The European Union’s General Data Protection Regulation (“GDPR”) goes into effect on May 25, 2018. It imposes multimillion dollar fines on violators and purports to apply to U.S. companies, including companies outside the technology industry with no physical presence in the EU.
This Legal Alert provides some practical guidance as to how U.S.-based companies can reduce the risk of becoming the subject of an EU governmental enforcement action or a private civil suit alleging GDPR violations. This is only a general explanation and does not consider individual circumstances, which could significantly affect the best course of action for you. If you have questions about how the GDPR may apply to your own circumstances, please contact one of the DGS Tech Group attorneys listed to the left of this Alert.
The GDPR is an unprecedented increase in the privacy protections afforded to individuals who are either residents of, or physically present within, the EU or the EEA1(“EU Individuals”). The GDPR imposes new, strict rules regarding the collection, processing, storage, transfer, return, and use of any information that can be used, alone or together, with other publicly available information, to identify EU Individuals (“personal data”). The GDPR applies when that personal data is provided to or otherwise possessed by companies or persons in the context of either (i) offering or selling goods or services to, or (ii) monitoring the behavior of, EU Individuals. Personal data includes even publicly available information, such as names or email addresses of individuals. If an EU Individual can be identified, directly or indirectly, by an identifier, such as a name, identification number, location, picture, or physical, physiological, genetic, mental, economic, cultural, or social identity, it is personal data subject to the GDPR.
The GDPR purports to bind “controllers” (tech and non-tech companies that obtain personal data for business use) and “processors” (generally tech companies collecting, aggregating, analyzing, or otherwise processing the data) even if they have no physical presence in the EU. For example, the GDPR is triggered when someone in the U.S. obtains personal data of an EU Individual by (a) accepting an online order from anyone while they are in the EU; (b) accepting an online order from an EU resident while the EU resident is in the U.S.; (c) accepting an in-person order of an EU resident in the U.S.; (d) receiving an application for membership, employment, or another similar relationship from an EU Individual, online or in person; or (e) accepting a name or email address from an EU Individual through an online form, account registration, or similar action. Any of these routine actions, among others, might result in a violation of the GDPR unless appropriate steps are taken.
No, but it means that, beginning May 25, you should start dealing with them differently. U.S. companies necessarily gather personal data in every commercial transaction with an EU Individual (e.g., credit card purchases). The gathering of personal data in that context is almost always exempt from the GDPR. On the other hand, the retention of that personal data is not exempt after the commercial necessity of using the personal data for the contract has passed. At that point, the GDPR consent requirements kick in.
U.S. companies routinely keep personal data of customers, members, and other counterparties in various databases for future use, such as marketing, newsletters, and other purposes. The retention of such personal data of EU Individuals, including data obtained before May 25, 2018, is the principal target of the GDPR.
You should confirm that each EU Individual for whom you already have personal data provides to you (or, if you are a “processor,” to the relevant “controller”) a “GDPR-valid” consent to your retention and use of that data. The controller should reach out directly to each EU Individual for that consent. If you are only a “processor,” you must confirm that the relevant controller has done so. Getting these consents will go a long way toward establishing that you are not already in violation of the GDPR when the law goes into effect.
Admittedly, determining the EU Individuals for whom you have personal data anywhere—in a database, in paper records, in individual computers, tablets, or mobile phones—is a daunting task by itself. Having to contact each of them and get their “GDPR-valid” consent before May 25 makes the urgency of this requirement apparent.
To be certain you are following the GDPR, you should destroy all personal data of EU Individuals for whom you don’t have a “GDPR-valid” consent. This duty arises as soon as you no longer have a valid commercial purpose to retain the personal data that is directly related to the original contract or transaction by which you collected the data. If and to the extent you need to retain data relating to pre-May 25 transactions, such as financial information, even after that original purpose has passed, you can do so but you must delete or permanently “anonymize” the personal data attached to the transaction.
Of course, there are practical considerations. It is likely that 100 percent compliance with the consent requirement by U.S. companies with no physical presence in the EU prior to May 25, 2018 is going to be the exception, not the rule. As a result, good faith efforts by a U.S. company to satisfy the GDPR consent requirement by the deadline are likely to drastically reduce the risks of liability for non-egregious violations.
Unfortunately, there is quite a bit more. The GDPR establishes many new rights for EU Individuals with respect to their personal data that do not apply to U.S. residents. For example, EU Individuals have the right to require you to erase all their personal data even after they have given their consent. This is known as the “right to be forgotten.” They also have the right to access their personal data and to require you to correct erroneous data. You are also required to “port” their personal data to other companies upon their request. There are specific data breach reporting requirements that supplement, but do not replace, the reporting requirements of U.S. state laws. Finally, there is a requirement that companies create their information databases on a “privacy by design” basis, minimizing the amount of personal data retained and otherwise facilitating the other rights of EU Individuals created by the GDPR.
No, but the likelihood of being called to task on those other requirements is much less than the risks from retaining personal data of EU Individuals after May 25 without GDPR-valid consent. The likelihood is that, because so many U.S. companies deal with EU Individuals, these additional requirements will eventually become the de facto standards in the U.S. too. As a practical matter, it may be too difficult for most companies to have different privacy protections for EU Individuals and non-EU Individuals.
The maximum administrative fine that can be imposed by an EU member state’s supervisory authority on a “controller” or a “processor” of personal data for violations of the GDPR is the greater of 4 percent of annual global sales or €20 million. There is a tiered approach to the fines, with some less willful and less egregious offenses carrying a maximum fine of 2 percent of sales or €10 million. In some cases, aggrieved EU Individuals can seek remedial or compensatory payments from controllers or processors for violations of the GDPR.
There may be bona fide legal questions as to whether the EU actually has the legal authority to impose GDPR requirements on U.S. businesses that have no physical presence in the EU or EEA. It is therefore possible that, before or after May 25, one or more U.S. companies will seek a declaratory judgment in a U.S. court to the effect that some of the GDPR’s purported applications to U.S. companies are invalid.
1The European Economic Area (the “EEA”) is comprised of the EU countries plus Iceland, Liechtenstein and Norway. The United Kingdom is still in the EU for this purpose.