The new European General Data Protection Regulation (GDPR) will go into effect on May 25, 2018, and will grant individuals in Europe broad, never-before-recognized data privacy rights.
The consequences for companies violating the GDPR could be financially devastating: the maximum fine for non-compliance is 20 million Euros or 4 percent of a company’s worldwide annual turnover for the preceding financial year, whichever is higher. It will be important for companies worldwide to determine well in advance of the effective date whether they will be subject to the GDPR, because the preparation necessary to ensure compliance can be extensive. This article provides insight into the GDPR’s jurisdictional reach and its compliance requirements.
The GDPR has an almost unlimited territorial scope that could cause serious headaches for many American companies that might not realize they will be subject to its provisions once it takes effect. This issue is compounded by the fact that Europe defines personal data far more broadly than most Americans are accustomed to. Transferring data to and from Europe is crucial for many companies, and the GDPR’s wide reach may even affect companies that do not directly use the data of Europeans for profit.
Additionally, the GDPR has the potential to reach American or other foreign parent companies with subsidiaries that are subject to the GDPR, which could significantly amplify a penalty calculated as 4 percent of worldwide annual turnover. Although the GDPR will not go into effect until 2018, many non-European companies will soon find themselves scrambling to avoid severe fines if they delay preparing for it. European companies have a head start: they have been operating under a similar privacy directive since 1995, and they have had notice of how the forthcoming changes will affect them (the first iteration of the GDPR was proposed in January 2012 and underwent thousands of proposed amendments before its adoption by the European Parliament on April 14, 2016).
European regulators have structured the GDPR to capture organizations that have an “establishment” in the EU. The Court of Justice of the EU has previously explained that “establishment” is a broad and flexible concept, and that an organization can become “established” through surprisingly minimal activity. The presence of even a single representative in an EU member state can suffice as an “establishment.” Thus, a company need not have an office in Europe to be “established” there under the GDPR.
Companies that escape classification as “established” can still be subject to the GDPR. The GDPR also applies to organizations that are not “established” in the EU but that process the personal data of individuals who are in the EU in connection with either the “offering of goods or services” to them or the “monitoring” of their behavior within the EU. Citizenship is not the test; what matters is that the data subject is in the EU. To qualify as “offering goods or services,” an organization need merely “envisage” that its activities will be directed to EU data subjects. As for “monitoring,” the GDPR’s recitals explain that it specifically encompasses tracking or profiling of EU data subjects, especially when the data is used to analyze or predict the subjects’ personal preferences, behaviors, and attitudes.
“Establishment” is also important because it will largely determine which member state’s Data Protection Authority (DPA) will be the lead authority policing an organization’s compliance with the GDPR. Under the GDPR, the initial presumption is that a company answers to the DPA of the member state in which it has its “main establishment” in the EU. This presumption can be rebutted in favor of the place where the decisions regarding data processing are actually made. If an organization is not “established” in the EU at all, this “one-stop-shop” mechanism does not apply: each member state’s DPA remains competent for processing that affects data subjects in its territory, and the organization must designate a representative in the EU.
The GDPR’s obligations attach to the “processing” of personal data and to the “controller” of that processing, and both terms are fairly all-encompassing. “Processing” is defined as:
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organi[s]ation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
A “controller” “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data . . .” Thus, merely collecting personal data is “processing,” and the entity that collects it is a “controller” if it also determines the purpose for which the data is collected. (A “processor,” by contrast, is a separate role under the GDPR: an entity that processes personal data on behalf of a controller.) In the notorious Google matter that resulted in the grant to EU citizens of the “Right to be Forgotten,” the Court of Justice of the EU determined that Google “collects,” “retrieves,” “records,” “organizes,” “stores,” “discloses,” and “makes available” personal data by merely providing search results, even though that personal data had “already been published on the internet and [was] not altered by the search engine.” With respect to being a “controller,” the Court further stated that “it would be contrary not only to the clear wording of [the provision of the directive to be replaced by the GDPR] but also to its objective . . . to exclude the operator of a search engine from that definition on the ground that it does not exercise control over the personal data published on the web pages of third parties.”
