The GDPR: An Update, and a Hope
This article provides a summary of the GDPR-like provisions at home, some comparison points for the parroting American statutes, and a glimpse of the global compliance considerations occasioned by the contrasting European and domestic approaches.
October 31, 2019 at 11:45 AM
In 2016, the European Union raised the highest banner in the battle to protect consumer privacy. The General Data Protection Regulation (GDPR) took effect in May 2018, instantly upping protections throughout Europe and affecting commerce worldwide. Since then, the regulation has continued to pose pressing questions to American businesses. Yet the United States has not enacted a similar national provision. States such as California have adopted copycat measures similar in purpose but significantly less daunting in effect. Accordingly, this article provides a summary of the GDPR-like provisions at home, some comparison points for the parroting American statutes, and a glimpse of the global compliance considerations occasioned by the contrasting European and domestic approaches.
|Background
Numbering 99 Articles, the GDPR was intended to protect both consumer data and information collected on individuals at large. The regulation contains two key definitions: (1) "data controllers," who determine the purposes and means of processing (think of a supermarket tracking an individual's shopping tendencies), and (2) "data processors," who process the data on the controller's behalf (think of the tracking company retained by the supermarket). Either or both entities might be obligated to appoint a Data Protection Officer. "Consumer" is not a defined term, as a purchase is not required to trigger protections: the GDPR speaks instead of "data subjects," and protects individuals in the Union regardless of whether they have bought anything.
Philosophically, the GDPR aims to elevate corporate concern for information not universally considered public domain. Further, employee data has been spotlighted as part of that concern. Both sets of information are subject to the GDPR's guiding principles (Article 5), which emphasize lawfulness (including consent), accuracy, confidentiality, and limits on retention.
Practically speaking, the Regulation requires businesses not only to safeguard stored information but also to consider encrypting it in case it falls into a third party's hands: Article 32 names encryption as an appropriate security measure, and a breach of data that encryption has rendered unintelligible need not be notified to the affected individuals (Article 34). Structurally, each Member State is required to designate a "supervisory authority," with the national authorities coordinated by the European Data Protection Board. Interestingly, the GDPR concomitantly creates a private cause of action for affected individuals, a rarity for Europe.
|Jurisdiction
As an EU regulation, the GDPR has the force of law in all 28 Member States—whether or not it remains in force in the United Kingdom after Brexit on Halloween is another question.
The GDPR relies upon a sequential test for the threshold question of applicability. First, as defined in Article 2, the "material scope" must be evaluated. The key activity is the processing of personal data wholly or partly by automated means (or as part of a filing system); expressly excluded are an individual's purely personal or household activities and processing by competent authorities for the prevention, investigation, or prosecution of criminal offenses.
Second, the "territorial scope" (Article 3) must also be satisfied. Here the regulation expands dramatically: it covers (1) processing in the context of the activities of an EU establishment of a controller or processor, whether or not the processing itself takes place in the EU, and (2) processing by a foreign company ("a controller or processor not established in the Union") where that processing relates to offering goods or services to individuals in the EU or to monitoring their behavior there. Notably, the second prong reaches companies with employees located within the EU: if the company monitors employee performance, the company is thus likely subject to the GDPR.
Significantly, while data collection is not per se prohibited, individuals possess a right to object to processing (Article 21) and a right to erasure (Article 17), each subject to enumerated exceptions. See also Recital 47. Likewise, third parties (i.e., data processors) who have no relationship with the data subject are not necessarily prohibited from storing their information, although a processor may act only on the controller's documented instructions (Article 28). The onus is on the data controller to inform the individual that their data will be shared with processors and to have a lawful basis for the processing, of which the individual's valid consent is one. Articles 6 and 7.
Also noteworthy is the GDPR's express coverage of "transnational data flow" in Chapter V. This protection ensures that EU companies cannot transfer personal data to American companies or individuals unless the transfer rests on an adequacy decision, on appropriate safeguards such as standard contractual clauses, or on one of a narrow set of derogations; in practice, the recipient must specifically address the European standard. Such references to the GDPR are not yet part of the American copycat provisions, chiefly represented by a California statute.
|Riding the California Wave
In 2018, California enacted the California Consumer Privacy Act (CCPA), which goes into effect on Jan. 1, 2020. This statute establishes the rights to know, access, opt out of the sale of, and request deletion of personal information held by businesses on "consumers," defined by reference to California's tax regulations as a natural person who is in the state for other than a "temporary or transitory purpose" (or who is domiciled there while temporarily away).
The CCPA does not address the development of data-gathering systems, but rather emphasizes collected information. Although not targeting a company's methodology, the CCPA still provides California residents with a detailed layer of protection. For example, even an out-of-state business that collects and processes data of its California employees may be subject to the CCPA. Pursuant to §1798.140(c)(1), the Act applies if the business has annual gross revenue that exceeds $25,000,000; buys, sells, receives, or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices; or derives at least 50% of its annual revenue from selling consumers' personal information. With similar detail, the CCPA creates a private cause of action for data breaches, with statutory damages of between $100 and $750 per consumer per incident (or actual damages, if greater) and no aggregate cap on liability. The predicate occurrence is theft, unauthorized access, or disclosure of personal information resulting from a failure to implement "reasonable" security procedures, so implementing such procedures is the defense; a consumer must also give the business 30 days' written notice and an opportunity to cure before seeking statutory damages.
|Other Domestic Ripples
Approximately 20 states have at least taken up a privacy bill; however, significantly fewer have seen a bill move to fruition.
