The European Union General Data Protection Regulation Will Affect Companies in the United States and Canada. Many Still Aren’t Ready to Comply
On May 25, 2018, the European Union member states will begin to enforce the General Data Protection Regulation (GDPR). The GDPR imposes sweeping data privacy, access, consent, transfer, processing and storage requirements on companies that offer goods or services to, or monitor the behavior of, people residing in the EU at the time the data is collected, whether or not the companies are located in the EU. The GDPR governs all aspects of the collection, use and processing of personal data. Personal data is any information related to a person or that can be used to directly or indirectly identify the person. Regulated information includes email addresses, banking information, medical information, IP addresses, photos and posts on social media.
The penalties for non-compliance are severe. A tiered system categorizes the severity of violations and corresponding fines up to a maximum of four percent of a company’s global annual turnover or twenty million euros, whichever is greater. Yet despite the global impact of the regulations and the severity of the penalties for non-compliance, some estimates indicate that less than half the companies in the United States and Canada that are subject to the GDPR are prepared to comply.
The regulations governing privacy notices will be among the most significant for many companies. The GDPR requires that companies provide privacy notices to the individuals whose data is being collected (referred to as “data subjects”). The notices must contain the following information:
- The identity and the contact details of the company’s data protection officer (where applicable);
- The purposes for processing the personal data as well as the legal basis for the processing, including the legitimate interests pursued by the company;
- The recipients or categories of recipients of the personal data, if any;
- The fact that the controller intends to transfer personal data to a third country and how it will ensure adequacy of protection;
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- The existence of the right to request from the company access to and correction or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- Where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- The right to lodge a complaint with a supervisory authority;
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- The existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Some uses of data under the GDPR will require consent from data subjects that goes far beyond the requirements of state or federal statutes in the United States or the Personal Information Protection and Electronic Documents Act in Canada.
- If consent is given in the context of disclosures that also concern other matters, like a website’s general terms and conditions, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of the consent that does not comply will not be binding.
- A data subject has the right to withdraw consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before the withdrawal. It must be as easy to withdraw consent as to give it.
- To determine whether consent was freely given, consideration will be made of whether the goods or services could be obtained without agreeing to the processing of personal data that is not necessary for the performance of the contract.
In addition, companies governed by the regulation must provide mechanisms for enforcement of “Data Subject Rights”, which include the rights to:
- Correct inaccurate data;
- Erase data (the “right to be forgotten”) under certain circumstances, including that the data is no longer necessary for the purpose for which it was collected or the data subject withdraws consent;
- Restrict processing to verify accuracy of data;
- Data portability – companies have to give data subjects their data in a format which the individual can take to another company;
- Object where processing is based on public interests or legitimate interests or for direct marketing.
There are a number of other aspects of the GDPR that will present challenges to the companies that fall within the regulation. For instance, the GDPR: (1) requires that data breaches which may pose a risk to individuals be reported to the governing authority within 72 hours and to affected individuals without undue delay; (2) contains requirements regulating how data is processed and transferred; (3) requires that organizations maintain documentation to demonstrate compliance with the GDPR, including data processing activities, purposes of processing, descriptions of categories of data, security measures and data flow maps; and (4) restricts exports of data to third parties outside of the EU by permitting export only where the recipient of the data is in a country that offers an adequate level of protection.
As state and federal governments and agencies in the US and Canada continue to develop laws and regulations governing data privacy and cybersecurity, it is important to remember that nations across the world are dealing with these same issues. Companies that do business outside of the US and Canada need to be cognizant of these developing laws, and the GDPR is one such substantial and far-reaching regulation that international companies must take into account in this digital age.