This is not just a problem for European-based companies. If your organization is established in the EU, offers goods or services to individuals in the EU, or monitors the behavior of individuals in the EU, then the provisions of the GDPR apply to you regardless of where your organization is located, including:
- More rigorous data security measures
- A higher bar for obtaining consent
- New breach notification provisions
- New rights of the data subjects, including the “right to be forgotten”
- New requirements for governance over data and data processes
- Restrictions on transferring personal data outside the EU, which for US-based organizations are commonly addressed through the EU-US Privacy Shield Framework
The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person.” This is broader than names and contact details: it includes online identifiers such as IP addresses, device IDs, and cookie identifiers, as well as any customer reference number that can be tied back to a person. Importantly, these protections apply to all entities that process the personal data of individuals in the EU, even if the processing itself takes place outside the EU.

The regulation also restricts transfers of personal data outside the EU. Personal data may be transferred to a third country only if the European Commission has determined that the receiving jurisdiction “ensures an adequate level of protection” consistent with the GDPR; the transferring entity has provided “appropriate safeguards” (for example, standard contractual clauses or binding corporate rules); or the individual has given explicit consent to the transfer after being informed of its risks. (The European Commission is responsible for proposing legislation, implementing decisions, upholding the EU treaties, and managing the day-to-day business of the EU.)

Furthermore, the GDPR guarantees a number of rights to data subjects. A data breach that is likely to “result in a risk to the rights and freedoms” of individuals must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it; affected individuals must be notified directly when the breach is likely to result in a high risk to them. Data subjects also have the right to access their personal data, the right to have it erased (the “right to be forgotten”), and the right to data portability, that is, to receive their data in a machine-readable format and move it from one processing entity to another. Together, these rights are at the heart of the regulation’s purpose: to give individuals back control over their personal data.
These objectives are advanced through several mechanisms. First, organizations that breach their obligations can be fined up to 4 percent of their annual worldwide turnover or 20 million euros, whichever is greater. This top tier of fines applies to violations of the regulation’s core requirements, including the conditions for consent, the rights of data subjects, and the rules on international transfers. Second, consent must be freely given, specific, informed, and unambiguous; it cannot be inferred from silence, pre-ticked boxes, or inactivity, and it must be as easy to withdraw as it was to give. For special categories of personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, or trade union membership), explicit affirmative consent is required. Third, the GDPR requires entities whose core activities involve regular and systematic monitoring of data subjects “on a large scale,” or large-scale processing of special categories of personal data, to appoint a data protection officer. Such officers advise their organization on GDPR compliance, serve as a point of contact for data subjects inquiring about their data, and liaise with EU supervisory authorities. Fourth, the GDPR encourages the creation of data protection certification mechanisms, seals, and marks so that entities can clearly demonstrate compliance with the regulation.
If you have a website, mobile app, or other online service that is accessed by EU users, you will likely need to update your relevant online agreements and notices in order to comply with the GDPR. Some suggestions include:
- Use clickwrap agreements (where the user must take an affirmative action, such as checking an unchecked box or clicking an “I agree” button) to obtain clear, unambiguous consent before collecting any personal data.
- Add Privacy Notices at the points where you ask for consent to collect data, so that users understand what they are consenting to, why you are collecting the data, and how you plan to use it.
The GDPR is a complicated regulation and not all of its key parts can be summarized here, but if you have any questions or would like a legal review of your online agreements and notices, please contact your Carlile Patchen & Murphy LLP business attorney.