How GDPR will affect US brands
Editor's Note: The following is a guest post from Jack Carvel, general counsel of Qubit.
The use (and misuse) of data represents a unique challenge to legislators and law enforcement authorities. Unlike traditional goods and services, data flows do not respect traditional international boundaries, and the rate of technological change means that data privacy law is always either overly broad or totally out of date.
In particular, regulators have struggled to develop effective enforcement practices for companies that have a major impact in their territory but are physically based somewhere else.
This is the underlying theme of the current U.S. Supreme Court case United States v. Microsoft Corp, which led recently to the rushing through of the Clarifying Lawful Overseas Use of Data (CLOUD) Act that will effectively allow U.S. authorities to compel companies to provide requested data stored on servers regardless of whether they are located within the U.S. or in foreign countries.
Similarly, many are still reeling from the Cambridge Analytica/Facebook scandal, which has demonstrated how foreign manipulation of individuals' data can potentially interfere with domestic politics.
In this context, it's perhaps unsurprising that the EU's incoming landmark data privacy legislation, the General Data Protection Regulation (GDPR), seeks to apply enhanced data protection standards not just to those companies based in the EU, but also many outside it.
In this post, I examine what the GDPR means for U.S. brands and what steps, if any, they should be taking now to prepare:
What is the GDPR, and how can EU law apply to US companies?
Put simply, the GDPR is a piece of EU legislation that seeks to protect the personal data of EU citizens by regulating how organizations collect, store and process that data.
Unlike its predecessor the Data Protection Directive, which generally speaking did not regulate companies based outside the EU, the GDPR applies to any processing of personal data of data subjects who are in the EU where the processing activities are related to either: the offering of goods or services to such data subjects in the EU (irrespective of whether a payment of the data subject is required); or, the monitoring of their behavior as far as their behavior takes place within the EU.
This means that the GDPR is not just relevant to multinational companies that may be headquartered in the U.S., or to U.S. companies that have direct business operations in the EU, but also to many U.S. companies that do not. In an online context, the GDPR will be relevant if:
- You have a strong internet presence in the EU (even if you do not sell directly into the EU)
- You are an e-commerce company that accepts EU currencies and/or has an EU domain suffix (such as .co.uk, .fr, .de, etc.)
- You have any EU visitors and you conduct personalization on your website.
The cost of getting this wrong
If any of the above apply to your organization, you should carefully review your data handling practices, and determine whether the GDPR is likely to apply or not to your online activities. One of the reasons this is so important is because of the significant fines under the new regulation.
The GDPR introduces serious penalties for companies that do not comply with the new rules. Fines can reach up to €20 million, or 4% of an organization's worldwide turnover — whichever figure is greater.
It's still unclear how EU regulators would impose these penalties on U.S. companies that do not have a permanent presence in any EU country, but the scale of the potential fines should mean that even U.S.-only companies should be taking the new rules seriously.
Compliance can be simple, but is not just a tick-box exercise
Contrary to popular belief, compliance with the GDPR can be achieved simply and without a huge amount of resources. However, it's not a straightforward tick-box exercise and some of the steps may require input from multiple stakeholders within your organization.
For a more detailed guide to the new requirements, the U.K. regulator has published a summary of the GDPR, which is a great starting point if you're arriving at this fresh. However, for companies that are not used to EU data protection law, complying with the GDPR may also require a fundamental shift in how data is conceptualized:
1.) Personal data vs PII
The definition of "personal data" under the GDPR is far broader than the similar U.S. concept of "personally identifiable information" (PII).
PII, as understood in the U.S., is typically confined to identifiers such as name, social security number, date and place of birth, and biometric, medical, educational, financial and employment records. By contrast, personal data in the EU means any information relating to an identified or identifiable natural person, or "data subject." That encompasses identifiers included within the U.S. definition of PII and additionally includes online identifiers such as email address, cookie ID, IP address, browsing habits, location data and so on.
In practice, this broad definition of personal data means that activities such as website personalization are caught by the GDPR, even if such personalization involves only basic use of analytics based on a user's cookie ID or IP address.
2.) The Data Protection Principles, and consent
The GDPR recognizes that businesses have a legitimate interest in collecting and using personal data (for example, for the purpose of understanding how visitors interact with a company's website). However, in doing so, companies are required to follow certain "data protection principles" such as ensuring transparency with the data subject.
In addition, there may be times where a visitor’s consent is required before their data can be collected, which under the GDPR requires more than just referring to an online privacy statement. The GDPR does away with implied consent and pre-ticked boxes, and puts the onus on companies to show that the data subject has fully understood and agreed to what they're being asked to consent to.
Unlike in the U.S., where all data collected from a website is typically considered to belong to the owner of that website, in the EU, personal data belongs to the data subject concerned. Accordingly, that individual has a right to control how their data is processed, which is reflected in the extensive rights for data subjects under the GDPR to access, take copies of and require companies to delete their data. Companies are required to comply with such requests according to strict deadlines, or face potentially severe enforcement actions from local regulators.
Similarly, much stricter requirements are also introduced where third parties are involved. In particular, data subjects should be informed which companies their data is being shared with, and organizations may only engage third parties that can guarantee an appropriate level of data security. This must be evidenced by specific contractual paperwork that meets the content requirements of the GDPR. Understanding these conceptual differences will be key for companies that are seeking to comply with the GDPR.
The GDPR will change the way companies interact with data — not just in the EU but around the world. U.S. brands, especially those with a strong internet presence, should be carefully reviewing their data handling practices, and determining whether the GDPR is likely to apply or not to their online activities. Any concerns should be discussed with counsel well in advance of the GDPR's effective date in order to avoid the considerable fines under the new regulation.