for U.S. businesses.
Background on the Privacy Shield Framework
In 2015, the Court of Justice of the European Union invalidated a longstanding EU-U.S. data privacy “safe harbor” agreement because EU residents weren’t afforded the same level of protection they were under EU law. Subsequently in mid-2016, the U.S. Department of Commerce launched the EU-U.S. Privacy Shield Framework, which provides an interim safe harbor for U.S. businesses.
To participate, businesses must be subject to Department of Transportation or Federal Trade Commission oversight – something that already applies to most consumer-facing e-commerce websites and social media platforms – and must certify that their data retention and processing policies comply with EU laws. More than 2,500 businesses are Privacy Shield certified; however, complying with Privacy Shield’s requirements can be burdensome, especially for SMEs.
GDPR’s Privacy and Security Obligations for U.S. Businesses
The GDPR will substantially increase privacy and security obligations with respect to EU resident data transfers, along with potentially draconian penalties well beyond those of the Privacy Shield. Under GDPR, “personal data” is very broadly defined to include a person’s name, address, phone and email, as well as their economic, social, cultural, genetic and mental characteristics. Here are ten of GDPR’s key provisions, culled from the entire 99-page regulation:
- EU individuals from whom personal data is collected (such as in connection with a hotel booking or e-commerce sale) must be provided with detailed disclosures, including the following:
- the identity and contact details of the company and its data protection officer;
- the purpose for processing their personal data, as well as the legal basis for processing;
- the recipients or categories of recipients of their personal data, if any;
- the period for which their personal data will be stored, or if that’s not possible, the criteria used to determine that period;
- the existence of their right to access, port, amend or erase their personal data; or their right to restrict or object to data processing,
- in authorized situations, the right to withdraw consent at any time, without affecting the lawfulness of any data processing that occurred before they withdrew their consent;
- the right to lodge a complaint with a supervisory authority (see below);
- the right to know whether the provision of their personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; and to know whether they’re obliged to provide it, as well as the possible consequences of not providing it;
- the right to know if automated decision-making and profiling tools are being used to analyze or predict their work performance, personal preferences, reliability, behavior, health, location or movement. In cases where these tools can affect their legal rights, meaningful information must also be included about the logic behind using the tools, as well as the significance and envisaged consequences of such data processing; and
- if the company intends to further process their data for a purpose other than why it was collected, a third-party processor (called a “controller”), shall provide the different purpose and any relevant information prior to processing.
- Where personal data is collected based on consent, the company must be able to demonstrate that the consumer has consented to processing his or her data. Processing is defined as any use of personal data once collected, and it can only occur when a business has a legal basis or “good reason” to do so. This would include obtaining prior consent of individuals from whom the data is derived (such as collecting necessary data to complete an e-commerce purchase), the need to enter into a contract (such as an online license agreement or subscription), or compliance with legal obligations.
- Companies must implement appropriate technical and organizational measures to ensure that, by default, only personal data that is necessary for each specific purpose is processed. This applies to the amount of data collected, the extent of its processing, and the period of storage and accessibility.
- EU residents have a right to be forgotten. This includes a right to have all of their personal data deleted “without undue delay.” Companies must also delete data
“without undue delay” when it’s no longer necessary for the reason it was collected or processed. This is subject to limited exceptions, including exercising the right of freedom of expression and information, compliance with a legal obligation (currently limited to EU or EU member states’ laws), performance of a task carried out in the public interest; and archiving for scientific, historical research, statistical or public interest, purposes. The company must also take “reasonable steps, including technical measures,” to inform controllers that the consumer has requested they erase any links to, or copies of the data. This will require potentially costly changes to a company’s IT infrastructure to segregate EU consumer data from U.S. and other unregulated data, and to implement search and recovery tools to access and completely delete all such data on a consumer-by-consumer basis. This could also impose additional liability where controllers retained by a company are not notified of the removal request.
- EU residents have the right to obtain copies of all data collected about them, and to require companies to correct any errors.
- All personal data must be deleted once a business transaction is completed. However, there is an exception that permits data to be used for a purpose other than which it was originally collected, if the other purpose is not “incompatible” with the original purpose.
- Strict data breach rules are imposed. They include a requirement to notify the “supervisory authority” to be designated by each EU member country within 72 hours of a breach affecting residents of such country. Note that 48 U.S. states already have similar notification laws, but they do not apply to EU residents.
- EU residents whose rights are violated may file complaints with a designated “supervisory authority” and will have a direct cause of action against non-compliant companies. Initially, that action will be reviewed by the “supervising authority” in the EU country where the person lives or works, followed by a judicial appeal to courts in the same EU country if the person is unsatisfied. How this will enforced against U.S. businesses is not yet clear, but it could subject businesses to liability before EU tribunals and courts. The FTC may also be empowered to enforce non-compliance based on misrepresentations on a company’s website.
- EU regulators and courts will have significant discretion to impose severe fines. Businesses can be fined a maximum or 4% of their annual global revenue, or €20 million (whichever is greater), for failing to obtain consent to collect and process data, for ignoring consumer requests to delete and port their data, or for transferring personal data outside the EU without appropriate safeguards. For lesser violations, including a failure to maintain records of customer consent or a failure to provide timely notice of a data breach, the maximum fine is 2% percent of annual global revenue, or €10 million (whichever is greater). Fines will be assessed based on a number of factors, including willfulness of a violation, gravity and duration of the violation, any mitigation undertaken by the company or its data processors, prior violations, degree of cooperation with supervising authorities, and adherence to codes of conduct to be established by EU member states.
- EU regulators will have additional enforcement power to order remediation and suspend data transfers to the U.S. If U.S. companies use third party data processors or providers based in the EU, this could shut down such operations if there are serious violations.
GDPR’s Impact on U.S. Businesses
How all of this will be enforced in the U.S. is yet unknown. The U.S. Department of Commerce and the FTC may reach an agreement with EU regulators on a new safe harbor, as they did with the Privacy Shield. Indeed, the GDPR directs EU authorities to develop international cooperation mechanisms to support the reach of extraterritorial enforcement.
As the May 28, 2018 implementation date approaches, U.S. businesses that do business with EU residents will have to address a wide variety of business and legal concerns, including reviewing and updating their privacy and data security policies and protocols, monitoring U.S. agency compliance and enforcement initiatives, educating employees on GDPR’s requirements; and auditing and revising contracts involving data collection, storage, processing and marketing vendors.
For more information contact:
Ronald J. Levine at +1 212 592 1424 or [email protected]
Barry Werbin at +1 212 592 1418 or [email protected]
© 2017 Herrick, Feinstein LLP. This alert is provided by Herrick, Feinstein LLP to keep its clients and other interested parties informed of current legal developments that may affect or otherwise be of interest to them. The information is not intended as legal advice or legal opinion and should not be construed as such.