Virtually all U.S. businesses, nonprofit organizations, and other enterprises collect data from their customers or other individuals with whom they interact. All such enterprises should be aware of the European Union’s new General Data Protection Regulation, 2016/679, commonly known as the GDPR,1 which became effective on May 25, 2018.
The GDPR is a regulation under EU law pertaining to privacy and data protection for individuals within the EU and the European Economic Area. It is a sweeping legislative enactment generally considered to be the most far-reaching change in EU data protection law in many years, and possibly the strictest privacy law in the world.
The GDPR also governs the export of personal data outside the EU, and applies to parties – regardless of location – that collect personal data of individuals within the EU.
Because of this, businesses and other enterprises worldwide, and particularly in the U.S., have devoted considerable attention and resources to complying with the GDPR by the May 25 deadline, and still others are continuing to grapple with its requirements.
Applies Outside EU
The primary objective of the GDPR is to enhance the control individuals within the EU have over their personal data, and to simplify the regulatory environment for data collectors as to data privacy by establishing a single set of data privacy rules that apply throughout Europe.
It is noteworthy, however, that the GDPR has important implications for businesses and other enterprises well beyond the EU/EEA. This includes businesses in the United States, in that its provisions apply to enterprises located in the EU that process data of individuals residing in the EU, as well as any enterprise, regardless of location, that holds or processes personal data of an EU resident.2
Accordingly, any U.S. business that has individual EU customers or otherwise holds or processes transactions or data for individuals within the EU is subject to the GDPR’s requirements and its rigorous enforcement provisions.
Express Consent Required
For many businesses, the GDPR will change how data collectors approach the notion of data security, as evidenced by its requirement that an EU individual’s data, first, be stored only on systems designed and developed with a specific view toward data protection and, second, that such systems employ privacy settings set by default at the highest possible level of protection (these concepts being referred to in the GDPR as data protection “by design” and “by default,” respectively).3
The underlying notion is that an individual’s data are not to be publicly available (and cannot be used to identify the subject absent additional, separately stored information) without the express, opt-in consent of the individual data subject.4
Unless the individual has provided such express consent (rather than just a tacit failure to object) to the processing of his or her data for one or more specifically-stated purposes, the individual’s data may not be processed unless there is a specified legal basis for such processing and the purpose(s) of such data processing is disclosed to the individual.5 The data collector must be able to prove that it obtained such express consent from the data subject, who may revoke such consent at any time.6
Key GDPR Concepts
Although an exhaustive explanation of the GDPR is beyond the scope of this post, the following is a summary of some of its key concepts.
The GDPR Applies to Personal Data
The GDPR applies to the processing of “personal data” or any information relating to an “identifiable natural person”7 – that is, an individual who can be identified, directly or indirectly, by reference not just to common identifiers such as name, home address, telephone number, a photograph, or an email address, but also by less obvious identifiers such as bank or medical information, social networking posts, IP addresses, or any other data pertaining to location or to the physical, physiological, genetic, mental, economic, cultural, or social identity of such individual.8
These identifiers are considered to be personal data even if on their face they do not identify an individual, as long as they can be (or are capable of being) traced back to the subject individual without undue effort. It does not matter whether the individual’s personal data pertains to his or her personal or work-related capacities; if the data falls within the scope of “personal data,” whether it is personal, work-related, or otherwise, it is subject to GDPR regulation.
