In 2016, the European Union raised the highest banner in the battle to protect consumer privacy. The General Data Protection Regulation (GDPR) took effect in May 2018, instantly raising protections throughout Europe and affecting commerce worldwide. Five years later, the regulation continues to pose pressing questions for American businesses. Yet the United States has not enacted a similar national provision. States such as California have adopted copycat measures similar in purpose but significantly less daunting in effect. Accordingly, this article provides a summary of the GDPR-like provisions at home, some comparison points for the parroting American statutes, and a glimpse of the global compliance considerations occasioned by the contrasting European and domestic approaches.


Background

Numbering nearly 100 Articles, the GDPR was intended to protect both consumer data and information collected on individuals at large. The regulation contains two key definitions: (1) "data controllers," who determine the purpose of data collection (think of a supermarket tracking an individual's shopping tendencies), and (2) "data processors," who process the data on behalf of the controllers (think of the tracking company retained by the supermarket). Either or both entities might be obligated to appoint a Data Protection Officer. "Consumer" is not defined, because a purchase is not required to trigger protections (i.e., the GDPR protects all Member State citizens).

Philosophically, the GDPR aims to elevate corporate concern for information not universally considered public domain. Further, employee data has been spotlighted as part of that concern. Both sets of information are subject to the GDPR's steering principles, which emphasize consent, accuracy, confidentiality, and termination of retention.

Practically speaking, the Regulation requires businesses not only to safeguard stored information but also to encrypt it in case it falls into a third party's hands. Structurally, each Member State is required to anoint a "supervisory authority," with ultimate authority reposing in the EU's Data Protection Board. Interestingly, the GDPR concomitantly creates a private cause of action for affected individuals, a rarity for Europe.


Jurisdiction

As an EU regulation, the GDPR has the force of law in all 28 Member States—whether or not it remains in force in the United Kingdom after Brexit on Halloween is another question.

The GDPR relies upon a sequential test for the threshold question of applicability. First, as defined in Article 2, the "material scope" must be evaluated. The key activity is the processing of data within the EU; expressly excluded are an individual's maintenance of personal/household items and systems employed by criminal authorities.

Second, the "territorial scope" must also be satisfied. Here the regulation expands dramatically, as it covers the processing of data on EU nationals (1) by EU companies (both within and without the EU), and (2) by foreign companies ("by a controller or processor not established in the Union"; Article 3). Notably, the GDPR also covers companies with employees located within the EU: if the company monitors all employee performance, the company is thus likely subject to the GDPR.

Significantly, while data collection is not per se prohibited, individuals possess an inviolate right to object to processing and to be erased. See Recital 47. Likewise, third parties (i.e., data processors) who have no relationship with the data subject are not necessarily prohibited from storing and selling their information. The onus is on the data collector to inform the individual if their data will be shared with processors, because the individual must give valid consent. See Articles 6 and 7.

Also noteworthy is the GDPR's express coverage of "transnational data flow." This protection ensures that EU companies cannot sell data to American companies or individuals unless the latter have specifically addressed the European standard. Such references to the GDPR are not yet part of the American copycat provisions, chiefly represented by a California statute.


Riding the California Wave

In 2018, California created its California Consumer Privacy Act (CCPA), which will go into effect on Jan. 1, 2020. This statute establishes the rights to know, access, opt out of, and request deletion of business data of "consumers," defined by reference to the California tax code as someone who is in the state either permanently or as a resident for other than a "transient purpose."

The CCPA does not address the development of data-gathering systems, but rather emphasizes the collected information itself. Although not targeting a company's methodology, the CCPA still provides California residents with a detailed layer of protection. For example, even an out-of-state business that collects and processes data of its California employees may be subject to the CCPA. Pursuant to §1798.140(c)(1), the Act applies if the business has annual gross revenue exceeding $25,000,000; buys, sells, receives, or shares for commercial purposes the information of at least 50,000 consumers, households, or devices; or derives at least 50% of its annual revenue from selling consumer personal information. With similar detail, the CCPA creates a damages range of $100 to $750 per incident for its private cause of action, with no aggregate cap on liability. The defense to predicate occurrences of theft or negligent loss of information is the implementation of "reasonable" security procedures.


Other Domestic Ripples

Approximately 20 states have at least addressed a privacy law; however, significantly fewer have seen a bill move to fruition.

