By Contracts and Technology Solicitor, Paul Eastwood.
Whilst that title may not look catchy on a nice red hat, the EU’s incoming data protection law (the General Data Protection Regulation or GDPR, effective from 25 May 2018) is very much being noticed by businesses in the USA: more than 75% of respondents to a PricewaterhouseCoopers LLP survey of American businesses on their GDPR readiness said they planned to spend $1 million or more on preparing for the new law.
Businesses in the USA that import certain types of data from the EU have long been aware of the reach of data protection legislation, with the Privacy Shield (or its predecessor, Safe Harbor) available to US businesses wanting to self-certify compliance with the EU’s high watermark for data protection when personal data is transferred out of the EU. However, a significant impact of the GDPR is that it can also capture businesses with no establishment in the EU at all, if they process certain personal data (a term defined more widely than the USA’s “personally identifiable information”), whether for themselves or for a client.
The expanse of the Atlantic Ocean will not be sufficient to avoid the territorial reach of GDPR for businesses that offer goods or services to individuals in the EU (regardless of whether a payment is required) or that process personal data to monitor the behaviour of individuals in so far as that behaviour takes place within the EU. Whether such an offering is being made will require an individual analysis, but where a business accepts payment in euros, runs a website on an EU country-code domain (such as .ie or .co.uk) or uses testimonials from EU customers, it is more likely that its activities fall within the scope of GDPR. It will also be timely to look at how far website cookies monitor and build profiles on individual users (and to consider what the business is really getting out of that functionality).
Once businesses know they are caught by GDPR, they will need to know what obligations apply to their collection, use, sharing and destruction of certain types of personal data.
Specifically for businesses caught in this way, and in addition to all of the other obligations of the law, GDPR requires that a representative established in the EU be designated (in writing) to act on the business’ behalf with regard to GDPR compliance (unless an exemption applies). That representative will not only be the point of contact for data protection authorities in the EU, but may also be pursued by those authorities in enforcement proceedings following breaches by the appointing business.
More generally, apart from the significant fines that can be levied for breach of the law (up to €20 million or, if higher, 4% of the organisation’s total worldwide annual turnover for the preceding financial year), the main changes that have been grabbing attention are the tight breach notification requirement (notification to the supervisory authority within 72 hours of becoming aware of the breach, where feasible), the “right to be forgotten” in certain circumstances and the legislative obligations now imposed directly on data processors (usually service companies).
Looking for a silver lining: although it may not be welcome news that the EU’s data protection regime applies and that an investment must be made in various operational and technological updates (including updating T&Cs and privacy notices), GDPR may also be viewed as an opportunity. It is the next revolution in data protection and goes some way towards aligning the laws of all of the EU’s Member States (the UK included, regardless of Brexit), which allows for a consistent approach to compliance. Further, a robust approach to GDPR may also be attractive to clients and consumers in the EU, where a company’s reputation for respecting privacy and data protection will never be more valuable (or more sorely missed) than on the day a breach notification hits the media.
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.