It should be noted, however, that the GDPR does not apply to processing data “for a purely personal or household activity and thus with no connection to a professional or commercial activity.”9
Controllers and Processors
The GDPR directs most of its requirements toward “data controllers” (businesses or organizations that collect the data) and “data processors” (organizations that process data on behalf of a data controller, such as a third-party software or other service that a business may use to process data on its behalf).10
Data controllers are required under the GDPR to utilize only those data processors that provide sufficient assurances that they will implement appropriate technical and organizational measures to meet the GDPR’s requirements and protect the rights of individual data subjects.11
Both data controllers and data processors are required to implement programs to assure compliance and be able to demonstrate such compliance to data subjects and regulatory authorities.12
Overall, the GDPR calls for a risk-based approach, that is, the utilization of controls which correspond to the degree of risk associated with the data processing activities. To this end, businesses that are data controllers must, for instance, put in place procedures to prevent data from being processed unless necessary for a specified purpose.13
Further, such businesses must incorporate technological and organizational measures appropriate to the nature of the business to ensure the protection of individuals’ personal data,14 including:
- pseudonymization and/or encryption of data so that it cannot be attributed to an individual without the use of additional information;
- restoring the availability of data in a timely manner in the event of a loss of data; and
- regularly testing and evaluating the effectiveness of security measures.
Data controllers must maintain records of their processing activities, although there is an exclusion for small businesses (fewer than 250 employees) where data processing is not a significant risk.15
Additionally, controller/processor relationships must be documented and managed with contracts that specifically set forth the parties’ privacy and data protection obligations.
Data Protection Officers
Businesses that are data controllers or data processors are required under the GDPR to appoint a “data protection officer” if their essential activities involve, on a large scale, regular monitoring of personal data or processing of sensitive data.16
A data protection officer must have IT processing, data security, and business continuity competence in personal data processing.
Lawful Basis for Processing of Personal Data
Unless a subject individual has provided express, affirmative consent to the processing of his or her personal data for one or more stated purposes, such data may not be processed unless there is at least one specified legal basis to do so.17
If the individual’s consent has not been obtained, the subject’s personal data may be processed only:
- to comply with a legal obligation;
- to perform a contract with the data subject;
- to protect vital interests of the data subject when he or she is unable to give consent;
- for the performance of a task carried out in the public interest or the exercise of official authority; or
- for the purposes of legitimate interests of the data controller or a third party (but subject to certain fundamental rights and freedoms).18
If the data subject’s consent is the basis for the processing of his or her data, such consent must consist of:
“any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her.”19
That is, such consent must be explicit for the data collected and for each purpose that the data are used, so that the controller can clearly show when and how the consent was obtained.
Accordingly, the purpose(s) for which the individual’s data will be collected and used must be clearly and expressly disclosed to the data subject, so that it is obvious what the data are going to be used for.
Consent must be demonstrable and freely given. A controller cannot require the disclosure of data as a prerequisite or condition of, for instance, the provision of services or the performance of a contract.20
Additionally, the data subject must be allowed to revoke consent in a manner no more burdensome than the manner in which consent was given.21
Information Provided at Data Collection
Individual data subjects have enhanced rights under the GDPR to access and obtain copies of their data, as well as rights to require rectification or erasure of their personal data, to restrict further processing, and to lodge a complaint with a supervisory authority.22
Individuals must be informed of these rights and, in addition, they must be given information about how their data will be processed.23
Breach and Notification
In the event of a breach of security of an individual’s data in the hands of a data controller that gives rise to the destruction, loss, or unauthorized disclosure of such individual’s data, the data controller must notify the appropriate supervisory authority “without undue delay,” and “where feasible,” within 72 hours after having become aware of such breach.24 If such notification is not made within 72 hours, the data controller must provide a “reasoned justification” for the delay.25
Such notice is not required if the data breach is “unlikely to result in a risk for the rights and freedoms” of subject individuals,26 although how this exception is to be interpreted will likely require future clarification.
If the data controller determines that a personal data breach “is likely to result in a high risk to the rights and freedoms” of subject individuals, it must – subject to certain exceptions – also notify the individuals affected by the data breach “without undue delay.”27
In the event of a data breach by a data processor, it must notify the data controller,28 but the GDPR does not otherwise impose any other notification or reporting obligation on the data processor.
Fines and Enforcement
Businesses should note that, for GDPR violations, the GDPR provides for liability, including fines, for both data controllers and data processors as well as remedies for data subjects.
