The world of data has never been the same: on May 25, 2018, the European Union’s General Data Protection Regulation (“GDPR”) went into full force and effect, changing the way individuals and organizations handle personal data, not only within the EU, but globally. The GDPR builds on existing law not only by standardizing and strengthening the data rights of 511 million EU citizens, but by extending enforcement of these rights to any company that processes or controls EU citizens’ data, with limited exception. The EU first adopted the new data privacy regime in April 2016 and, while penalties for non-compliance can be severe, The Economist estimates that 60% of covered organizations are “not ready” to attain compliance with the GDPR.
Scope, Goals, & Comparison
The goals of the GDPR are threefold: 1) enhanced protection of EU citizens’ data, 2) harmonization of EU data privacy laws, and 3) expanded and more stringent enforcement. Covered “personal data” encompasses any information collected that could directly or indirectly identify an EU citizen including, but not limited to, names, photographs, e-mail addresses, banking information, social networking posts, medical information, and IP addresses. Globally, the GDPR will extend the reach of the EU’s revamped data laws to all foreign companies that “offer goods or services to, or monitor the behavior of, EU data subjects,” regardless of whether the company or the data in question physically reside within the EU. Additionally, non-EU companies engaging in large-scale processing of user data may be required to appoint a compliance representative within the EU. Foreign companies, like their European counterparts, face the same penalties for non-compliance with the GDPR’s mandates.
User Autonomy: Right of Access, Erasure, and Portability
Several key user autonomy rights set out in the GDPR will have the most significant impact on organizations handling EU citizens’ personal data. These include the three complementary user rights of access, erasure, and portability. Additionally, privacy measures will be required by default, where appropriate, in the collection, storage, use, and dissemination of data.
First, right-of-access provisions allow end users to require a data controller to confirm that their personal data is being processed, where it is being processed, and for what purpose. Upon request by an end user, a data controller is also required to provide a copy of the data to the user free of charge in an electronic format. Thus, covered companies will need to gauge the likely frequency of such requests and develop the means to respond to user data requests adequately and on time.
Additionally, the right to be forgotten (“data erasure” within the GDPR) allows a user to require a data controller to permanently delete and cease further dissemination of the user’s personal data. The user may also require the controller to instruct third parties to cease processing the user’s data. In addition to developing policies and procedures to ensure compliance with first-party user deletion requests, companies will need enforceable and robust business associate agreements that give the company the right to mandate third-party destruction and to verify that it occurred. The GDPR also requires that controllers weigh users’ rights against the “public interest in the availability of the data.” The complete range of scenarios under which an organization could decline a user deletion request is unclear, but it would certainly encompass evidence of a crime or other major wrongdoing such as public fraud. Thus, companies may be required to implement procedures to ensure that honoring a deletion request does not enable a criminal cover-up.
Further, the GDPR also requires data portability for users, i.e., the ability for a user to take data from one data controller to another in a “commonly used machine readable format.” In conjunction with the right to be forgotten, users should theoretically be able to move all their data from one provider to another as if it were a piece of physical property.
Facilitating the user rights of access, erasure, and portability will present significant logistical and policy considerations for companies. With the rapid growth and availability of cloud computing, some organizations will opt to provide an online portal through which users can access, account for, obtain, and require deletion of their data. Specialized vendors will provide these services to the large proportion of companies that opt not to perform these sophisticated tasks in-house. Companies will need to assess the quality of such services and the legal implications of using them.
Privacy by Design/Default
In addition to the rights of access, portability, and erasure, data controllers must now provide meaningful privacy options to users by default, through both technical and organizational measures. The GDPR will require controllers to limit their retention and processing of user data to only the extent “absolutely necessary” to complete the organization’s duties. Non-end-user access to data must also be limited to an “as-needed” basis. On the technical side, companies will need to audit data gathering processes and products to identify what types of data are being gathered and what privacy measures are in place. Database encryption of user data will also become a critical back-end technical component of ensuring privacy by default. HTTPS should be implemented at all web-level interactions with end users. On the organizational side, an audit of policies and procedures and of external business associate agreements will be required to confirm that users’ privacy rights are being honored. Companies will need to curtail the sale of personal data to third parties without user consent. At the user point of contact, reasonable opt-outs must be provided and honored. Terms of service must clearly set out users’ privacy rights and how the organization ensures compliance with those rights.
Companies that wish to obtain, control, and process personal data must obtain clear and unambiguous consent to do so from users. Consent must now be obtained in a context not obscured by a volume of information or fine print. Users must be able to withdraw consent to the processing of their data just as easily as they gave it. Explicit “opt-in” consent is required for obtaining and processing certain sensitive personal information (e.g., data revealing racial or ethnic origin).
Under the GDPR, a data “breach” is defined as an “accidental or unlawful destruction, loss, alteration, unauthori[z]ed disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Where a breach is identified, a covered organization must notify a state’s supervising authority within 72 hours of first notice of the breach. The GDPR will require mandatory notification of data breaches to the end-user “without undue delay” where a breach is likely to result in “risk for the rights and freedoms of individuals.” A likely example would involve disclosure of personal banking or financial information.
Given the frequency and magnitude of data breaches affecting companies in the U.S., inadvertent data breaches likely present the greatest source of future penalties and litigation under the GDPR. Other than HIPAA, the current legal landscape in the U.S. pertaining to data breaches consists of a 50-state patchwork of varying state laws and regulations. Despite recent efforts to pass and implement data breach legislation and a comparable “Data Privacy Bill of Rights,” U.S. Congressional efforts have proved unsuccessful. As data breach insurance has become increasingly available in the U.S., companies’ evaluation of such products should include whether coverage extends to enforcement penalties under the GDPR.
While a single set of rules now governs all EU member states, member states are required to establish their own independent supervisory authorities (SAs) to adjudicate complaints and administrative actions (a state-by-state list is provided here). If a covered company commits a serious breach of the GDPR’s mandates—such as a violation of core privacy practices or rules pertaining to user consent—maximum fines can be as high as the greater of 4% of annual global revenue or €20 million (approximately $25 million USD, $31 million CDN). Maximum penalties are expected to be rare and reserved for the most serious breaches of the regulation. A system of graduated penalties exists for less serious infractions.
The impact of the GDPR on the business of information cannot be overstated. For organizations within the U.S., the most meaningful comparison that can be drawn to the GDPR is with HIPAA. Thus, companies that collect, process, and maintain protected health information may be the best positioned to become leaders in GDPR compliance. But for all companies, significant but attainable safeguards can be implemented. Organizational measures include development and implementation of policies and vendor contracts that ensure the principles of “minimum necessary” collection of user data and “as-needed” access by non-end users. Internal policies should prohibit the use of external portable USB drives, require appropriate storage of credentials, and require locks on workstations with access to sensitive data. From a technical standpoint, measures such as two-factor authentication, database encryption, and HTTPS at web-level access points will become expected practice. Ultimately, because of the size of the EU and the value of access to its citizens’ data, the GDPR may function as the model guideline for companies in the business of personal data. Facebook, for example, has announced that it will adopt the GDPR standards universally across its platform. Will your organization be ready?
This post is for general information purposes and is not meant, by itself, to create an attorney-client relationship or constitute legal, accounting, or other professional advice.