Over the past several weeks, you have probably been receiving e-mail from various online service providers announcing updates to their privacy policies. While these e-mails often claim that they are being sent because the organization values your privacy, there is actually a deeper reason. On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) became effective. With the implementation of the GDPR, the EU has now enacted the most stringent and far-reaching restrictions and privacy shields on the collection of personal data from EU residents. Previously, the United States set the standard for privacy regulation, and as long as a service provider complied with the United States’ requirements, it was likely well protected worldwide. The EU has now raised the bar, and US companies whose online services are available to EU residents need to think about GDPR compliance.
The GDPR’s protections extend to the personal data of individuals or “natural persons” who are EU residents. The GDPR defines personal data as “any information relating to an identified or identifiable natural person (data subject).” An “identifiable person” is any natural person “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” In addition to this identifiable personal data, the GDPR also grants special protection status to “sensitive data,” which includes “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data (when used to uniquely identify a natural person), and data concerning health or a person’s sex life or sexual orientation.” The collection and processing of personal data of a child younger than 16 years old is specifically prohibited, except with the consent or authorization of a parent, and that consent must be reasonably verified by the entity collecting the data. This means that an entity that collects or processes any of the personal data of a natural person residing in the EU must (i) obtain explicit consent for the processing and collection of that data, or (ii) have a legitimate purpose for the processing and collection of such data.
Even though the above protections are limited to the personal data of EU residents, the EU has drafted the GDPR so that it applies to entities based outside of the EU if their activities are related to (i) the offering of goods or services to EU residents, whether or not the activity is connected to a payment, or (ii) the monitoring of the behavior of EU residents when that behavior takes place within the EU. Whether an entity is subject to the GDPR depends on whether it is clear that the entity intends to offer services to natural persons in one or more of the EU member states. Under these criteria, if an entity has a website that markets specifically to residents of an EU country, accepts Euros as payment for its services, and ships its products to the EU, the entity will probably be subject to the GDPR.
The potential application of the GDPR is not limited to an entity’s online presence. For instance, if an entity employs EU residents, even if not directly but through a subsidiary or an affiliate, the entity may be subject to the GDPR. Also, if an entity has an EU franchise, agent or representative, it could find itself with access to potential sources of personal data, regardless of how small or limited, that may subject the entity to the GDPR. For instance, an entity may collect personal or sensitive data that is protected by the GDPR in the platforms it uses for benefits programs or payroll, in its employee contact lists or directories, or in its recruitment or job application files. Other places where issues may arise are customer relationship management tools, software applications, IT maintenance and security activities, remote logins, business-related travel and event attendance, professional development and training, or external reporting websites.
The EU has put some teeth into the GDPR by imposing significant fines on entities that are found to be in violation. The penalties are based on the entity’s global revenue and the infraction. For instance, an entity that fails to report a data breach within 72 hours may be subject to a fine of 2% of its global revenue, up to €10 Million. For a second infraction, however, the fine increases to 4% of the entity’s global revenue, up to €20 Million. It remains to be seen how the EU will enforce the GDPR and gain jurisdiction over entities that are US based and have no operations in the EU beyond a website that may be accessible to EU residents. That being said, many companies are taking action now to implement changes to their privacy policies and data handling protocols to ensure that they are compliant and to avoid any potential issues in the future.
Stacie D. Nyborg, Attorney
DISCLAIMER: This Advisor is one of a series of business, real estate, employment, estate planning and tax bulletins prepared by the attorneys at Fauver, Large, Archbald & Spray, LLP. This Advisor is not exhaustive, nor is it legal advice. You should discuss your particular situation with us or with your own attorney. Our legal representation is only undertaken through a written engagement letter and not by the distribution or use of this Advisor.