New European Privacy Rules Have a Broad Reach and the Time to Comply Is Now
Meeting GDPR requirements can take some time, so, if your organization is impacted by the GDPR and compliance efforts are not already underway, it is time to get started.
December 04, 2017 at 11:09 AM
6 minute read
The European Union's next-generation privacy law, the General Data Protection Regulation (GDPR), is being implemented now, and full compliance is required by May 25, 2018. The GDPR will directly or indirectly affect companies in Georgia and around the world that do business in the EU or otherwise process personal data that comes from the EU. Penalties for noncompliance can be as much as 20 million euros (approximately $23.5 million) or 4 percent of an organization's worldwide annual turnover, whichever is greater.
Article 3 of the GDPR asserts a broad extraterritorial reach, so your organization does not need to have EU locations to be affected. Collecting personal data about individuals who are in the EU in the course of offering them goods or services is sufficient, whether or not payment is involved. If your website quotes prices in euros or other EU currencies, or has French, German or other EU-language versions, your organization could be subject to the GDPR. Monitoring the behavior of individuals in the EU, through website tracking tools or other means, also can bring an organization into scope. Even if your organization does not collect personal data directly from individuals in the EU, it still may be affected indirectly through the GDPR's contract-related requirements if it acts as a service provider (usually a “processor” in EU terminology) for an organization that is covered.
The GDPR, which builds on existing EU privacy law, consists of 99 articles and 173 explanatory recitals. For organizations that already have robust programs for compliance with existing EU privacy laws, the GDPR still includes a number of new requirements that will call for enhanced compliance measures. For organizations new to EU privacy rules, compliance likely will be a heavier lift. Some key areas include:
Basis for Processing, Notice and Consent
Unlike in the U.S., where personal data usually can be processed unless there is a prohibition, under EU law there must be a lawful basis for all processing of personal data.
Consent of the data subject can be one such lawful basis for processing, but it must be freely given, specific, informed and unambiguous. These are not new features of EU data protection law, but the GDPR does include enhanced notice obligations, which means that privacy notices given to consumers may need to be revised. GDPR Articles 5-7, 12-14.
For “special categories” of personal data, such as health information, genetic information, biometric information, or information about racial or ethnic origin, political opinions, sex life, or religious or philosophical beliefs, processing continues to be prohibited except in limited circumstances. Article 9.
Contract Requirements
Controllers (the organizations that decide the purposes and means of processing) are only permitted to use processors that provide “sufficient guarantees” that processing will be done in compliance with the GDPR, and contracts with data processors must address specific points identified in the GDPR. Since these are new requirements, existing contracts will need to be amended. Processors also must flow these requirements down to subprocessors, and controllers must approve (or at least have the ability to object to) each subprocessor that a processor wants to involve in the processing of personal data. Article 28.
Recordkeeping
Controllers and processors are required to keep detailed records of their processing activities, including the categories of information being processed, the purposes for which data is being processed, the categories of recipients of the data, documentation of transfers to third countries and the safeguards relied on for those transfers, a general description of data security measures and, where possible, the anticipated length of data retention. Article 30.
Data Security and Data Breach Notification
The GDPR includes broad data security obligations and, in the event of a personal data breach, controllers are expected to notify the relevant EU supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Processors must notify the controller without undue delay after becoming aware of a breach. Affected individuals also must be notified without undue delay if the breach is likely to result in a high risk to them. Articles 32-34.
Data Erasure/The Right to Be Forgotten
The GDPR builds on EU case law to give individuals an enhanced “right to be forgotten.” This right is not unlimited, but it gives individuals the right to have personal data about them erased if certain circumstances apply. Article 17.
Data Portability
In certain cases, controllers must provide individuals with their personal data in a structured, commonly used and machine readable format and individuals must be able to transmit this information to another controller without hindrance. Article 20.
Data Protection Impact Assessments
Building on concepts of privacy by design, controllers are required to conduct assessments of processing activities, particularly those involving new technologies, that are likely to present a high risk to individuals. Article 35.
Data Protection Officer
Controllers and processors that, as part of their core activities, monitor individuals on a large scale or process special categories of data on a large scale may be required to appoint a qualified data protection officer and to provide the funding and resources necessary to carry out the DPO's responsibilities. Articles 37-39.
Transfers of personal data to the U.S. or other third countries lacking “adequate” privacy protections
As is the case under existing EU law, transfers of personal data from the EU to the U.S. or other countries that the EU does not find to have an “adequate” level of data protection are prohibited unless additional safeguards are in place, such as participation in the EU-U.S. Privacy Shield program, use of standard (“model”) contractual clauses, or binding corporate rules. Articles 45-49.
One of the goals of the GDPR is to create a more uniform set of data protection rules applicable across the EU, and regulators are issuing guidance on an ongoing basis to promote uniform application of the GDPR's rules. Nevertheless, there will be a number of areas where the law may vary from one EU member state to another, so it is important to consider the law of the individual EU member states in which your organization does business.
Kevin Coy is a partner at Arnall Golden Gregory and advises privacy sensitive organizations on U.S. and international privacy and data security issues.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.