Once under the jurisdiction of the GDPR, a company must comply with the GDPR’s many privacy requirements, including the requirement to provide notice to, and obtain a lawful basis such as consent from, any natural person in the EU (referred to as a “data subject” in the GDPR) before collecting that person’s personal data. Consent must be freely given and signaled by a clear affirmative act; silence, inactivity, or a pre-checked box does not count, and data subjects must be able to refuse or later withdraw consent without detriment. Where personal data is used for direct marketing, data subjects must also be given a right to object, a right that must be explicitly brought to their attention. In many circumstances, companies must also provide an individual, upon request, with a copy of all the personal data they hold about that individual. Additionally, data subjects have a “Right to Erasure” of personal data that is no longer necessary for the purpose for which it was collected; in some cases this right obliges a company that has made the data public to take reasonable steps to inform third parties that erasure has been requested. Furthermore, the GDPR places an onerous burden on companies to demonstrate compliance and accountability.
It is apparent that the GDPR is much stricter than U.S. data privacy laws. While U.S. data privacy laws protect personally identifiable information, the type of information covered is defined somewhat narrowly. Generally, it must directly identify an individual. For example, a social security number would be personally identifiable information, whereas an email address may not be. In contrast, the GDPR defines personal data very broadly to include any data that relates to a person who can be identified, directly or indirectly, even if the data on its own does not name that person. (Truly anonymous data, which cannot be linked back to an individual by any reasonably likely means, falls outside the GDPR.) The GDPR defines “Personal Data” as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Thus, while it would be difficult to identify most people solely by, for example, where they went for a bike ride, such location data may still fall under this definition once it can be linked to an identifiable person. In addition to covering the obvious collection of data by advertisers, analytics companies, and social media platforms, the regulation may apply to others who collect what would be deemed “personal data” of EU “data subjects” in the ordinary course of business. For instance, a company would technically be collecting personal data by merely keeping the contact information of European counsel, sub-contractors, vendors, and business contacts.
The field of fitness wearables provides one illustration of how American companies are already having problems with Europe’s position on data privacy. The Norwegian Consumer Council (“NCC”) filed a complaint against the manufacturers of several wearable devices, alleging that they were violating Norwegian consumers’ consumer-protection and privacy rights. The NCC specifically pointed out that these companies needed to make significant changes to “be ready for the [GDPR]” and that their current policies “call for an overhaul of the way that fitness trackers treat consumers’ data.” The NCC outlined many shortcomings, including a lack of notice and transparency about the data being collected, unnecessary data collection, and a failure to explain which companies the data was shared with and what those third parties’ data retention policies were. Additionally, the NCC classified the data collected by fitness wearables as “health data,” which the GDPR treats as a special category of sensitive personal data subject to much stricter rules than ordinary personal data.
Companies in many other industries that depend on collecting or using personal data may find themselves in need of an overhaul if they wish to remain active in the EU. The GDPR unquestionably takes aim at companies that wish to profit from the data of individuals in the EU, especially in the context of data mining and targeted advertising. In addition to updating data protection rules that were written when floppy disks were prevalent, the European Commission has stated that its motivation for the GDPR was the perceived lack of privacy and control individuals have over their personal information and data.
Many companies currently build their pricing models on the assumption that they can collect and use certain data from their customers. Even companies that do not collect data for commercial purposes may find themselves labeled “processors” and/or “controllers” under the GDPR’s broad definitions. Thus, companies with customers or contacts in Europe will want to take a close look at the GDPR to decide how they are going to adapt their business models to address these brand-new rights. No one knows whether the EU data privacy rights will become the new worldwide standard, or whether they will prove to be the flash-in-the-pan result of one-time legislation.
Regardless, it is clear that the intent of the GDPR is to force companies to change their attitudes toward personal data. The heavy-handed approach of the GDPR will provide many opportunities for counsel to find creative legal solutions for complying with its burdensome requirements and avoiding crippling fines.
Benjamin Anger is a partner at Knobbe, Martens, Olson & Bear. His practice is primarily focused on patent litigation, and he has deep experience in pharmaceutical and medical device litigation.

Clayton Henson is an associate in the firm’s San Diego office and practices intellectual property law with an emphasis on patent litigation.