By Maia T. Spilman, Esq./CIPP
The “GDPR” –What is it and why does it matter if we’re not in Europe?
The Data privacy/Data protection community has been all abuzz about the European Union’s “GDPR” for a while and the attention will not go away soon. Apart from those of us who are data privacy/protection focused in our jobs, many companies that handle electronic data are also joining the conversation. In this column we’ll attempt to provide an overview of the “GDPR” and particularly, how certain US companies will be impacted by this European law.
The GDPR is the acronym for General Data Protection Regulation; an extensive Regulation set for enforcement on MAY 25, 2018. It took nearly five years to negotiate and finalize the text of the Regulation. The GDPR overhauls and updates the European Union’s Data Protection Directive, gives enforcement powers to regulators and aims to give individuals more control over their personal data. One of the stated purposes in the GDPR is to update the Data Directive, which went into effect in 1995.
Anyone who remembers that time knows how much technology has changed since then, so updating the relevant law is overdue. As a Regulation vs. a Directive, the GDPR is to be enforced by all European Union (EU) Member States at the same time; namely May 25, 2018. This is not optional, and the Regulation provides a major enforcement tool in the form of significant fines. The GDPR also provides individuals with clear rights related to the data about them. These two last points in particular are important for companies outside of the EU to understand because the Regulation’s reach extends beyond Europe’s geographical or political boundaries.
The GDPR is global in its reach, and that includes companies which are based solely in the United States. Article 3 of the GDPR “Territorial Scope” addresses this. In essence, the GDPR applies to anyone who processes personal data in connection with offering goods or services in the EU – even if those offerings are free of charge to the individual. The Regulation also applies to those who monitor the behavior of individuals so long as the behavior being monitored is in the EU. This last portion is understood as monitoring online behavior including tracking and targeted marketing/advertising. For the purposes of this article processing personal data means using, analyzing, aggregating or otherwise handling data relating to an individual.
Not unlike the US definition of personally identifiable information, which is broad and seems a bit circular, so too is the GDPR’s definition of “personal data” found in Article 4 paragraph (1):
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person:”
Unlike the United States where data privacy laws tend to apply according to business sectors; i.e. Healthcare and Financial Services, the GDPR applies across the board regardless of industry. In this sense the Regulation is broader than United States’ federal and State laws; it applies to any company which handles personal data so long as that personal data is related to goods and services offered in the EU or the monitoring of behavior in the EU. Nonetheless, there are certain industries which will likely come under regulators’ scrutiny more readily than others; namely technology and digital marketing companies. The obvious ones are e-commerce companies who have EU clients or who market to consumers in the EU. The less obvious ones are B2B companies which offer targeted marketing services, data analytics or which aggregate data for other purposes. In these instances even if the aggregated data is not used for “nefarious” purposes and the names of individuals may be unknown, EU Regulators enforcing the GDPR may not find that sufficient for compliance.
The Stick (no carrot)
Companies everywhere must consider the consequences of not following the law where they may do business or have clients. Apart from wanting to be lawful corporate citizens, for many companies reputational damage is a serious consideration. However, the GDPR is not relying on corporations’ moral compass or integrity but rather on stiff penalties to force compliance. Fines under the Regulation are intended to be preventative and punitive. The fines range from 2% of a company’s worldwide annual turnover (equivalent of gross revenue) or 10 million Euros, whichever is greater. However, violations of certain provisions (Articles 5, 6, 7 and 9, Articles 12-22 or 44-49) will incur fines of 4% of worldwide annual turnover or 20 million Euros which ever sum is greater. Those Articles address the processing of personal data, an individual’s rights regarding her/his personal data and how personal data may be transferred outside of the EU.
To avoid the significant fines and other consequences, companies handling/processing personal data will have to do a variety of things and implement certain internal measures. Preparations for the GDPR were meant to have begun over two years ago. Certain key requirements will be discussed here in the future, particularly those that United States based companies need to understand because they differ from the status quo on the west side of the Atlantic. The Articles that carry a higher penalty if violated seem targeted to the types of technology companies which have flourished in the United States in recent years. Therefore, these companies and those looking to emulate them will be well served to understand what is required for GDPR compliance, and consider that in their risk tolerance assessments.
 Article 3 paragraph 2 states: “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
 Article 4 paragraph 2 of the GDPR provides the official definition: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
 Principles relating to Processing of Personal Data; Lawfulness of Processing, Conditions for Consent, Processing of Special Categories of Personal Data, Articles 12-22 address the Rights of Data Subjects [Individuals vis a vi their information] and Articles 44-49 address the Transfer of personal data to third countries [the US is not just a third country but an inadequate jurisdiction for the purposes of transferring personal data].