In April 2016, the European Union (“EU”) enacted the General Data Protection Regulation (GDPR). You may ask, “I’m a U.S. business, so why should I care?”  It may be obvious, but the United States is the EU’s largest trading partner.  You may think that Europe is a faraway place, but any regulation that affects commerce in Europe will affect commerce in the United States.  Goods move between the two in great abundance and electronic commerce is pervasive.  If you have an online service with an international reach or sell products internationally, you probably have customers who reside in the EU. As a responsible business person, it’s your duty to know how your commercial activities are being regulated.  Turning a blind eye may cost you dearly.

The GDPR replaced previous European data protection laws and was drafted to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”  Its aim is to increase the territorial scope of privacy law, impose new fines for violation of the regulations, and strengthen conditions for consent.  In contrast, the United States lacks any single unified approach to regulating online privacy as evidenced by current events involving data breaches at Facebook and other online players.

Let’s take a closer look at the GDPR.  The most significant changes to privacy laws in Europe under the GDPR relate to the increased regulatory scope of the law.  Under prior law, the scope of the law was ambiguous, but the new GDPR expressly applies to the processing of personal data of “data subjects” in the EU even by entities not located in the EU.  “Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.”  So, if you are selling goods or services to EU citizens and collecting personal data in the process, you are subject to the GDPR and you will have to appoint a representative in the EU.  This is a big deal because if you simply ignore the GDPR, you could be subject to penalties as high as 4% of your company’s annual global turnover or €20 Million (whichever is greater). That’s 4% of your company’s global income in one year!  Of course, that’s the maximum penalty; other penalties may be assessed depending upon the “nature, gravity, and duration of the infringement, the scope and purpose of personal data process, the number of data subjects and the degree of damage…”  Whether the GDPR penalties are enforceable in the United States is not at all obvious and many businesses may have to proceed with caution while the courts work this out.

The other privacy issue strengthened by the GDPR is that of “consent.”  When you collect personal information (defined as “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address”), you must obtain the owner’s consent.  No longer can you request consent in the context of complex legal documents.  Instead, the obtaining of consent must be part of a separate and easily identifiable process using clear and plain language.  Not only do you have to provide an easy method of obtaining consent, you similarly must make it easy for the owner to withdraw consent.

Finally, the GDPR provides a constellation of rights to “Data Subjects” (i.e., people from whom you are collecting personal information).  They are, in brief:

    *    Breach Notification:  You have 72 hours to notify subjects of a data breach;
    *    Right to Access:  You must give a subject access to his/her data upon request;
    *    Right to be Forgotten:  Upon request, you must “erase [a subject’s] personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data”;
    *    Data Portability:  a data subject has a right to receive personal data and to move it elsewhere;
    *    Privacy by Design:  privacy protection must be designed at the outset as a component of online systems, not as an add-on or afterthought;
    *    Data Protection Officers (DPO): DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offenses.

That’s an overview; see the other articles in this issue for more details about the GDPR.

— Adam G. Garson, Esq.