Everyone is talking about the European Union’s (EU) General Data Protection Regulation (GDPR), which takes effect today. Recent news reports about misuse of personal data suggest that rules to protect personal data are essential in today’s interconnected (online) world. But what is the GDPR exactly? And why should you care about an EU law if you live in the United States?
In the EU, the protection of personal data and the respect for private life are fundamental rights, codified in the EU Charter and in the Treaty on the Functioning of the European Union (TFEU). The GDPR is the result of a long legislative process with the aim of replacing and updating the current data protection rules and adapting them to the digital age. It covers the processing of all personal data, irrespective of the means of transmission. Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’).” (GDPR, Art. 4(1)). Examples of personal data include name, home address, email address, location data, genetic data, health data, or data concerning criminal convictions.
The GDPR is complemented by the ePrivacy Directive which states how data protection principles apply to the electronic communications sector to ensure the confidentiality of communications. A proposal to update and replace the ePrivacy Directive with an ePrivacy Regulation is currently being debated in the European Parliament and the Council and is slated to go into effect in the summer of 2018. Unlike the GDPR, the ePrivacy rules are applicable to personal and non-personal data.
The GDPR has a broad material and territorial scope. “Processing” personal data is any operation performed on personal data such as collection, recording, organization, structuring, storage, consultation, use, dissemination, or destruction, among others. (GDPR, Art. 4(2)). Examples provided by the European Commission include staff management and payroll administration; access to or consultation of a contacts database containing personal data; sending promotional emails; shredding documents containing personal data; posting or putting a photo of a person on a website; or storing IP addresses or MAC addresses.
One of the reasons why an EU law might affect businesses and organizations in the U.S. is the broad territorial scope of the GDPR. Its rules apply not only to businesses that have an establishment in the EU, but to all businesses, regardless of location, that offer goods and services to consumers located in the EU or that monitor the behavior of EU consumers. Monitoring behavior means tracking an EU resident on the internet as well as the potential subsequent use of personal data processing techniques to profile that person to analyze or predict her or his personal preferences, behaviors, and attitudes.
Rights and Principles
Individuals are guaranteed certain rights with regard to their personal data, such as receiving information in clear and plain language on what personal data is stored, why, and for how long; the right to access data; the right to object to the processing; the right to correct incorrect data; the right to have data deleted (“right to be forgotten”); the right to move personal data to a different company (data portability); and the right to have a decision based solely on automated processing (an algorithm), for example the refusal of an online credit application, be made or reviewed by a natural person instead of a computer.
Controllers processing personal data must ensure that the processing complies with the principles set out in the GDPR, in particular lawfulness, meaning there needs to be a proper legal basis for the processing. “Controllers” of personal data include search engines and social networking services. Most of the time, data is processed on the basis of consent given by the individual. The notion of consent is given a prominent place in the GDPR. Consent is only valid if it is freely given, specific, informed, and an unambiguous indication of a person’s agreement to the processing by means of a statement or clear affirmative action. (GDPR, Art. 4(11)). That means that silence, pre-ticked boxes (checked by default), or inactivity do not constitute valid consent. Furthermore, withdrawing consent needs to be as easy as giving consent.
Businesses are obligated to notify the national data protection authorities of a data breach without undue delay and additionally notify the individual if there is a high risk that rights and freedoms are violated. Failure to notify such a breach may result in fines, in addition to or instead of other corrective measures such as a warning, reprimand, or the suspension of the processing of personal data. Certain breaches may result in fines of up to €20 million (about US$23.5 million) or 4% of a company’s global turnover. However, the GDPR only sets the maximum amount for a fine. It is up to the national data protection authorities to determine an effective, proportionate, and dissuasive sanction which should be equivalent across the EU.
Transfer of Personal Data Outside the EU
Why else should anyone in the U.S. care about the GDPR? The GDPR contains rules about the transfer of personal data to countries outside of the EU. Such a transfer is only possible if the European Commission determines that the foreign country offers an “adequate level” of data protection. In general, the U.S. data protection rules only fulfill these requirements if the data is transferred within the framework of the EU-U.S. Privacy Shield, an approved data transfer mechanism. Companies that are not self-certified to the Privacy Shield principles can instead use approved standard contractual clauses or adhere to approved binding corporate rules to transfer personal data outside of the EU.
In order to enforce the data protection rules of the GDPR internationally, the GDPR obligates the EU Commission and the national supervisory authorities to develop international cooperation mechanisms, provide international mutual legal assistance, engage relevant stakeholders, and promote the exchange and documentation of personal data legislation. (GDPR, Art. 50).
This blog post is intended to provide a brief overview of the GDPR and why it may affect a company or an organization in the U.S. If you would like to find out more about the GDPR and data protection in the EU as well as in the EU Member States France, Germany, Italy, the Netherlands, Portugal, Spain, Sweden, and the United Kingdom, and how it compares to the data protection laws in Australia, Canada, Israel, and Japan, I suggest consulting the recently published Law Library of Congress report Online Privacy Law (2017 Update). The report updates two earlier reports from 2012 that reviewed the right to personal data protection and the right to privacy on the web in the EU and in selected countries.