The European Commission issued an announcement yesterday of its agreement with the other two major government actors within the EU to adopt a new General Data Protection Regulation (“GDPR”) to govern data protection and data security issues throughout the EU. Intended to completely replace the 1995 EU Data Directive (the “Data Directive”), the GDPR will likely receive approval by the European Parliament and Council and become effective two years from the date of the last of those approvals, or in 2018.
The adoption of the GDPR is rightly being seen as the dawn of a new era for data protection law in the EU due to its sweeping nature, expanded scope and heavier penalties. While the complete actual text of the GDPR has not been released yet, enough is known for early commentary. For US-based companies, here is a preview of “coming attractions” under the GDPR: The Good, The Bad and The Ugly (plus The Mysterious).
The Good: Without a doubt, the GDPR will address some aspects of the Data Directive most bemoaned by US and other businesses, as well as some that are simply inefficient and ineffective. The good news includes the following reported aspects of the GDPR.
- Uniform Implementation. Unlike the Data Directive, which was implemented differently by each Member State, the GDPR will fulfill the promise of “a single market” through uniform implementing legislation in all Member States.
- Single Regulator. Unlike today, a company with operations throughout the EU will need to answer only to a single data protection regulatory authority (“DPA”), rather than one DPA in each jurisdiction where the company operates. This change (as well as the one above) will save businesses in the EU untold millions in compliance costs.
- Elimination of Overbearing Notification Requirements. There is no requirement in the materials released so far indicating that regulated companies must submit “notifications” to their local DPAs prior to initiating any new type of personal data processing. This requirement in the Data Directive had extremely limited utility and was regarded as overly burdensome by businesses (particularly those in the US). My belief is that the GDPR will only eliminate the most commonplace and basic of the existing notification requirements, and that the final regulation will contain some DPA notification/consent regime for a range of proposed “more risky” activities with data, such as the compilation of marketing profiles or overseas transfer.
- Risk-Based Regulation. While the devil will be in the details, the intent of the writers of the GDPR will offer more flexible rules based on the circumstances of the processing of particular data by a particular company, rather than the one-size-fits-all approach under the current Data Directive.
- Small Business Exceptions. There are exceptions to certain burdensome requirements built in for smaller businesses, such as exemptions in certain cases from the obligation to carry out data impact assessments or appoint Data Protection Officers.
The Bad: Some of the changes reportedly being made by the GDPR will be viewed as negative by some, but less negative by others. Some of these are included here because they involve a widening of legal obligations in comparison to those existing today.
- New Breach Notifications. As in the U.S., there will be an obligation on regulated companies to inform EU residents if the personal data held by the company has been hacked or otherwise accessed or used in an unauthorized manner.
- Right to be Forgotten. While this much-publicized new human right in the EU will no doubt be a major issue for search or data mining companies such as Google or Axciom, many U.S. companies only incidentally processing and storing the personal data of EU residents may not have difficulty complying with this edict. However, it remains to be seen how this requirement may clash with a company’s legitimate desire to enforce its own legal rights in a dispute with an EU resident where the personal data at issue has ostensibly been deleted.
- Broadened Scope of “Personal Data.” That the GDPR will include IP addresses as regulated “personal data” will surprise no one who has been engaged in e-commerce in the EU lately. More surprising expansions of the scope of “personal data” may include unique identifiers such as third party advertising cookies, cell phone numbers and/or other character strings used to uniquely identify a single individual in some data environments.
The Ugly: Truly unwelcome changes being reportedly imposed by the GDPR include elements that significantly raise the stakes for U.S. companies with subsidiaries or other presence in the EU, as well as those who merely target EU residents from servers based outside the EU.
- Dramatically Increased Penalties. While final figures are not available yet, the size of possible monetary penalties under the GDPR will increase to somewhere between 2% and 5% (most commentators are saying 4%) of a company’s global trading revenue. The size of these penalties will catch the attention of even the least data-focused U.S. companies.
- Dramatic Widening Scope of Regulated Entities. The scope of companies regulated will be widened, including for the first time, express obligations applicable both to U.S. companies who merely provide services (i.e., “processors”) to EU companies that provide them with personal data, as well as, to companies without any EU presence who target EU residents as customers via websites based outside the EU. While the first change may add a welcome degree of certainty to the rules surrounding processing of EU data, the second is likely to be viewed with dread by U.S.-based companies currently targeting EU residents for sales but who have not yet taken any substantive steps to comply with EU data protection laws.
- Guarantees of Data Portability. The GDPR will include a right to portability of data, somewhat like the right of U.S. consumers to port their existing telephone number from one carrier to another. Depending on how this is stated in the new regulation, it could create extremely challenging programming and software development expenses and requirements.
The Mysterious: Let me add a final category here for questions raised by the GDPR about which currently available information does not shed significant light. The most critical of these is the practical details of how transfers of data out of the EU to countries not currently deemed “adequate” by the EU Commission, such as the US, will be treated under the GDPR? Of course, this issue takes on added import due to the recent collapse of the US-EU Safe Harbor (see related article here). The Schrems case that invalidated the Safe Harbor was premised, ostensibly, on the clash in approaches to data privacy between the security-minded and constantly surveilling US government and the EU, where the right to privacy is viewed as a key human right that cannot be trampled even for the purposes of combatting terrorism. While this conflict in principle may be tough to reconcile, one can only hope that calmer heads will prevail and that EU regulators notice that surveillance of communications is also widely found throughout the EU (see examples, here and here), and that the scope of affected data in US federal surveillance efforts is narrow in practical terms to allow the bulk of data flows to the US to continue unrestricted. Along with resolution of this key issue, whether the DPAs will be given additional budgetary and personnel resources to focus specifically on overseas transfers, and whether any privacy-enhancing technological solutions will be deemed “adequate protection” by the European Commission is still to be determined to ease the way for all involved under the GDPR.
The Bottom Line: Given all the recent regulatory changes in the EU concerning companies that receive and process personal data of EU residents, now is not the time to put these legal issues on the back burner. Decisions that your company may be making today, such as choice of service providers or adoption of certain technologies, can make the difference between dramatically reducing your company’s risk regarding EU data protection or painfully compounding them. Your company’s bottom line will likely be better off by pausing to consider and address the issues discussed here.
Author Kim Verska, is an attorney in Atlanta and head of the Data Privacy and Security team at Culhane Meadows. She has been advising companies from the Fortune 100 to the newest startup in US-EU data privacy issues since 2000. Her full biography is here
For assistance with U.S.-EU data privacy compliance issues, contact your Culhane Meadows attorney or send a message to privacy@culhane.law. The Data Privacy and Security Team of attorneys at Culhane Meadows have been assisting clients with these and other cross-border data privacy and security issues since the inception of the Safe Harbor and the related laws in the US, EU and elsewhere. As always, due to its cloud-based business model, Culhane Meadows attorneys provide clients with advice from BigLaw quality attorneys at New Economy rates and efficiencies.