27 July 2017

Penalty: Up to 20 Million Euros, or 4% of Gross Revenue – Know if Your US-based Organization is Subject to the European Union Data Protection Regulations


In data privacy circles, there is constant discussion regarding the EU-US Privacy Shield and the EU General Data Protection Regulation (“GDPR”).  While the temptation for US-based companies to take an isolationist approach and ignore these EU regulations is understandable, doing so may unintentionally subject such companies to significant liability.  All US-based organizations that hold, process, or transfer data of EU citizens or residents will be subject to the GDPR.  The physical location of the organization, including its headquarters, is irrelevant.

US companies with EU affiliates, employees, or operations, or that offer goods or services to EU residents (irrespective of whether payment is required) should analyze what personal data they obtain, where it comes from, where it goes, and how they transfer it.  This analysis is critical to preparing for the significant regulatory changes coming—in less than 10 months.

US companies have had to keep pace with evolving data protection regulations emanating from the EU over the past year.  The following outlines the recent evolution of EU data protection regulations and what companies should expect next year when the GDPR takes effect:

Privacy Shield

This month marks the one-year anniversary of the EU-US Privacy Shield.  The Privacy Shield replaced the Safe Harbor agreement between the US and EU after the European Court of Justice declared Safe Harbor invalid on October 6, 2015.  The Privacy Shield Framework was designed by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a legal mechanism to comply with data protection requirements when transferring personal data.  Six months after the EU approved the EU-US framework, the Swiss Government approved the Swiss-US Privacy Shield on January 12, 2017.

Essentially, US-based companies can voluntarily self-certify to the Department of Commerce, publicly pledging compliance with the Privacy Shield Framework, and thereby benefit from the adequacy determinations.  Once a company is certified, it is declared to have adequate data privacy protection. EU countries then waive, or automatically grant, the requirement for prior approval of data transfers, and the company is added to the Privacy Shield List.  The Privacy Shield is designed to ensure compliance with the EU’s Data Protection Directive.  However, the GDPR will replace the Directive.

GDPR

The GDPR affects all US businesses and organizations that hold information about present or past employees, clients, or suppliers who are EU citizens or EU residents or provide goods or services to EU citizens/residents.  Even if you do not offer a product or service directly to EU consumers, but rather provide a service to an EU company that leads to you processing data of EU citizens/residents, you need to comply with the GDPR.

The GDPR strives to (1) defend the fundamental right to the protection of personal data; (2) protect the free movement of personal data within the EU; and (3) unify the regulatory environment to achieve simplicity and effectiveness.

The GDPR goes into full effect May 25, 2018.  Any organization not in full compliance with the new regulation faces heavy fines of up to €20 million ($23 million USD), or 4% of a corporate group’s worldwide gross annual revenue, whichever is greater.

Given the draconian nature of these penalties, US companies should gain an understanding of the GDPR and whether compliance is necessary.  Here are some high level considerations:

  • Extended jurisdiction: Regardless of where your company is established, if you process or control data of EU citizens/residents or offer goods or services to EU citizens/residents, you will be subject to the GDPR.
  • Stricter penalties: With the tiered approach a company could be facing a fine of 2% of their annual gross revenue for not notifying the supervising authority and affected persons about a breach.
  • Consent: The primary objective of the GDPR is to give control back to individuals over their personal data, therefore, explicit consent must be obtained for the collection and processing of data. Requests for consent must be given in an intelligible and accessible format with freedom to easily withdraw consent.
  • Breach notification: It will be mandatory to notify affected persons, including customers and controllers, of a data breach within 72 hours.
  • New data protection rights: The GDPR will establish the right to learn whether or not personal data concerning an individual is being processed, where and for what purpose; the right to be forgotten and have all personal data erased; and the right to receive personal data concerning the individual in order to transmit that data to another controller.
  • Privacy by Design: Although this concept is nothing new, the GDPR is now making it a legal obligation to include data protection from the onset of the designing of systems, rather than an afterthought.
  • Data Protection Officers: The GDPR will mandate organizations that satisfy certain criteria to appoint a Data Protection Officer who will oversee data protection law and practices.

Please contact any member of Miller Johnson’s Privacy and Cybersecurity team if you have any questions or would like assistance evaluating whether your organization is subject to the GDPR and, if so, whether you are compliant.

Authored by Jeffrey Muth, Privacy & Cybersecurity Co-Chair and Tiffany Kim, a Summer Associate working with Miller Johnson’s Privacy & Cybersecurity team.  Before law school, Tiffany was the Homeland Security Planner for the Kent County Sheriff’s Department, and Co-Chair for Homeland Security Region 6, West Michigan Cyber Security Consortium.