Noteworthy is Nevada's SB 220, which also provides consumers the right to opt out of having their information sold. Distinct from the CCPA, this statute fully exempts financial institutions subject to the Gramm-Leach-Bliley Act and health care entities subject to HIPAA, and more narrowly defines "consumer" and the "sale" of information. The statute, which targets information collected by website and online-service operators, went into effect on October 1, 2019, and does not permit a private cause of action.
Making its way into the limelight is New York Senate Bill S224. Though New York's Department of Financial Services issued cybersecurity regulations for financial institutions in 2017, S224 would alter the landscape by permitting a consumer lawsuit against any corporation. Additionally, while a California cause of action can only be pursued if there is unauthorized sharing of "nonencrypted or nonredacted personal information," the New York bill would allow such an action whenever there is any injury. Thus, an organization could face liability even when selling sensitive information that is redacted yet decipherable (e.g., the output of a scoring algorithm that generates promotions for consumers who have purchased a red shirt in the last 30 days while maintaining full price for other consumers). Similar to the GDPR and CCPA, negligent or accidental disclosures are also covered; however, private-action damages are not detailed.
|Spotlight and Analysis
Three takeaways result from the glacial but seemingly inevitable advance of an international standard.
- First, businesses operating globally may gravitate toward systems and procedures that satisfy the strictest standard. From the GDPR's start, domestic concerns have recognized the economic opportunities in educating American businesses about this need. See, e.g., Elias Stein, "GDPR Inc.: Profiting From Strict New Security Rules," Barron's (May 26, 2018).
- Second, the global compliance model may prove inevitable simply because EU Regulations have a habit of sticking around: unlike our national responses (e.g., the Dodd-Frank Act of 2010), a worldwide strategy cannot bank on the prevailing political wind blowing open the door to regulatory dilution or repeal. See, e.g., Matt Egan, "Wall Street Hates the Volcker Rule: Will Trump Finally Kill It?," CNNBusiness.com (Jan. 9, 2017).
- Finally, the GDPR may just be the privacy standard that Congress has been hinting at for decades, albeit in piecemeal fashion. Apart from landmark considerations such as Roe v. Wade, there are examples dating back 50 years of federal efforts to recognize a right to privacy. See, e.g., the Freedom of Information Act of 1967 (protecting against the "unwarranted invasion of privacy"); the Privacy Act of 1974 (ensuring that agencies provide public notice of their "systems of records"); and the Americans with Disabilities Act of 1990 (ensuring that employers recognize the confidentiality of medical records).
However, none of these efforts has unified the states in recognizing an individual's blanket right to privacy of digital/online information. Consequently, at the moment, two hypotheticals present a difficult choice for American businesses.
Example 1: Hotel ABC operates in both California and Paris. The hotel needs to comply at once with the GDPR and the less demanding California regulation. Does the hotel simply design one expansive system geared at satisfying EU regulators, and later justify the cost as a prudent alternative to operating dual systems?
Example 2: Hotel XYZ is headquartered in California and operates solely in the United States. However, it maintains a website viewable worldwide and estimates that less than 50% of its business next year will come from selling collected personal data (note that the CCPA's revenue and 50,000-record thresholds are independent triggers, so falling below 50% does not by itself place the hotel outside the Act). Q: Does the hotel place its faith in complying with the California exemption, in the hope that its worldwide advertising and/or monitoring of employees in the EU does not invite EU disapproval?
|Conclusion
It thus follows that businesses either operating or advertising in the EU would be well served to at least discuss GDPR compliance. Short of the unlikely measure of a national standard set by Congress, state laws incorporating the GDPR by reference would ease the burden of the GDPR's transnational data limitation by providing model language for lawyers drafting international agreements. Additionally, local provisions could steer domestically registered corporations toward concrete determinations of their actual European presence.
Of course, last but not least is the goal of protecting the individual. The American responses to the GDPR appear to be struggling with the questions of whether consumers alone possess a minimal right, and whether damages can be accurately foreseen by any statute. As nations are learning to varying degrees, data collection may have enjoyed a generational head start, but individual protections are trending towards not only purchasers but also those targeted for multiple forms of digital scrutiny. Just as "the global economy" has seeped into the vocabulary of businessmen, a truly "general" data protection protocol may already be taking hold.
Scott Colesanti, a professor at Hofstra Law School, has taught EU law as part of four study abroad programs. Suzanne Hassani, Class of 2021, is a member of Hofstra's ACTEC Journal, holds a Security+ certification, and serves as a teaching assistant to Professor Colesanti.