How do other countries’ privacy laws apply to U.S. businesses? Time will tell, as the new European Union General Data Protection Regulation goes into effect in May of next year.
What Happens Next May?
Beginning in May 2018, a significant legal change to individual privacy rights will come into force. The EU GDPR replaces the EU Data Protection Directive 95/46/EC, also known as the “EU Data Directive.” It is designed to standardize European data privacy laws and ensure EU citizens’ data privacy rights.
The EU regulations are based on the idea that privacy is a fundamental right of the individual and not something to be bought and sold by corporations.
Many U.S.-based organizations either have not heard of the GDPR or believe it applies only to organizations based in the EU. The GDPR, however, applies to all organizations that offer goods or services to, or monitor the behavior of, EU data subjects, regardless of the company’s location.
If an organization offers goods or services to or processes data of EU citizens, it likely will be subject to these regulations.
There are two main concerns for U.S. businesses: applicability and enforcement. It is clear that large multinational enterprises will have to comply, but what about the small to medium company that is unsure whether its customers are EU residents?
Presumably, if the small to medium company does not actively “offer goods or services to, or monitor the behaviour of, EU data subjects” it will have no need to comply with the GDPR.
The question, though, is whether a cost-benefit analysis favors complying with the potentially very costly GDPR just in case, or accepting the risk.
What About the Cloud?
Cloud service providers, which may have data stored anywhere across the globe, are not exempt from GDPR enforcement. So it is important for all businesses to contemplate how GDPR could affect them.
What about enforcement? After applicability, the most frequently asked questions relate to enforcement. How will the EU enforce the GDPR against U.S. companies?
Again, for multinationals with a presence in the EU, enforcement actions can be brought against company assets held there. However, the EU will not have the same enforcement mechanism for small to medium businesses that have no real presence in the region.
Under the current EU Data Directive, which the GDPR will replace, there has been little to no enforcement against anything but large multinational entities with a physical presence in the EU.
To address the physical presence issues, the GDPR requires organizations subject to the regulation to designate a representative established in the EU who can ensure compliance.
EU Right to Access
The right to access affords data subjects the ability to determine whether a data controller has their personal data, why it has their data, and what the data processor will do with their data. The scope of “personal data” is broader than many organizations outside the EU may realize. It includes:
“…any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person.”
That means any organization that holds or processes any of this expansive list of personal identifiers must be ready to accept and address requests for access.
Additionally, after determining that a data controller has data on the subject, the subject has the right to ask how long the data will be stored and who receives it, and to request its removal. This last option is referred to generally as the “right to be forgotten.”
EU Right to Be Forgotten
The right to be forgotten gives individuals (or data subjects) the right to request that their personal data be removed from a data controller, and it gives the controller the obligation to erase such data “without undue delay.”
This right is not unlimited, however. The GDPR does balance this right with the rights of expression, legal obligation and public interest (e.g., public health). For many data processors, though, such exclusions will not apply.
Conclusion: Better Get Ready
Failure to comply with the GDPR could be very costly.
While the penalties are a tiered structure based on the extent of the infringement, organizations can be fined up to the greater of 4 percent of annual revenue or 20 million euros for failing to protect the rights and data of data subjects.