GDPR compliance for US-based companies: What are the key legal concerns?

Commonly recognised as the toughest privacy and security law on the planet, the European Union’s General Data Protection Regulation (or GDPR) imposes legal obligations on companies and organisations anywhere in the world, so long as they handle data relating to people situated in, or who are citizens of, European Union member states. The GDPR has been in force for over two years, and as a number of significant fines (potentially rising to hundreds of millions of euros) have indicated, compliance is not optional.

We have identified some key legal questions which get to the root of why the GDPR has provoked concern for businesses based not only in Europe, but all around the globe.

What did the GDPR change?

The key aim of the GDPR was to return control of personal data to the individual. It focuses on accountability, transparency and governance in order to minimize the risk of data breaches and to enforce personal data protection by the imposition of new obligations on businesses and organizations. Below are some of the main requirements and obligations in more detail:

A) Processing in a lawful, fair and transparent manner

Organisations that process personal data are obliged to do so in a manner which is lawful, fair and transparent. This can be explained as follows:

  • “Lawful” means that any processing of data should have a legitimate purpose.
  • “Fair” means that organisations take responsibility for their own actions and must not process data for anything other than those legitimate purposes.
  • “Transparent” means data subjects must be fully informed about processing activities concerning their personal data.

B) Limitation

Companies are required to limit the scope of their processing by collecting only the data which is necessary, and by not retaining personal data once the processing purpose has been completed. This effectively creates the following obligations:

  • processing personal data for any purpose other than the legitimate purpose for which it was gathered is forbidden;
  • no personal data beyond what is necessary may be requested;
  • personal data should be deleted as soon as the legitimate purpose of its use is fulfilled.

C) Rights of the data subject

Data subjects have the right to ask a company or organisation what information it holds about them and what it does with that information. Additionally, a data subject can ask for a correction, raise an objection to processing, file a complaint, or even ask for the removal or transfer of their personal data.

D) Consent

When a company intends to process personal data beyond the legitimate purpose for which it was originally gathered, clear and explicit consent must be sought from the data subject. The consent must be documented at the time it is collected, and the data subject retains the right to withdraw his or her consent at any future date.

For data relating to minors, the legislation requires explicit consent of the data subject’s parents (or guardian) if the child is under 16 years of age.

E) Breaches of personal data

Organisations have an obligation to inform regulators of data breaches without undue delay (based on severity, but normally within 72 hours) and record the facts, effects and remedial action taken.

F) Ensuring privacy by design

Companies must ensure that privacy and data protection are built in by default. That is to say that organisational and technical mechanisms to protect personal data should be incorporated into the design of new systems and processes.

G) Impact assessment of data protection

A Data Protection Impact Assessment (DPIA) should be carried out when launching a new project, change, or product, in order to estimate the impact of those changes or new activities. The DPIA is a procedure that should be carried out whenever a significant change is made to the company’s method of processing personal data.

H) Transfer of data

The personal data controller is accountable for ensuring that all personal data is properly protected and GDPR requirements respected, even if processing is being done by a third party. That is to say that controllers are obliged to ensure the protection and privacy of personal data when it is transferred to a third party or to another entity within the same company.

I) Data Protection Officer (DPO)

A company which undertakes a significant amount of data processing should assign a Data Protection Officer (DPO). When assigned, the DPO is responsible for advising the company about GDPR compliance.

J) Awareness and training

Organisations must conduct regular training to inform employees of their professional obligations under GDPR and ensure that they remain aware of any changes in technology or business practices. They must be kept up to date with regard to the protection of personal data and the identification of personal data breaches.

How significant are penalties for non-compliance?

Under GDPR, regional or national authorities may punish non-compliance in one of three ways:

  • Serve a warning or impose a ban (temporary or definitive) on the right to process personal data;
  • Impose a fine of up to a maximum of €20,000,000 or 4% of the total global turnover; or
  • Both of the above options.

The significant level of fines is designed to ensure that compliance is not a choice. Companies and organisations that fail to respect their responsibilities when handling the personal data of individuals will be made to pay for such failures. Examples of fines imposed for data breaches include: British Airways, currently facing a fine of €204.6m; Marriott International Hotels, €110.3m; and Google Inc., €50m.

In what ways are some of the GDPR requirements vague?

Parts of the GDPR have been deliberately left rather vague. This has created some difficulties for companies striving to become fully compliant.

