The Long Reach of the GDPR
This is a wake-up call for those who think the new EU General Data Protection Regulation (GDPR), which will be enforced starting in May 2018, is not a serious compliance issue outside Europe. Here’s why you should care:
- Your European partners, affiliates, or customers will have to ensure that you respect the stricter requirements of the GDPR in handling any personal data they share with you.
- The GDPR expands the territorial scope of Europe’s privacy laws: it applies directly to processing in support of activities in Europe, as well as to the offering of goods or services to European residents and “monitoring” their behavior, even from outside the EU.
- The GDPR imposes new obligations and potential liabilities for processors as well as controllers. You need to be aware of those responsibilities even if you feel confident that you will always be characterized as a “mere processor” following the instructions of a European controller.
The GDPR replaces the 1995 EU Data Protection Directive. While it carries over most of the principles and terminology of the Directive, it also adds new principles (such as “privacy by default and by design” and a “right to erasure” or the “right to be forgotten”) and deliberately seeks to raise the bar for privacy protection, notably with stricter rules for establishing consent and responding to requests for access or correction. It includes new requirements for parental consent for collecting data about children and for security breach notification to authorities and individuals.
While the GDPR does away with bureaucratic “registration” requirements with the national data protection supervisory authorities, it does contemplate prior consultation with those agencies for “risky” processing activities. In place of registration, the GDPR introduces more internal privacy and security governance and management procedures, with provisions for internal data protection officers, data protection impact assessments, and detailed record-keeping (with exceptions for smaller organizations that do not handle sensitive data). It also raises the stakes for enforcement actions, providing for fines of up to EUR 20 million or 4% of worldwide annual revenues (whichever is higher).
All these stricter rules apply to organizations in the EU / EEA countries, and the GDPR carries over from the Directive the prohibition on transferring personal data outside the region to countries (such as the US) lacking an “adequate” level of legal protection for personal data. The GDPR recognizes the existing legal means of assuring such protection: an “adequacy” determination by the European Commission (such as the decisions favoring Canada and Switzerland, as well as US companies voluntarily participating in the EU-US Privacy Shield Framework program), EU-approved model contracts, binding corporate rules (BCRs) approved by the relevant national data protection supervisory authorities, or “derogations” such as express consent, contractual performance, or emergencies.
The good news is that an organization currently relying on one of these means of lawfully transferring data from the EU / EEA can continue to do so after May 2018. But the rest of the story is that all of these methods may require some tweaking to accommodate the GDPR. Privacy Shield is already under review, and national authorities reviewing new BCR applications will certainly do so with the GDPR as the standard. Model contracts already incorporate by reference the law of a selected country or adequacy decision, so they will tend more or less automatically to follow the evolution of the GDPR. The GDPR redefines the standards for informed consent (see Arts. 7, 49(1)(a)), and that should be reflected, for example, in the notice and consent forms that organizations rely on to collect and transfer data across borders.
In short, more disclosures may be required up front to collect and move data, and then, once the data is received in the US or another country outside Europe, the data will still have to be handled with attention to the new GDPR requirements concerning, for example, record-keeping, subject access, and security breach notification, to avoid liability issues for the controller in Europe and for the controller or processor abroad.
The Directive did not apply unless there was an act of processing on the territory of a Member State (Art. 4). The GDPR has a broader scope; it “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (Art. 3(1)). That appears to extend the regulation directly to a US web hosting company, for example, or an Indian BPO firm, a Chinese technical support service, or any number of foreign service providers that in the past operated outside the scope of European law (except indirectly through model contracts), when those services are used by a European data controller.
The language of Article 4 also arguably applies to the activities of a US headquarters or affiliate in handling personal data in support of the activities of a European subsidiary. Traditionally, the headquarters or technical support operation would need model contracts or Privacy Shield to receive personal data from the European affiliates, which means that the US entities would be restricted in handling the data according to principles broadly consistent with the Directive. But if the US entities are directly subject to the GDPR after May 2018, they will also be obliged to comply with the full panoply of new GDPR obligations of a controller or processor, as the case may be, which is more detailed than what is spelled out in model contracts or Privacy Shield. This suggests the need for appropriate training and awareness efforts aimed at the relevant staff and contractors handling European data. The US and other entities outside Europe may also require a data protection officer, revised privacy and security policies and security breach notification procedures, updated contracts with vendors, and a review of insurance and other risk management policies to account for the increased liability exposure.
