E.U. General Data Protection Regulation Looms for American Multinational Businesses
By: Jon Avidor and Cassidy Lopez
If you do business in Europe, a new landmark European Union data protection law may have a huge impact on how you collect and store personal information from your E.U. clients and customers.
The General Data Protection Regulation (GDPR), which is set to go into effect on May 28, 2018, is perhaps the most significant change in personal data privacy rules to date. The new regulation gives European Union citizens more control over the private information they share online and applies to all companies worldwide that do business with E.U. citizens. It is a prime example of the difference in how American law and European law approach consumer privacy—opt-in vs. opt-out—while forcing global companies, especially those in the tech, retail, healthcare, and financial industries, to find a compliant yet practical and workable balance.
The new law itself has extensive technical and costly requirements, including providing E.U. customers with copies of their personal data at their request and deleting any such personal data at the customer’s behest. Companies must also report any data breaches within a 72-hour period. Non-compliant companies can face steep fines of as much as 4% of their annual revenue or 20 million Euros, whichever is higher.
Implications for Data Collection and Retention
Personal Data: The GDPR regulates directly or indirectly identifiable information about a person, or “Data Subject,” which is more expansive than the traditional American concept of “personally identifiable information,” and can include the consumer’s name, photo, email address, financial and banking information, social media posts, medical information, and even IP address.
Information Concerning Minors: Data controllers must obtain parental consent before processing personal data of children under the age of 16, though E.U. member states may lower the minimum age to no less than 13. This sets a higher bar than American privacy law, which under the Children’s Online Privacy Protection Act requires verifiable parental consent before collecting and storing personally identifiable information relating to children under the age of 13.
Consent to Collect Data: The hidden browse-wrap privacy policy is a no-go under the GDPR. Data collectors must have “unambiguous” consent to collect ordinary identifiable “personal data,” such as a person’s name, location data, or demographics, but “explicit” consent to collect sensitive personal data, including information relating to a person’s racial or ethnic origin, political opinions, religious beliefs, health, and more. An intelligible and easily accessible form stating the purpose of data collection is sufficient for unambiguous consent, but explicit consent requires affirmative acceptance or opt-in.
Data Retention and Consumer Requests: The GDPR’s greatest compliance cost will likely result from its strict data retention policies. Data collectors must routinely account for the data they hold, why they hold it, and where, how, and for how long it is stored. Within one month of a request by a data subject, these companies must provide E.U.-citizen customers with reports detailing all high-risk personally identifiable information held by the company and disclose how they use that data and under what permissions. Companies will need to develop mechanisms for users to submit data requests to gain access to their personal information.
This is not surprising in light of the 2014 ruling by the Court of Justice of the European Union that, under the EU’s 1995 Data Protection Directive, individuals have the “right to be forgotten,” more specifically, the right to request Internet search engine operators remove information from search results that is “inaccurate, inadequate, irrelevant, or excessive.” Listen to John Oliver’s take on Last Week Tonight.
Mandatory Security Breach Notifications: To ensure accountability, in the event of a “high risk” security breach, the data controller must notify its country’s supervisory authority and all affected individuals within 72 hours of discovering the breach.
Appointing Data Protection Officers: Organizations that engage in “large scale” systematic collection and processing of personal data must hire an expert in data protection law and practices as a Data Protection Officer.
Penalties for Non-Compliance: The enforcement mechanism under the GDPR is a fine, tiered up to the greater of 4% of total worldwide turnover (i.e., revenue) in the past financial year or 20 million Euros, based on, among other things, the scope and duration, negligence, and subsequent transparency of the data breach or non-compliance, as well as past infringements.
Effect of Brexit: Since the United Kingdom will still be a member of the European Union when the GDPR goes into effect later this year, the GDPR will become part of U.K. law and remain so after the U.K. leaves the E.U. The U.K. Department of Digital, Culture, Media and Sport introduced into Parliament the Data Protection Bill, which, according to Shearman & Sterling, would largely implement and perhaps even enhance the GDPR framework and policies. As of January 18, 2018, the bill had proceeded from the House of Lords and is currently under consideration in the House of Commons. Check the status here.
U.S. Cooperation and the Privacy Shield
The E.U.-U.S. Privacy Shield framework is an agreement between the U.S. Department of Commerce and the European Commission designed to provide a regulatory framework for commercial personal data exchange between the European Union and United States in a way that satisfies both jurisdictions’ privacy and consumer data protection laws, namely the GDPR. It replaces the U.S.-E.U. Safe Harbor program. Once an eligible U.S. organization voluntarily and publicly commits to the Privacy Shield Principles, compliance with its commitment to data processing transparency, security, and accessibility is enforceable under U.S. law, primarily by the Federal Trade Commission or, if relating to an airline or ticket agent, the Department of Transportation. Participating American businesses must also provide a free mechanism for consumers to resolve privacy issues directly with the company and agree to final, “last resort” arbitration with an approved data protection authority. The E.U.-U.S. Privacy Shield will not apply to data transfer between U.S. and U.K. companies post-Brexit, according to a U.K. parliamentary committee report as reported by TechCrunch.
Looking Ahead, Companies Weigh Their Options
Compliance with GDPR is a top priority for many large U.S.-based multinational companies, but achieving compliance won’t be cheap. PricewaterhouseCoopers reported that, to insure against the threat of fines and penalties resulting from non-compliance, 92% of U.S. multinational companies cite compliance with GDPR as a top priority and 68% of those companies are committing between $1 million and $10 million to GDPR compliance efforts. For others, the investment isn’t worth the return, and the threat of high fines and injunctions is instead leading some businesses to reconsider doing business in Europe. In another recent survey conducted by PwC, 32% of respondents plan to reduce their European presence, while 26% plan to exit the European market altogether. While Google parent company Alphabet certainly won’t exit the European market, which contributes approximately $9.3 billion to Google’s annual revenue (approximately 33%), Deutsche Bank predicts Google’s bottom line could take a 2% hit as an estimated 30% of E.U. users will likely opt out of data sharing under the GDPR, decreasing Google’s targeted ad efficiency by 20%. One report also claims that only 34% of sites in the EU are ready for GDPR. As European regulators continue to clarify how they will interpret the GDPR, more American companies are likely to re-evaluate the return on investment of their European initiatives.
* We would like to thank Cassidy Lopez for her contribution to this article.