Regulators may impose penalties equal to the greater of €10 million or 2 percent of the violator's worldwide revenue, for violations of record-keeping, security, and breach notification requirements.29
Violations of obligations related to legal basis for processing, consent requirements, data subject rights, and cross-border data transfers are subject to penalties up to the greater of €20 million or 4 percent of the violator's worldwide revenue.30 EU member states may impose additional penalties, which may include criminal penalties.31
Data subjects have the right to make complaints with “data protection authorities” maintained by EU member states, as well as to initiate judicial proceedings.32
Additionally, data controllers and processors can be held responsible to compensate affected data subjects for damages resulting from a GDPR violation.33
Considerations and Recommendations
Although many U.S. businesses may be tempted to disregard the GDPR as a non-U.S. regulation relevant only to large multinational corporations, this approach could do great harm to such an enterprise if it has European customers or otherwise collects data from European individuals.
No matter the size or nature of the business, if it collects any kind of personal data on EU residents, it is very likely subject to the GDPR and its requirements.
Given the substantial monetary and other penalties for noncompliance, businesses of all sizes should clearly understand whether and how the GDPR applies to them, and establish a game plan for GDPR compliance as necessary.
Establishing a Game Plan for GDPR Compliance
Businesses and their legal advisers should start by assessing the extent to which they have EU customers and/or collect data from EU residents, and acknowledging that they may have to alter current data handling procedures in light of the GDPR.
This assessment should include a review of the types of personal data the business collects and holds, what the data are used for, and whether the business is collecting more information than is reasonably necessary for its legitimate business purposes.
Further, businesses should assess the documents (whether in written or electronic format) they require customers to sign when purchasing or obtaining products or services. It is likely that such documents may need revision in light of GDPR requirements, to ensure that customers know how the business is processing their data and why. This may include development and implementation of new processes for obtaining and verifying express (rather than tacit) customer consent to data collection, and for the transfer and deletion of such data when requested.
Given the GDPR’s reach well beyond the boundaries of the European Union, and the substantial fines and other sanctions that can arise for GDPR violations, businesses and other enterprises collecting data from EU residents are well advised to have a clear understanding of the GDPR and its applicability to their operations.
For more information on the GDPR, see Keith Byron Daniels's article, New European Privacy Law: Its Effect on Wisconsin Lawyers, in the July/August 2018 issue of Wisconsin Lawyer magazine.
1 The GDPR is formally known as “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”
2 GDPR, Article 3(3).
3 GDPR, Article 25 (Data protection by design and default).
4 GDPR, Article 6(1)(a).
5 GDPR, Article 6(1)(b)-(f).
6 GDPR, Article 7(3).
7 GDPR, Article 4(1).
8 GDPR, Article 4(1).
9 GDPR, Article 2(2)(c).
10 GDPR, Article 24 (Responsibility of the controller) and Article 28 (Processor).
11 GDPR, Article 24(1).
12 GDPR, Articles 24, 28.
13 GDPR, Article 24(1).
14 GDPR, Article 24 (Responsibility of the controller); Article 40 (Codes of conduct).
15 GDPR, Article 30(1), (5).
16 GDPR, Article 37 (Designation of the data protection officer).
17 GDPR, Article 6 (Lawfulness of processing).
18 See Footnote 5, above.
19 GDPR, Article 4(11).
20 GDPR, Article 7 (Conditions for consent).
21 GDPR, Article 7(3).
22 GDPR, Article 15 (Right of access by the data subject).
23 GDPR, Article 7(2).
24 GDPR, Article 33(1); GDPR, Recital 85 (Notification obligation of breaches to the supervisory authority).
25 GDPR, Article 33(2).
26 GDPR, Article 33(1).
27 GDPR, Article 34(1) and (3); GDPR, Recital 86.
28 GDPR, Article 33(2).
29 GDPR, Article 83(4).
30 GDPR, Article 83(5).
31 GDPR, Article 84 (Penalties); GDPR, Recital 149 (Penalties for infringements of national rules).
32 GDPR, Article 77(1).
33 GDPR, Article 82 (Right to compensation and liability).