GDPR Article 3(2) also extends jurisdiction to controllers or processors with no establishment in the EU, if they offer goods or services to EU residents or monitor their behavior (this is especially significant since the GDPR extends the definition of “personal data” to include “online identifiers”). That may reach a great many online retailers and service providers, as well as online analytics and fraud prevention services, most of which are not based in Europe. Those companies also should be updating their privacy policies, contracts, and security procedures, and considering whether they need to designate data protection officers and conduct data protection impact assessments. The GDPR may impose difficulties for some networked business applications, as it requires more disclosures about third-party data sharing and opt-outs or opt-ins for marketing (depending on the sensitivity of the data). While the GDPR contemplates a role for industry standards, for the most part those have not yet evolved in Europe, and there is little detailed guidance as yet from the authorities.
Under Article 27, each controller and processor subject to the GDPR that does not have a legal establishment in the EU, and performs more than occasional processing of European personal data, is obliged to designate in writing a “representative” established in an EU country. Perhaps European law firms or corporate service companies will come forward to offer their services as such representatives, but it is likely that this requirement will be ignored by multitudes of foreign companies that theoretically fall within the expansive jurisdiction of the GDPR. In any event, it might be difficult for a European individual or authority to bring a foreign company before a European court or agency if the company had no assets in Europe, but there is always the potential for negative publicity and pressure on the company’s European customers to suspend dealing with a “rogue” offshore firm.
“Only a Processor”
The GDPR retains the distinction between a controller (the entity that decides, alone or jointly with others, what data to collect and how it is used) and a processor that merely processes data on behalf of a controller. A web hosting company or payroll processing firm, for example, is usually treated as a processor; its customer is the controller of the personal data. In the past, a vendor or affiliate in the US or India, for example, could reasonably take the position that it would sign a services contract with a European customer, do its job, and let the customer keep it informed about any relevant requirements. With the GDPR, however, there are more responsibilities and potential liabilities for a processor.
The GDPR requires due diligence in selecting processors and a written agreement obliging them to follow the instructions of the controller and relevant supervisory authorities and to conform to the GDPR itself. Article 32 of the GDPR imposes security obligations on “the controller and the processor” (this may entail more written policies and record-keeping than some processors have been accustomed to in the past) and Article 33 obliges the processor to notify the controller “without undue delay” after becoming aware of a security breach, since the controller now has obligations to notify the authorities – typically within 72 hours – and in some cases the affected individuals. The GDPR (Arts. 28 and 29) also requires processors to obtain the controller’s authorization to use sub-processors and then bind sub-processors contractually to essentially the same obligations to follow the instructions of the controller and the authorities and comply with the GDPR. Processors must comply with GDPR rules for transferring data to countries outside the EU/EEA (see Arts. 28(3)(a), 44-49). Processors must cooperate with the controller in complying with requirements for data impact assessments or prior consultation with the relevant data protection supervisory authority (Art. 28(f)).
As a practical matter, processors will also often be instrumental in responding to complaints, inquiries, and instances where data subjects exercise their expanded rights under the GDPR for access, correction, objections, restrictions on processing, temporary suspension of processing, and communication of corrections to third parties.
Importantly, GDPR requires processors to appoint an internal data protection officer and maintain records of their processing activities if they employ 250 or more persons or handle any of the sensitive categories of data under Articles 9 or 10, or if the processing carries a risk to the “rights and freedoms” of data subjects (Arts. 30, 37). European controllers that handle such data will presumably insist on such record-keeping by processors to ensure their own compliance. Because some of these tests are relatively subjective, and the market for many IT services is highly competitive, we predict that it will soon be the norm for even smaller vendors targeting the European market to designate an internal data protection officer and maintain record-keeping designed to satisfy GDPR compliance standards.
Moreover, in addition to administrative actions by the national supervisory authorities, the GDPR provides a right to “an effective judicial remedy” against processors as well as controllers, either in a Member State where the processor or controller has an establishment or where the individual data subject resides (Art. 79), and Article 80 says that data subjects can be represented before the supervisory authority or the court by a nonprofit advocacy organization (which is unusual in Europe). Claims may include compensation for both “material and non-material” damages. This is all rather new for privacy litigation in Europe, and it remains to be seen whether it will be practicable, especially with respect to service providers that lack any establishment in Europe. They may well be concerned about the prospects for indemnification to their European customers, however, as Article 82(5) specifically contemplates that a controller or processor can “claim back” the portion of damages for which the other party is responsible.
In the past, it has been fairly simple for a processor in the US to represent in the service contract that it is in compliance with “all applicable laws.” After May 2018, that clause may well trigger a little more introspection. There are steps even a “mere processor” must take, in terms of training, organization, policies and procedures, documentation, security, and contracts, to feel comfortable in the GDPR environment.
The GDPR holds some promise for greater uniformity and less bureaucracy in European data protection, but it clearly is meant to reach farther and deeper than its predecessor, and it will have an impact far beyond the EU. For organizations that deal with information about European residents, it is time to get informed and make preparations. The clock is ticking.