On May 25th, 2018, the European Union’s General Data Protection Regulation (GDPR) replaced the Data Protection Directive of 1995. Unlike the previous legislation, the GDPR affects businesses and organisations based outside of the EU. The simple fact that all large US businesses should have acknowledged by now is that even if an American company has no staff or sites within any member state of the European Union, the GDPR will, in the vast majority of cases, still apply.
Article 3 of the GDPR states the following:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
An American company (or any other non-European enterprise, for that matter) is therefore subject to the GDPR if it handles or processes the personal data of any individual who resides in an EU member state at the time the data is accessed. For example, this would be the case where the processing relates to the sale of goods or the offer of services anywhere in the EU.
Moreover, the GDPR may apply even where there is no financial transaction at all; it is the gathering and processing of personal data that is decisive. For instance, if an American company has any internet presence in the EU for the purposes of conducting a marketing survey, it is in all probability subject to the legislation.
Even if an American business has no such activity whatsoever in the EU and is not presently subject to the GDPR’s obligations, becoming GDPR compliant may in fact prove useful in the long term. This is true not only because it facilitates future expansion, but also (for reasons discussed later) because of a general global trend with respect to personal data.
The Seven Principles
The General Data Protection Regulation was drafted with seven broad principles in mind. It is useful to consider them and to reflect upon how they may apply to US-based enterprises.
These principles are set out in Article 5 of the legislation and are as follows:
- Lawfulness, fairness and transparency
Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
This principle stresses the need for transparency towards all European Union data subjects. At the time the relevant data is gathered, the reasons why the data is being collected and how it is to be used must be communicated. Any company gathering data must also provide details concerning the data processing when the subject requests them; e.g. should a data subject ask who the data protection officer (often referred to as the “DPO”) is at that company, or what personal data the organisation holds relating to them, that information has to be available.
- Purpose limitation
Personal data shall be: (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
To ensure GDPR compliance, companies may not ask for personal information that serves no specific purpose in the activity they are carrying out. Members of the public, in addition to the legal authorities, have the right to question why a particular service appears to request information that is irrelevant to the service it provides. Indeed, the request for irrelevant information may in itself be an act of non-compliance.
- Data minimisation
Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
Any data that is collected must be limited to the precise needs of the business or service concerned. Organisations may not request nor gather information that is unnecessary or irrelevant to their service. The goal of this principle is to prevent individuals from disclosing personal information that is not in fact used in processing.
- Accuracy
Personal data shall be: (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
This principle obliges data handlers to ensure that information remains correct, legitimate and fit for purpose. In order to comply, the organisation concerned should have a thorough process and clear policies in place setting out how it will maintain the data it processes and stores.
- Storage limitation
Personal data shall be: (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
Information is required to be deleted (in most circumstances) at the request of the data subject, or when it is no longer accurate or can no longer be deemed necessary to retain. Data relating to individuals should not be kept by a company once those individuals are no longer its clients or customers. People may request that their information be removed from company files and records, and organisations should do so when requested.
- Integrity and confidentiality
Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The integrity and privacy of data must be protected by keeping it secure. Any organisation which collects and processes data is now fully responsible for implementing security measures that are proportionate to the risks to, and the rights of, data subjects. It is not simply a question of avoiding deliberate malice or misuse of personal data; negligence is no excuse under the GDPR, so organisations must devote adequate time and resources to ensuring that data is protected from security breaches, whether they result from internal system or human error or from a deliberate cyber attack by malicious hackers.
- Accountability
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Previous data protection laws failed to provide specifically for severe penalties for the misuse, negligent exposure or illegal sale of personal data. The GDPR, however, makes organisations far more accountable for their actions. If found to be in breach, businesses can face huge fines, as multinationals such as Google, the Marriott hotel group and easyJet can attest.
All businesses should take the necessary time and effort to evaluate their potential risk and be as honest as possible when gauging their present status. The above explanation should be viewed as an introduction to each requirement; important questions as to how a non-European company can ensure compliance remain (e.g. the role of the Data Protection Officer, or perhaps the need for a European representative office), but a basic comprehension of the task ahead is of course a very important starting point.
GDPR as the blueprint for US legislation
The European Union has come to be seen as a trend setter in many aspects of trade law. If one wishes to engage in commerce in the EU market then, logically, the products must meet European standards. The knock-on effect of this reality is that international companies tend to adjust their standards globally to meet the EU requirements; more often than not it makes little sense for them to maintain multiple standards or products for different regions. It is simpler to apply the same standard everywhere. The EU generally demands rather high standards, so if a product or service is EU compliant, it will likely be acceptable almost anywhere else. The size and power of the EU market further reinforces this trend. Interestingly, in a phenomenon sometimes referred to as the “Brussels Effect”, other nations are increasingly mimicking EU requirements in their own domestic laws.
The size and scope of the GDPR means that it is being seen as the first significant piece of the new wave of data privacy and data protection laws. As already discussed, the very nature of data gathering in the 21st century means that GDPR has a global reach. In many respects, GDPR is quickly becoming the blueprint for data protection laws all across the world.
To date, there is no comprehensive federal data protection law in the United States. A number of individual states have, however, introduced their own. Notably, the California Consumer Privacy Act (or “CCPA”) came into force on 1 July 2020. It is quite evident that those responsible for drafting the California Act used the GDPR as their guide.
What this means is that those California-based companies which acted swiftly to ensure they were GDPR compliant in 2018 now find that they already have the procedures in place to respect the CCPA. Industry insiders believe that this will continue to prove the case as further states introduce their own data protection legislation and, ultimately, a federal law is enacted.