A recent Facebook commercial talks about how great Facebook was when it first came into our lives. It then talks about how bad Facebook became recently (“fake news,” “spam,” and “data misuse”). It ends with Facebook promising to do more. It promises Facebook will do more to “protect your privacy.” Although Facebook is one of the most recognizable organizations embroiled in a personal data misuse controversy, it is not the first one and will not be the last one.
As information technology has advanced, it seems every industry has found a way to incorporate the collection and use of personal data from users and consumers, from advertising to health care. In the process, some collect and use personal data openly while some do so not so openly. The European Union (EU) has historically been more concerned about this practice than the United States, and so not surprisingly, the latest new regulation relating to personal data comes from across the pond.
What Is the GDPR?
In January 2012, the European Commission released the proposal for what would become the General Data Protection Regulation (GDPR). The GDPR is a regulation on data protection and data privacy for all individuals within the EU. It applies to anyone who handles the personal data of people in the EU, regardless of where that person or organization is located. It became effective on May 25, 2018. As of that date, any American company must comply with the GDPR if it does business with EU member states or their residents. Although the GDPR is already in effect, many American companies that do business in the EU or provide services to residents of the EU are still trying to figure out what this regulation is and how it affects them. As legal professionals, our clients have been turning to us for answers, but even lawyers are unsure of what to make of the GDPR. One thing is clear: this regulation will have a huge impact on American businesses.
As discussed below in more detail, the GDPR’s main objective is to give EU residents control over their personal data by requiring anyone who handles that data to protect it. The GDPR defines three primary roles: the data subject, the data controller, and the data processor. The data subject is the traditional consumer or user. The data controller is what we think of as the company offering products or services to the data subject; it is called the controller because it determines why and how the personal data is collected and processed. The data processor can be an individual or team within the company or a separate entity that the controller has contracted to manage or process the controller’s data (the most straightforward example being a cloud service or something similar). Many private companies with a customer or user base in the EU will also be required to appoint a data protection officer (DPO), who advises the controller and processor on their GDPR obligations, monitors compliance, and serves as the contact point for supervisory authorities.
What Is the Purpose of the GDPR?
The primary purpose of the regulation is to create and protect personal data rights for every natural person in the EU, beginning with a strong stance on consent. A person’s consent under the GDPR must be explicit, freely given, specific, informed and unambiguous. In a departure from many of our experiences with privacy policies, the GDPR also gives data subjects the right to object and the right to withdraw consent. Unless the personal data in question is necessary to provide the service or good, a data subject may object to its processing without losing the ability to use that service or good. This is a significant departure from the practice of many American companies (the data controllers), which simply refuse to provide their services to people who do not consent. The data subject may also change their mind at any time and withdraw consent, after which the controller may no longer collect or store their personal data on that basis.
Other rights are enumerated throughout the text of the regulation itself and include the right to transparent information, the right to access, the right to rectification, the right to erasure (sometimes called “the right to be forgotten,” referring to an earlier iteration of the provision), the right to restrict processing, and the right to data portability in addition to the right to object.
The right to transparency is the right of a data subject to receive clear and easily accessible answers about how their data is processed. The right to access is the right of the data subject to obtain whatever personal data has been processed or stored by a data processor or controller. The right to rectification is the right of the data subject to have inaccurate or incomplete personal data corrected or completed. The right to erasure, or the right to be forgotten, is the right of the data subject to have their personal data erased by the controller in certain situations (e.g., when the personal data are no longer necessary for the purposes for which they were collected). Finally, the right to portability is the right to receive requested data in a machine-readable format and, if the data subject chooses, to transmit that data to a different controller.
Does the GDPR Affect Me?
Yes, if you are doing business with the EU. More specifically, there are two categories of American companies that must comply with the GDPR: companies with a presence in the EU, and companies not located in the EU that offer products or services to EU residents or monitor their behavior. The second category is the one most likely to apply to you, and it applies even if you sell nothing to EU residents but monitor their behavior (for example, by tracking visitors to a website). In other words, the GDPR applies not only to companies based in the EU that control or process personal data, but to any entity that processes the personal data of EU residents. If you process or control any such data, the GDPR affects you.
How Do You Comply With the GDPR?
The flip side of creating rights for individuals is that the GDPR also creates many obligations. The burden on the data subject is reduced, but DPOs, controllers, processors, and regulators have all received their share of new responsibilities. The specific obligations created concern consent, data protection, record keeping, notification of breaches, and response to data requests and complaints.
Tech giants Facebook and Google both faced complaints filed with EU regulators before most of us had our first cup of coffee on May 25. The regulation provides for fines as high as 4 percent of a company’s global annual revenue or 20 million euros, whichever is greater, for failure to comply with some of the GDPR’s provisions. To put the significance of the sanctions into context, consider Apple’s 2017 annual revenue of about $230 billion. At 4 percent, a hypothetical maximum fine for Apple would be close to $10 billion.
It seems obvious that most companies have no choice but to comply with the GDPR. But this is easier said than done: even after having two years to work out the kinks, many entities remain concerned about the regulation’s lack of specificity. Notably, the regulation raises the age-old legal quandary of how to define “reasonable.” Many provisions require reasonable steps to be taken to avoid fines or other sanctions, but the regulation does not spell out which steps are reasonable and which are not. In many areas of law, that question can only be answered through case law, which does not yet exist for the GDPR.
What Has the Compliance Deadline Meant So Far?
Regulators have their own concerns, too, though again not enough time has passed to know whether they will come to pass. Some regulators feared that the compliance deadline would bring a deluge of complaints they would not have the bandwidth to handle. Essentially, the worry was that because so many companies were not compliant, many users would submit complaints to regulators, who in turn would lack the manpower to respond adequately.
If you do any business with EU residents, it is likely that you must comply with the GDPR. A good starting point is to appoint a data protection officer (DPO), particularly if the regulation requires your company to have one. Entities would also be well served by taking another look at their contracts with clients or consumers, vendors, and processors where applicable. The GDPR requires a new level of explicitness and unprecedented communication between data subjects and data controllers. You should also consider speaking with lawyers who have expertise in GDPR compliance.
Edward T. Kang is the managing member of Kang, Haggerty & Fetbroyt. He devotes the majority of his practice to business litigation and other litigation involving business entities.