
Bess Hinson of Morris, Manning, & Martin (Courtesy photo)

In May, Europe ushered in a new normal for online privacy by enforcing the General Data Protection Regulation (GDPR). Noncompliance penalties at a rate of 4 percent of annual revenue or 20 million euros, whichever is higher, motivated companies worldwide to reevaluate their data privacy and data security programs. Your company may have achieved its strategic compliance goals by the deadline, but the GDPR is the new normal and requires a shift in the corporate mindset and associated budgets.

The GDPR pushed U.S. businesses to roll out global privacy programs. The regulation, along with Facebook’s data-sharing practices, as linked to Cambridge Analytica, inspired statutory innovation in the United States. In June, California passed its own GDPR-esque statute, which global companies must address in order to continue to do business in California. Japan and Argentina have also overhauled their domestic rules to comply with the GDPR, and other countries are likely to follow suit.

The California Consumer Privacy Act, which comes into force on Jan. 1, 2020, defines personal information broadly and grants California residents rights to request from covered entities detailed information about how their information is disclosed, shared and sold. California is the first to provide individuals a right to obtain information about how a business sells consumer data, including the categories of third parties to whom data is sold. California residents will also have rights to object to the sale of their personal information, data portability, data deletion and data access, among others.

If your company turned its attention to the GDPR in the spring of 2018, your legal or compliance department may have completed a data mapping exercise, posted a privacy policy and notified customers about new privacy practices in order to address consumer rights under the regulation. But there is more to do, and complacency may now be the company’s biggest risk.

Routinely update Article 30 documentation

Ensure your internal process permits regular updates upon a change in data flow, data retention or engagement of a new third party vendor who may have access to company data. These documents will permit your company to answer questions from consumers and regulators and to prove public representations concerning data collection practices and uses.

Real-time transparency

As you add new technologies to your business, remain transparent with data subjects about how you use, manage, share and protect their data. When regulators receive a complaint about how data is used or shared, they are likely to first review your public-facing privacy policy. If your privacy policy is not current, consumers or regulators could accuse the company of misrepresentations.

Data subject request management

The company may soon receive its first EU data subject request. Train personnel to recognize a data subject request from all possible sources (e.g., via email or social media message). In order to carry out your response within the 30-day deadline:

(1) draft language for your personnel to use when responding to a data subject’s request, and include the expected timeline for carrying out the request;

(2) designate personnel to perform the required function (e.g., data rectification, data deletion, data portability);

(3) know ahead of time whether you must send a request to a third party service provider, and identify the key contractual provisions and the contact at that provider; and

(4) prepare language certifying that the company has carried out the request, keeping in mind that a regulator may scrutinize the certification.

  • Third party service providers: Your company likely entrusts consumer personal data to business partners. Consider whether your contractual agreements obligate those partners to also comply with the GDPR where they process EU personal data. If not, consult legal counsel on the appropriate data processing addendum to propose to third parties.
  • Third party service provider audits: If you obligated a third party service provider to a data privacy and data security contract addendum, you likely included a right to audit its regulatory functions. Designate personnel within your company who will inspect, test and audit those functions. Determine how often you will request evidence of compliance or an on-site audit in order to fulfill your obligations under the Regulation and your representations to customers and/or consumers.
  • Prepare for enterprise customer requests and audits: If your company provides services, or functions as a data processor, you may be subject to heightened scrutiny by your customers, particularly if you agreed to a data privacy and data security addendum. Most addenda permit customers to request documentation regarding your GDPR compliance and to conduct an on-site audit. Customers may also request a list of your sub-processors or object to certain sub-processors, which requires you to maintain a varied list of suppliers and to prefer sub-processors who can attest to GDPR compliance. Customers will also seek assistance from you in the event of a security incident or data subject request related to data you have processed on the customer’s behalf.

Max Schrems is the Austrian lawyer who won the landmark 2015 European court ruling that invalidated the “safe harbor” agreement under which firms transferred personal data from the EU to the United States. He and his organization, noyb (European Center for Digital Rights), wasted no time in filing complaints against the most visible global tech companies.

The complaints target Google, as the provider of the Android operating system, and Facebook, as well as the Facebook-owned companies Instagram and WhatsApp, for GDPR non-compliance. For instance, noyb alleges that Google’s four bases for lawful processing under Article 6 (consent, legitimate interest, providing a contract and legal obligations) failed to state exactly the legal basis for each specific processing operation and, as a result, failed to inform the user of its bases for processing data as contemplated by Articles 5 and 13 of the Regulation. Noyb further alleges that Google violates the regulation because a data subject must agree to the entire privacy policy and terms, and also because the terms create a “take it or leave it” scenario in which consent is not freely given. Noyb made similar allegations against Facebook, noting that an individual cannot refuse to accept the terms and still read messages on Facebook.

Noyb filed the complaints before regulators in Austria, France, Germany and Belgium. The imposition of fines by any of these regulators based on the complaints could significantly shape expert views on how to draft GDPR-compliant privacy policies and terms and how to offer users choices regarding data collection and use. For example, the regulators’ decisions could instruct companies on how to obtain granular consent, that is, consent specific to a given purpose (e.g., sharing data, using data for advertising, collecting location data), and could force companies to provide consumers with detailed menus of how their data may be used, as well as access to services even when a consumer does not accept all terms contained in a privacy policy.

Finally, no longer expect guidance from the Article 29 Working Party. When the GDPR took effect, the European Data Protection Board (EDPB) replaced the Working Party. On May 25, during its first meeting, the EDPB adopted the final version of the Guidelines on derogations applicable to international transfers (GDPR Article 49) and endorsed guidelines previously issued by the Article 29 Working Party. Any further guidance on the GDPR will be issued by this board.

Bess Hinson is chair of the Cybersecurity & Privacy Practice at Morris, Manning & Martin.