Effective as of May 25, 2018, the European Union’s General Data Protection Regulation (“GDPR”) imposes strict regulations on the way companies collect, record, organize, store or disclose (collectively, “process”) certain personally identifiable information (“Personal Information”) that is received in the US from the European Economic Area (“EEA”). Any business that provides goods or services, regardless of whether there is a payment for such goods or services and regardless of where such business is geographically located, and that collects Personal Information of an EU resident who is physically located in the EU at the time of collection, must be GDPR compliant. Collection of information relating to an EU citizen who is outside of the EU when the Personal Information is collected does not subject a business to GDPR. Listed below are GDPR’s major initiatives that data processors—including American companies—should be particularly mindful of when adhering to the new legislation:
Consent
In order to process Personal Information, the collector must obtain valid consent. To be valid under GDPR, consent must be freely given, specific, informed and unambiguous. Consent may not be made a precondition of using the website or services. If the user is asked to sign or assent to a written declaration, its terms must be in clear and plain language and easily accessible. Further, the user must have the right to withdraw consent at any time.
Notification of Data Breach
Data processors must report data breaches to a supervisory authority within 72 hours of learning of the breach. The report must state what data was impacted, the likely consequences of the breach and how the issue will be addressed moving forward.
Access and the Right to be Forgotten
EU residents may have the right to request a copy of the personal data a data processor holds about them. Additionally, EU residents can request that their data be deleted without undue delay if one of the grounds listed in Article 17 applies. These grounds include, but are not limited to: the personal data are no longer necessary in relation to the purposes for which they were processed; consent to process the data was not initially provided; the personal data were unlawfully processed; or the data processor has no legitimate grounds for processing the data. Further, in some cases, companies may be obligated to take steps to have third parties or other processors erase the data as well.
Third Parties and Parties
If a company transfers Personal Data to third-party agents or service providers, or if its website, mobile application or service uses plug-ins or connects to any third-party services, those third parties must be GDPR compliant. Under certain circumstances, a company may remain liable for the acts of its third-party agents or service providers in their handling of EEA Personal Data that the company transfers to them.
Data Protection Officer
Certain data processors will need to appoint a Data Protection Officer (“DPO”) if they are a public body or if they monitor certain data subjects on a large scale, which can include tracking user behavior. DPOs must advise data processors and their employees of their obligations under GDPR and must understand the inherent risks associated with data processing operations. Further, they must maintain expertise in the protection of personal data, be reachable by data users, fully cooperate with the supervisory authority and have the necessary resources to carry out the job.
The Children’s Online Privacy Protection Rule (“COPPA”) imposes requirements on websites that collect information from children under 13 years of age. COPPA specifically requires that parental consent be given for the collection or use of any personal information from children under the age of 13. Consent can be obtained through many methods, such as a personal video conference, postal mail or an electronic signature via email. Similarly, GDPR has an expanded requirement whereby parental consent is necessary to collect personal information from children up to age 16. However, member states may provide by their own law for a lower age, as long as that age is not lower than 13. The controller of the online service or site is also required to make viable efforts to obtain parental consent.
The consequences of GDPR non-compliance can be significant, with financial penalties of up to the greater of 20 million Euros or 4% of the company’s revenues.
Fortunately, the European Commission and the US Department of Commerce have reached an agreement on a framework for transfers of Personal Information from the European Union to the United States. The EU-US Privacy Shield does not guarantee GDPR compliance, but it does provide a framework to facilitate transfers that would otherwise not be permitted under applicable EU law. The EU-US Privacy Shield is voluntary and is not a requirement of GDPR compliance.
It is vital for every US business that is or may be collecting data in European markets to understand and address GDPR compliance—and ensure all of its employees are engaged participants in the compliance strategy. Only time will tell how strict regulators will be, but knowledge of your data, where it is going, and what is required will equip companies to navigate the new and significant EU regulations.