Three-and-a-Half Weeks in May: Some Final Thoughts as GDPR Takes Effect on May 25, 2018
by Saad Gul and Michael E. Slipsky
Given recent headlines, ranging from Facebook to Cambridge Analytica to the City of Atlanta’s ransomware attack, the logical inference is that the European Union’s General Data Protection Regulation (GDPR) is a product of our current privacy-conscious environment. In fact, it was conceived as a long overdue update to the EU’s 1995 data protection directive and has been years in the making.
As GDPR appeared on the horizon, we had occasion to work with a number of clients on related issues. Certain themes emerged as frequent points of concern. Now that we are closing in on GDPR’s effective date, we have collected our thoughts on those points:
· By far the most frequent question we address is whether the GDPR applies to a particular client with no physical presence in Europe. That is, of course, the million euro question. GDPR’s text and working papers do not establish bright line rules. However, reading Article 3 together with Recital 23 provides some guidance: the GDPR applies if the client’s data processing activities are connected to the offering of goods and services to EU individuals. To some extent, this connection, like beauty, is in the eye of the beholder. Nevertheless, some general extrapolation is possible. At one end, mere incidental sales—e.g., an EU citizen registers to attend a single professional training session in North Carolina—would not implicate the GDPR. At the other end, activities tailored to EU residents—e.g., websites translated into European languages and/or offering products priced in euros—would almost certainly trigger the GDPR. Unfortunately, the scope and reach of GDPR will likely become known with precision only when enforcement begins.
· The most cautious practitioners suggest that handling any EU personal data brings the organization within the ambit of the GDPR. Our reading of the statutory text and Working Party papers does not support this reading. There is clearly some de minimis standard, e.g., if a North Carolina meal is paid with a European credit card, then that would technically constitute data processing, but it would not implicate the privacy concerns that underpin GDPR. However, discerning where the EU draws the line will require some time and experience.
· The GDPR does not apply to all EU data. It is limited to personal data. “Personal data” is defined broadly. It encompasses standard data points such as name, address, telephone number, and contact information. There is an additional category of especially sensitive personal data that is considered even more sacrosanct, such as data regarding individuals’ political or religious beliefs, sexual orientation, medical records and the like.
· Contrary to popular belief, data processing under GDPR does not necessarily entail consumer consent. Additional legal grounds, such as public necessity, are available. However, most businesses will rely on consumer consent. Consent must be clear, specific and unambiguous. In other words, obtaining “consent” via click-through following several paragraphs of dense legal jargon will no longer suffice. Businesses should consider the legal justification for their EU data processing activities.
· GDPR is not universal. Critics had assailed the GDPR as an effort to foist European privacy requirements on the rest of the world. While a business may find it easier to comply with a single privacy regime for all of its global business, GDPR does not impose such a requirement. A number of businesses, with Facebook being perhaps the highest profile example, have elected to comply with GDPR for their EU clientele, while adhering to their original privacy policies for the rest of the world.
· The GDPR explicitly provides that the legal processes of a third country—e.g., a United States subpoena—is not a sufficient basis for the transfer of EU residents’ personal data to a third country. On the other hand, the recently enacted CLOUD Act specifically requires that such data be turned over to American law enforcement in certain circumstances. The potential for conflict between these two regulatory regimes (and others like the CLOUD Act) remains real.
· The GDPR requires the appointment of a Data Protection Officer if the business engages in certain types of data processing, such as processing highly sensitive data. The Data Protection Officer is envisioned as an in-house privacy ombudsman whose role encompasses defense of privacy rights. The position should enjoy a high degree of autonomy within the company hierarchy, including job security.
· At the Global Privacy Summit 2018, EU officials were clear that enforcement will begin on May 25, 2018, with no grace period.
· The focus of enforcement is the protection of data privacy, not the imposition of the GDPR’s highly publicized mammoth fines. Fines will be a function of the egregiousness of conduct and the businesses’ track record. Persistent violators will be prohibited from processing EU data.
· If there is one principle that underpins the GDPR, it is the notion that data belongs to the individual (or, in GDPR parlance, the “data subject”). The GDPR protects certain rights for all data subjects. These include (1) the right to access any personal data the business stores on the subject, (2) the right to revoke consent to data processing, (the famed “Right to be Forgotten”), and (3) if technically feasible, the right to obtain a copy of the subject’s own personal data in a format that could be used by a different service provider (the right to data portability).
The GDPR has been years in the making. The statutory text alone comprises over 100 pages of dense, technical requirements. The text is supplemented by guidance and Working Party papers. The full impact of GDPR implementation will only be evident in hindsight. Until then, U.S.-based organizations should have a firm grasp on (1) what EU personal data they collect; (2) how they protect that data; (3) the GDPR-compliant legal basis of that collection; and (4) the documentation of their compliance with Privacy-by-Design principles. Because despite all the current murkiness about the GDPR, this much is clear: We are going to be hearing a lot more about it in the years to come.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or email@example.com. Mike may be reached at 919.783.2851 or firstname.lastname@example.org.