The legislation includes imprecise terms such as “undue delay” and “disproportionate effort”. Exactly how long a delay might be deemed ‘undue’, or how ‘disproportionate’ effort is to be measured, remains to be seen. Such terms may become clear as market practices develop, or could require clarification by the courts or regulators.

In a similar fashion, GDPR provides no definition of how a “reasonable” level of protection for personal data might be assessed. At present, this offers regulators significant flexibility when evaluating fines for non-compliance and data breaches.

When it comes to the appointment of a Data Protection Officer, the legislation fails to include a definite list of DPO credentials. As Article 37 of GDPR rather vaguely puts it, a data protection officer is required to have “expert knowledge of data protection law and practices.” The regulation goes on to specify that the DPO’s field of expertise should correspond with the company’s data processing operations and the level of data protection required for its activities.

Does the GDPR affect the USA?

The answer to this question is found by consulting the legislation itself. Article 3 of the General Data Protection Regulation defines its territorial scope:

  • This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  • This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
      ◦ the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
      ◦ the monitoring of their behaviour as far as their behaviour takes place within the Union.
  • This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

The short answer? Yes. As a European law, one might be forgiven for thinking that GDPR applies only to the 27 member states of the EU. The nature of data transfer and processing in our present digital age, however, means that the physical borders of nations are no longer such a clear-cut guide. The GDPR has global reach. It affects the United States of America, Canada, Central and South America, Africa, Asia and Australasia. If a company does business (or even conducts surveys) with clients, suppliers, or partners who are located in a European Union member state, then it is indeed obliged to respect the terms of the General Data Protection Regulation no matter where in the world that company is headquartered.

What actions, specific to US companies, are required to ensure compliance?

Again, it is important to stress that there are in fact no measures specific to ‘American’ companies under GDPR. Like any other non-EU company, however, whether based in Tokyo or Texas, US businesses need to be aware that any data they handle from a European Union client, supplier, or affiliate does fall within the scope of GDPR.

A significant action for any non-European company is the appointment of a European Data Representative. This role is described under Article 27(3) of the legislation, which specifies that the data representative must:

“…be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.”

The representative can be either a natural or a legal person located in any of the European Union’s 27 member states. The role is that of a point of contact for the EU or member-state GDPR enforcement authority on matters related to data handling.

Where Should a Data Representative Be Located?

As previously stated, the data representative can be located in any European Union member state. Which one is best for any given company may of course depend on individual circumstances or the specific business model concerned. That said, in general terms the Republic of Ireland is quickly emerging as the simplest, and best, choice for companies based in the Anglosphere.

Brexit means that the only remaining English-speaking nations in the EU are Ireland and Malta. From a US perspective, Ireland has the additional advantage of its legal system, like the American equivalent, being part of the common law tradition. Malta uses a hybrid system of common law and European continental civil law. Ireland also offers attractive tax rates for businesses and boasts a highly skilled workforce in the IT industry.

A subsidiary office can therefore be created in Ireland in order to satisfy the need for a data representative. This office may be registered as an Irish Limited Company under the sole ownership of its parent company. The primary role of this form of subsidiary office is to reply to any request from the data regulator. A typical subsidiary office serves as a “one-stop shop” for any and all European Union matters. The main advantage of this is that every EU data issue can be dealt with by the same regulator, the Irish DPC. The alternative would be to deal with, potentially, all 27 state regulators, together with the legal and language differences that this would imply.

Benefits of GDPR Compliance for American companies

The General Data Protection Regulation is believed by many industry experts to be the first significant piece of what will soon become a new wave of data privacy and data protection laws. More significantly, GDPR is in many respects being used as the blueprint for legislation being drafted all over the world. The United States of America still lacks a comprehensive federal data protection law. Nonetheless, a number of individual states have introduced legislation of their own. For example, on July 1st 2020, the California Consumer Privacy Act (commonly known as the “CCPA”) came into force. Because of its similarity to the European law of 2018, the Californian Act has often been referred to as “GDPR lite”. To make a long story short, it seems that GDPR is the template for upcoming US legislation. Therefore, achieving GDPR compliance now serves two purposes for American companies:

  • Firstly, given the importance and scope of the EU market, virtually every company that engages in international trade has some link to Europe. If a company processes the personal data of EU citizens or residents, it must comply.
  • Secondly, even in circumstances where a US company is not currently trading with Europe, GDPR is the blueprint for new data protection laws globally. This means that acting to ensure GDPR compliance now will almost certainly prove to be the perfect preparation for future domestic law.