Discussions on privacy laws have taken front and center in recent weeks as GDPR (General Data Protection Regulation) begins to be enforced by European Union (EU) member states on May 25, 2018. As we have been discussing for a while, there is confusion as data collectors try to figure out the impact of this legislation. There is no question that large, multi-national corporations will have to comply and many of these corporations are already in compliance. However, with this deadline just around the corner, smaller companies that do not actively target EU residents are struggling with how this legislation impacts them.
Until all these laws are harmonized, the safest route for smaller companies may be to comply with GDPR, state, federal, local and industry regulations as much as possible. While the GDPR deadline is looming, it is worthwhile for smaller data collectors to consider the following aspects.
The GDPR website states this legislation “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” (A guide to the EU GDPR can be found here.)
Importantly, GDPR will apply to all data collectors holding the personal data of EU residents regardless of the location of the data collector. The definition of personal data is broadened to the extent to include any information “that can be used to directly or indirectly identify the person.” Therefore, under GDPR, this information can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
GDPR also imposes new obligations on how the data is to be handled and stored. For example, EU residents will have a “right of access” that requires data collectors to provide specific details about how information is processed. GDPR grants EU residents a right to have their personal data deleted or erased by a data collector upon their request. The penalties for non-compliance may total anywhere from 4% of the annual global turnover of the breaching data collector or €20 Million (whichever is greater).
We have been getting questions from our clients about how GDPR may impact them. The knee-jerk reaction from many American companies appears to be to ignore GDPR if their business is not focused on EU residents. Admittedly, there are many questions concerning how GDPR regulations can be enforced on data collectors outside of the European Union. Of course, betting on the fact that the EU will not be able to broadly enforce these regulations is not the best strategy.
The consensus is that general marketing to customers that may include EU residents will not trigger an obligation under the GDPR. Rather, it appears at this time, that EU residents will need to be directly targeted for GDPR to apply to data collectors outside the United States. Commentators have provided the following analysis on this issue:
For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.
Accepting currency of that country and having a domain suffix — say a U.S. website that can be reached with a .nl from the Netherlands — would certainly seal the case.
Even if GDPR compliance may not be a priority for smaller data collectors, it is still worthwhile at this time for data collectors to consider compliance for the following reasons:
– GDPR compliance is not costly. At this point, compliance may be adding a few new disclosures to their website.
– GDPR compliance has a positive impact for customers that trust you with their data. Even if large, multi-national corporations have the most at stake, working toward GDPR compliance will only make data safer. Keeping data safe may result in more business and cutting losses related to a cyber incident.
– GDPR compliance puts you ahead of the pack. There is no doubt that the GDPR regulations are the most-strict and punitive we have seen to date. However, GDPR compliance is only going to help data collectors comply with state, federal and industry standards that they may already be required to follow. Further, if the GDPR is successful, data collectors can be certain the U.S. will adopt similar standards.
Now that it is clear that GDPR compliance may be a concern even for data collectors that are not necessarily targeting EU residents, a discussion as to the potential for liability can be guided by the following points:
The issues concerning GDPR are not new. Data collectors have been struggling with compliance with federal, state, local and industry data collection requirements for years. For example, an employer in Chicago, Illinois may hold information for its employees that are residents of Illinois, Wisconsin or Indiana. This employer may have been trying to harmonize privacy regulations for years at this point. Consequently, data collectors should use GDPR as another opportunity to access the safeguards they have in place to protect data.
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|