By: Michael H. Gladstone, Esq.
On May 25, 2018, the European Union (EU) “General Data Protection Regulation” (GDPR) becomes effective. Many U.S. businesses are only now waking up to the possibility that this regulation may apply to them. For U.S. entities with any contact with EU subjects and their personal data, the question of whether the GDPR applies to them is a serious one that should be carefully studied.
The GDPR imposes an extensive set of duties and burdens on “covered entities,” and sets out breathtaking penalties for violation of the regulation. Breathtaking here means 4% of worldwide revenue, or 20 million Euros, not counting damages to the violated data subject. The scope of personal data covered by the regulation and utilized by data recipients and users (called “controllers” and “processors” of personal data), coupled with the GDPR’s expanded territorial reach (compared to the predecessor EU rules concerning protection of personal data), means that a significant number of U.S. businesses which might intuitively or superficially conclude otherwise may be covered by the regulation. The GDPR represents an unprecedented effort by a governmental unit to protect the privacy of its subjects’ personal data. The practical details of the GDPR’s numerous requirements are driven by the fundamental proposition that personal data belongs absolutely to the individual. It places the burden to protect the data fully and squarely on the controllers and processors. The ramifications of this are expressed in the extensive provisions governing the interplay between the individual and the controllers and processors which receive the person’s data for processing. The broad definition of personal data generally, the special attention the GDPR pays to information it deems sensitive, and its protection of the data of children all reinforce the protective, property-right philosophy underpinning the regulation. Personal data controllers and processors must act as advisers, protectors, facilitators and recorders of the protection of the extensive fundamental rights of the individuals whose personal data they obtain and process.
In connection with this responsibility, controllers must maintain records of the lawful basis for receipt and processing of the data, of the actual processing, and of all interactions with the individual pertaining to the protection and exercise of their rights in the data. Data controllers and processors must devote significant effort to gathering no more data than necessary for the purpose at hand, to protecting it while on hand, and to eliminating it once processing is concluded. Changes in the purpose of processing require additional notice to individuals, who retain throughout the right to object to, limit, obtain, transfer, correct and terminate the use of their data. The GDPR thus requires a reorientation of thinking about the design and implementation of systems that obtain, process and file protected personal data, extending from everyday employment record making and keeping to massive marketing and consumer profiling data processing.
The range of compliance duties imposed on covered U.S. companies is hinted at by the responsibilities outlined in the preceding paragraph. Those responsibilities, in addition to gearing up to implement the referenced controller/data subject obligations, can include appointment of a representative in the EU, conduct of data processing assessments, and appointment of a data protection officer whose loyalty is owed to the EU, not to his/her employer. U.S. entities must examine their activities touching EU subjects and their data, and their EU connections and market activities, to determine whether or not the GDPR reaches them. Questions in this area include whether a U.S. company is part of a wider establishment in the EU, whether the company offers goods and services in the EU or to persons in the EU, and whether the entity is for some reason subject to the law of an EU country. We’ve found in applying the regulation that its concepts and language can be challenging, and the precedent available for interpreting it is limited. The only path to confidence going forward, whether under or outside the GDPR, is a systematic review of its standards for application and, where it is found applicable, a thorough response that identifies its demands and implements a compliant data protection program responsive to both individuals and regulators.