Stephen Kelly, shareholder with Hill Ward Henderson in Tampa, FL.

Recent Fines for Violations of the GDPR

On Jan. 21, French Data Protection Authority (CNIL) imposed a fine of $57 million on Google, Inc. for violations of the General Data Protection Regulation (GDPR), which was enacted on May 25, 2018. Examples of other fines imposed by member states in the European Union (EU) range from $5,500.00 in Austria to more than $450,000.00 in Portugal. With maximum allowable GDPR fines reaching to up $20 million or 4% of a violating party’s worldwide revenue, business decision makers are taking note.

What Does This Mean for US Businesses?

Could a European regulator reach a U.S. business under the purview of the GDPR, possibly imposing hefty fines? To date, there are still more questions than answers. The GDPR is drafted in generalized, vague language, and its provisions can be supplemented by local law in each member state. Since enforcement and fine setting are also done at the member state level, jurisdictional inconsistencies are inevitable. At this early stage of GDPR enforcement, even leading compliance advisers are reduced to some level of guesswork in providing guidance to those regulated by the GDPR. However, for U.S. businesses some useful guidelines are emerging.

Territorial Scope of the GDPR

The first question for any U.S. business is about the territorial scope of the GDPR. Under Article 3(2) of the regulation, the GDPR extends to any entity that: has a place of business in the EU; offers goods or services to data subjects in the EU; or monitors the activities of data subjects in the EU. Unless a U.S. business falls into one of these three categories, its activities are not subject to GDPR enforcement. Note that a “data subject” is any person located in the EU, regardless of citizenship. Conversely, the GDPR does not apply to personal data obtained from any person located outside the EU, even if the person is a citizen of a Member State.

Place of Business in the EU

The question of physical presence is whether a U.S. business has established commercial activity in the EU through the exercise of stable arrangements. For this factor, the bar is low, and it can be satisfied by a direct physical presence, an EU presence of a related company, or the location of even a single business representative in the EU. U.S. businesses should carefully consider whether they, or any of their subsidiaries or affiliates, have offices, warehouses, distribution locations, data centers, or any other physical presence in the EU. Regarding personnel, consider whether the business has sales personnel, purchasing agents, or other types of stable arrangements for business or legal representatives.

Offering Goods or Services to Data Subjects in the EU

This ground for regulation can take effect even if no payment is received for goods or services offered, delivered or rendered. However, a business will not be subject to the GDPR merely because it has a website that is accessible from the EU or because data subjects in the EU can contact the business via the U.S. contact information provided on a website. A more intentional and directed action is needed to trigger regulation.

A U.S. business should consider whether it is: advertising in any local EU publications, television, radio, or electronic media outlets or through a website having an EU country-specific top-level domain; offering goods in the local language or currency of any EU member states; paying any search engines to facilitate access by EU data subjects; or using the names of specific member states for targeted online advertising, social media handles, or online search terms or metatags.

Monitoring the Activities of Data Subjects in the EU

Monitoring the activities of data subjects in the EU may trigger GDPR regulation if the monitoring is done for the purpose of profiling the data subject, particularly in order to make decisions concerning the data subject or for analyzing or predicting his or her personal preferences, behaviors or attitudes. This would include, for example, profiling EU data subjects for the purposes of targeted advertising or other targeted marketing efforts. Merely maintaining a list of customer contact information, without more, would not meet this standard for GDPR regulation even if some of the customers are located in the EU.

The GDPR recitals also suggest that activity can fall under this provision where data subjects in the EU can be monitored, such as by security video or by the monitoring of company equipment, such as GPS tracking devices on company vehicles or mobile devices. U.S. businesses should consider whether their BYOD policy permits them to access the employee’s personal data that is not related to his or her employment.

Data Sharing Among Business Partners

Article 28 of the GDPR restricts data controllers from sharing personal data with data processors who have not provided significant guarantees of compliance. This means that many U.S. businesses will be asked by their business partners to demonstrate compliance and to provide contractual indemnities for noncompliance. Such indemnities should be carefully considered to avoid significant exposure.

Lessons Learned From the Google Fine

If a U.S. business falls under the GDPR, what can it learn from the recent fine imposed on Google? The CNIL’s decision is instructive on how to meet the notice and consent requirements in the GDPR, at least in the view of French regulators.

According to the CNIL, Google violated the GDPR in two ways. The first violation was Google’s failure to comply with the transparency and notice provisions. Evidence showed that Google users had difficulty in accessing essential information about Google uses the personal data. For example, the CNIL cited users’ difficulty in accessing Google’s legitimate purposes for processing personal data, the duration of data storage, the categories of data used for personalized advertisements, and other essential information. To locate this information, which was dispersed across several locations, web pages, and documents, users had to navigate several online buttons and links, often requiring more than six or seven actions. Much of the information was presented in vague and generalized language, and the CNIL was not satisfied that this was sufficiently clear or comprehensible so that the users could understand the nature and extent of Google’s data processing and its consequences to the user.

Regarding the second violation, the CNIL determined that the issues noted above left users too uninformed to provide valid consent to Google’s data processing. For example, some of the notice language broadly stated that the information Google collects is used to improve the services offered to all of its users. Other statements said that the information collected and how it is used depends on how the user engages Google services and how the user manages his privacy settings. To the CNIL, these sweeping statements were too uninformative to users.

In addition, some of Google’s evidence of consent for personalized ads included online check boxes that were automatically checked by default, meaning that the user had to uncheck each box to withhold consent. CNIL found that these automatically pre-checked boxes were not unambiguous because they did not result from clear affirmative action by the user. Finally, the CNIL found that the users’ consent was not specific because it was obtained by Google as a blanket consent for all of Google’s data processing activities, as described in Google’s Privacy Policy. The CNIL determined that the GDPR requires consent that is specific to each legitimate processing purpose.

Those under the regulation of the GDPR should take note of the rationale provided by the CNIL. In short, data subjects must be presented with clear and concise statements of how and why personal data is collected, how it is used, how long it is stored, and who will have access to it.  This type of notice must be provided for each data processing activity, and the data subject must provide clear affirmative consent. Generalized language dispersed throughout many links, buttons, and documents is insufficient to provide adequate notice, and automatic pre-authorization is too ambiguous to show clear affirmative consent.

Stephen Kelly, a Tampa patent attorney, is with law firm Hill Ward Henderson.