What US Construction Companies Need to Know About the GDPR to Avoid Fines
August 06, 2018 at 09:24 AM
On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) took effect. This law makes significant changes to European data privacy and security requirements for companies dealing with individuals located in the EU (whether they are citizens, immigrants, or visitors at the time their data is collected). So what? How would such a technical EU regulation affect a U.S.-based construction company?
The EU has always had a different take on the protection of personal information than the United States. GDPR was implemented because, essentially, the EU's old data protection laws, first enacted way back in 1995, were perceived to be inadequate to keep up with the explosive growth in data and the technology surrounding it. According to the GDPR website, the new regulation was designed “to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.”
What Information Is Involved?
GDPR aims to protect the “personal data” of EU residents—including how the data is collected, stored, processed and destroyed. Importantly, the meaning of “personal data” under the GDPR goes far beyond what you might expect considering how similar terms are defined in the US. Under the GDPR, “personal data” means information relating to an identified or identifiable natural person. A person can be identified from information such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.
While that information is not generally the target of collection by U.S. construction firms, some such information is routinely provided by subcontractors, consultants, and vendors during the contracting process. It is particularly likely that such information is collected where the team members are participating in a project using building information management (BIM) protocols.
How Does the EU Regulation Reach the United States?
A major change made by the GDPR is the territorial scope of the new law. The GDPR replaces the 1995 EU Data Protection Directive which generally did not regulate businesses based outside the EU. However, now even if a U.S.-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.
Under Article 3 of the GDPR, your company may be subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed. This is the case where the processing relates to the offering of goods or services or the monitoring of behavior that takes place in the EU.
Thus, the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR. Particularly, if your website pursues EU residents—accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, or markets in the language of an EU country, the GDPR will apply to your company.
Since this is a brand-new law, and the application of the language concerning the scope of the prohibitions has never been tested, it is important for all U.S. companies to be aware of the possibility of the law's enforcement against them.
What Should I Do?
For U.S. companies, interactions with those situated in the EU will have to be adjusted to obtain explicit consumer consent to collect personal information. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”
For example, say a New Jersey-based company is looking to run a campaign to advertise for partners for a project (vendors, subcontractors, consultants) in France and has set up a webpage to collect email addresses. At the very least, the company will need a checkbox—without a default “x” in it—accompanied by clear language about what it will be doing with these email addresses. And it's not allowable to ask the user to click on a link to a long “terms and conditions” document filled with legalese.
Once the data is collected, U.S. companies will then have to protect it under the GDPR's rules. In particular, the tough new GDPR 72-hour breach notification rule will certainly require special attention. When there's a breach involving “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed,” then your firm will need to analyze whether the exposed or affected EU personal data identifiers can cause “risk to the rights and freedoms” of EU citizens.
The GDPR gives some leeway in weighing the risks, but inadvertent exposure of email addresses or of personal data that contains sensitive information would require notification to an EU regulator or “supervising authority” within 72 hours. Where there's “high risk” to fundamental property and privacy rights—typically, exposure of credit card numbers or account passwords—the affected EU citizens will also have to be notified.
There are still many questions of how the EU will enforce these actions against the United States and other multinational companies. What we do know is that the EU is serious about a uniform data and privacy law and major U.S. companies have changed their practices as a result.
What Happens if I Don't?
The GDPR imposes significant fines for companies that fail to comply. Penalties and fines, calculated based on the company's global annual turnover for the preceding financial year, can reach up to 4 percent or €20 million (whichever is greater) for noncompliance with the GDPR, and 2 percent or €10 million (whichever is greater) for less serious infringements. So, for example, if a company fails to report a breach to a data regulator within 72 hours, as required under Article 33 of the GDPR, it could pay a fine of the greater of 2 percent of its global revenue or €10 million.
There are reports predicting that more than 50 percent of companies within the scope of the GDPR will not be compliant by the end of 2018, even though the deadline of May 2018 has passed. Considering that one of the main objectives of the GDPR was to expand the territorial scope of protection, companies based outside the EU should not be surprised to find that they are a particular target of EU data regulators.
As a precaution, U.S. construction companies should evaluate their communications with their EU partners to determine whether they may be subject to regulation under the GDPR, and if so, how to structure those communications to protect against any possible violation.
Julie Negovan is of counsel in Griesing Law's commercial litigation practice group where she focuses her practice on construction, energy, health care, class actions, mass torts and complex commercial litigation. She can be reached at 215-501-7844 or [email protected].
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.