Noteworthy is Nevada's SB-220, which also provides consumers the right to opt out of having their information disclosed. Distinct from the CCPA, this statute fully exempts health care and financial institutions that are subject to the Gramm-Leach-Bliley Act and HIPAA, and it more narrowly defines "consumer" and the "sale" of information. The statute, which targets information collected by websites, took effect on October 1st and does not permit a private cause of action.

Making its way into the limelight is NYS Bill S224. Though New York issued cybersecurity regulations for financial institutions in 2017, S224 would alter the landscape by permitting a consumer lawsuit against any corporation. Additionally, while a California cause of action can be pursued only if there is unauthorized sharing of "nonencrypted or nonredacted personal information," the New York bill would allow such an action whenever there is any injury. Thus, an organization could face liability even when selling sensitive information that is redacted yet decipherable (e.g., a scoring algorithm that generates promos for consumers who have purchased a red shirt in the last 30 days while maintaining full price for other consumers). Similar to the GDPR and CCPA, negligent or accidental disclosures are also covered; however, private action damages are not detailed.


Spotlight and Analysis

Three takeaways result from this inevitable glacier of an international standard.

  • First, businesses operating globally may swarm to consider systems and procedures that satisfy the strictest standard. From the GDPR's start, domestic concerns have recognized the economic opportunities in educating American businesses about this need. See, e.g., Elias Stein, "GDPR Inc.: Profiting From Strict New Security Rules," Barron's (May 26, 2018).
  • Second, the global compliance model may prove inevitable simply because EU Regulations have a nasty habit of sticking around: Unlike our national responses (e.g., the Dodd Frank Act of 2010), a worldwide strategy cannot bank on the prevailing political wind to blow open the door to regulatory dilution or repeal. See, e.g., Matt Egan, "Wall Street Hates the Volcker Rule: Will Trump Finally Kill It?," CNNBusiness.com (Jan. 9, 2017).
  • Finally, the GDPR may just be the privacy standard that Congress has been hinting at for decades—albeit in piecemeal fashion. Apart from landmark considerations such as Roe v. Wade, there are examples dating back 50 years of federal efforts at recognizing one's right to privacy. See, e.g., The Freedom of Information Act of 1967 (protecting against the "unwarranted invasion of privacy"); The Privacy Act of 1974 (ensuring that agencies provide public notice of their "systems of records"); and The Americans with Disabilities Act of 1990 (ensuring that employers recognize the confidentiality of medical records).

However, none of these efforts has successfully unified the states in recognizing an individual's blanket right to privacy of digital/online information. Consequently, at the moment, two hypotheticals present a difficult choice for American businesses.

Example 1: Hotel ABC operates in both California and Paris. The hotel needs to comply at once with the GDPR and the less intrusive California regulation. Does the hotel simply design one, expansive system geared at pleasing EU regulators, and later justify the cost as a pensive alternative to operating dual systems?

Example 2: Hotel XYZ is headquartered in California and operates solely in the United States. However, it maintains a website viewable worldwide and estimates that less than 50% of its business next year will come from selling collected personal data. Q: Does the hotel place its faith in complying with the California exemption, in the hope that its worldwide advertising and/or monitoring of employees in the EU does not invite EU disapproval?


Conclusion

It thus follows that businesses both operating and advertising in the EU would be well served to at least discuss GDPR compliance. Short of the unlikely measure of a national standard set by Congress, state laws incorporating the GDPR by reference would ease the burden of the GDPR's transnational data limitation by providing model language for lawyers drafting international agreements. Additionally, local provisions could steer domestically registered corporations toward concrete determinations of their actual European presence.

Of course, last but not least is the goal of protecting the individual. The American responses to the GDPR appear to be struggling with the questions of whether consumers alone possess a minimal right, and whether damages can be accurately foreseen by any statute. As nations are learning to varying degrees, data collection may have enjoyed a generational head start, but individual protections are trending toward covering not only purchasers but also those targeted for multiple forms of digital scrutiny. Just as "the global economy" has seeped into the vocabulary of business people, a truly "general" data protection protocol may already be taking hold.

Scott Colesanti, a professor at Hofstra Law School, has taught EU law as part of four study abroad programs. Suzanne Hassani, Class of 2021, is a member of Hofstra's ACTEC Journal, holds a Security+ certification, and serves as a teaching assistant to Professor Colesanti.