Today the General Data Protection Regulation (“GDPR”) replaces Data Protection Directive 95/46/EC as the European Union’s (“EU”) primary law regulating how companies protect EU citizens’ personal data. The GDPR is intended to harmonize privacy laws across Europe and bring about operational changes with regard to how organizations collect, store, process and think about their customers’ personal information.
The GDPR applies to organizations located within the EU as well as organizations located outside the EU that offer goods or services to EU data subjects or process the personal data of EU data subjects. This includes U.S. companies that have customers in the EU, market products and services in the EU, or process EU citizens’ personal data. Article 4 of the GDPR defines “personal data” as
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly in particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Online identifiers include “traces” left by a data subject’s “devices, applications, tools, and protocols,” including IP addresses, cookies, MAC addresses, and RFID tags, which when combined with other identifying information can identify a given data subject.
This definition of personal data is significantly broader than what is considered personal data under U.S. state and federal laws. California’s data breach law, for example, defines personal information as (1) An individual’s first name or first initial and last name in combination with any one or more of the following: Social security number; Driver’s license number or California identification card number; Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; Medical information; Health insurance information; Information or data collected through the use or operation of an automated license plate recognition system; or (2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account. CA Civ. Code § 1798.82(h). California’s definition does not include the range of online identifiers encompassed by the GDPR or the open-ended “factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”
The GDPR applies to both data controllers and data processors. This is a departure from the previous EU regulation governing data privacy, the 1995 Data Protection Directive, which only applied to data controllers. Now data processors have direct statutory obligations and share joint and several liability with data controllers for damages. The GDPR describes data controllers as entities that decide the purpose and manner that personal data is used or will be used. A data processor is a person or group that processes the data on behalf of the controller. The act of processing consists of obtaining, recording, adapting or holding personal data.
Notable requirements of the GDPR include:
· Privacy by Design and by Default – Data protection considerations must factor into the design and development of products, processes or services that will process personal data. When a system or service gives consumers choices regarding the amount of personal data she/he shares, the most privacy friendly choices should be the default setting.
· Stronger Consent Requirements – In most cases a data subject’s consent is required before the subject’s data can be processed. Requests for consent must be intelligible, accessible, and articulate the purpose of the data processing. The data subject’s consent must be clearly given and specifically directed to purpose of the data processing articulated at the time consent was requested. It must be as easy for the data subject to withdraw consent as it is to grant it.
· Right to Access – Data subjects have the right to ask a data controller to confirm whether it is processing any of their personal data, where and for what purpose. Data subjects can also request an electronic copy of any personal data a data controller has stored about them free of charge.
· Data Portability – Data subjects have the right to receive, in a “commonly used and machine readable format,” any personal data a controller possesses concerning them. The data subject is then free to transfer this data to a different controller.
· Data Erasure (Right to be Forgotten) – Under certain conditions, a data subject can request that a data controller erase and cease dissemination of her/his personal data, and even make third party data processors halt processing of their data.
· Mandatory Breach Notification – Where a data breach is likely to “result in a risk for the rights and freedoms of individuals,” notice must be given within 72 hours after the organization learns of the breach. Data processors must notify data controllers “without undue delay,” after learning of a breach.
· Data Protection Officers – Companies that regularly process sensitive data on a large scale or regularly and systemically monitor individuals on a large scale must appoint a Data Privacy Officer (“DPO”). For example, a DPO would be mandatory for hospital or accounting firm processing large sets of sensitive data. A DPO would likely not be necessary for a local doctor’s office or accountant that processes the data of its patients or clients.
Organizations will not be able to satisfy these requirements with superficial or pro forma measures. The GDPR is intended to force organizations to encode privacy protections into their DNA, such that privacy protections become an inseparable component of daily operations. Non-compliant organizations face steep fines (maxing out at roughly $25 million dollars or 4% of global annual turnover, whichever is higher), though it remains to be seen how aggressively regulators will enforce compliance early on. Each EU member state is responsible for setting up a Data Protection Authority (“DPA”) tasked with monitoring whether individual data subjects can exercise their rights and evaluating whether organizations are processing personal data in compliance with the GDPR. The DPA has the power to investigate suspected violations and conduct data protection audits. The DPA may request access to a data controller or processor’s premises, processing equipment, customer data flow, and data protection procedures.
Organizations will be best served if they view the GDPR not as a burden, but an overdue opportunity to overhaul treatment of customer data. Adopting procedures to comply with the GDPR will help organizations prepare for future privacy law developments in jurisdictions outside the EU. In California, for example, a currently proposed ballot measure would incorporate some of the protections mandated by the GDPR. The California Consumer Privacy Act of 2018 would, among other things, give Californians the right to know what personal information a business has collected about them and to tell the business not to sell the information, prohibit businesses from discriminating against consumers who exercise these rights, and strengthen enforcement measures for holding business accountable for safeguarding the information. While there is no guarantee the California Consumer Privacy Act of 2018 will ever become law, it’s a safe bet that it won’t be the last effort to import GDPR protections into domestic legislation.
California businesses of all types and sizes would be well advised to reevaluate, and if necessary, reform their data privacy practices with an eye towards the GDPR. Even if a company does not fall under the GDPR today, using the GDPR to inspire and guide data protection reforms will allow the company to better protect customer privacy and better position itself to address rapidly evolving data privacy laws.