The European Union’s GDPR Takes Effect May 25: Are You Ready?
Welcome to the first installment of The Privacy Report. Some of you may have been followers of Robinson Bradshaw’s Genomics Law Report blog, which has evolved into this new blog because—especially with the gene patent wars over for the time being—the content of the GLR was moving in the direction of privacy law and regulation. This shift was also evident in the concerns being expressed by our clients in health, research and IT.
In response to these changes, we are refocusing, and the result is The Privacy Report. We will report and analyze current legal developments in privacy and IP law and the related regulatory environment. We will discuss the law in a clear and non-technical way, concentrating on the practical implications for those on the front lines in health care, research and IT.
In this first monthly post, I review the European Union’s new General Data Protection Regulation, which takes effect May 25. A rotating panel of Robinson Bradshaw attorneys will join me in reporting on other developments that we believe could affect your business.
Please note: If you were on the distribution list for the GLR, you will continue to receive updates from The Privacy Report. We hope you will enjoy our new focus and remain a subscriber.
After years of development, punctuated by seemingly endless stops and starts, the European Union’s General Data Protection Regulation (GDPR) will finally take effect on May 25. As a Regulation, it will immediately become law throughout the EU, much like a federal law in the United States. By contrast, the predecessor law that it replaces, the 1995 Data Protection Directive, set a detailed standard that individual member countries were required to adopt through national legislation, a process that inevitably produced country-by-country variation. The new GDPR will perpetuate the Directive’s core principles and requirements and add a good deal more.
The key features of the GDPR include the following:
- The GDPR continues the Directive’s broad definition of personal data, covering any information from which a natural person can be identified.
- In principle, the GDPR applies to all processing of personal data derived from persons present in the EU, regardless of where it happens. Processing is defined as any collection, manipulation, use or storage of personal data. Parties that process data are divided into controllers and processors: a controller is a party that directs or controls the processing, while a processor is a party that does anything to the data at the direction of a controller. (The GDPR requirements also apply to subprocessors engaged by processors.) The GDPR covers parties that have establishments (places of business) in the EU as well as parties outside the EU if they offer goods or services to EU residents or monitor their behavior. This standard is not yet clearly defined.
- Personal data can be collected only for “specified, explicit and legitimate purposes” and can be processed only in ways that are compatible with those purposes.
- In most cases, a controller must get specific, informed and unambiguous affirmative consent to collect and process data; merely providing an opt-out right is insufficient. Explicit consent is required for sensitive data, such as genetic or biometric data or data pertaining to health, sexuality or political views. Subjects must be able to withdraw consent at any time, and it must be as easy to withdraw consent as to give it. Controllers bear the burden of being able to demonstrate consent upon demand by an EU Data Protection Authority (DPA).
- Data subjects also have rights of data access, rectification (correction) and erasure.
- Controllers and processors must maintain a high level of data security, determined in the context of risk to data subjects, the technological state of the art and industry standards.
- DPAs can fine violators up to 4 percent of gross revenues. Data subjects also have private remedies available to them.
- The controller is responsible for all aspects of processing and must be able to demonstrate compliance with the law. This responsibility extends to ensuring that its processors are also in compliance.
Bringing Data to the U.S.
Because the EU has determined that U.S. laws do not provide adequate protection for personal data, transferring data out of the EU will continue to be a significant problem—even for intracompany transfers. As under the Directive, individual consent remains a valid basis for transfer—but it must be affirmative and unambiguous. Absent consent, the available options are the U.S. Department of Commerce’s Privacy Shield program, the unpopular Standard Contractual Clauses promulgated by the EU, and the even less popular Binding Corporate Rules.
Participation in the Privacy Shield means, essentially, that a transferee of data in the U.S. must certify its compliance with GDPR principles and requirements. Some of the major elements of the Privacy Shield include:
- U.S. companies must self-certify their compliance to the U.S. Department of Commerce, with annual renewal.
- Companies are fully responsible for the conduct of their third-party data service providers, which means imposing Privacy Shield requirements on them by contract.
- Companies must respond to EU citizen complaints within 45 days, provide a free alternative dispute resolution service, and agree to binding arbitration before a Privacy Shield Panel whose members are jointly selected by the Department of Commerce and the EU.
- Companies transferring human resources data will be subject to the national DPAs in the EU countries where the data originates.
The U.S. Commerce Department has committed to vigorous enforcement, including referrals to DPAs in the EU.
Is My Company Really At Risk for Noncompliance?
Since the GDPR has yet to take effect, the EU DPAs have no track record of enforcement, nor is there any case law. However, various EU authorities have been making public statements about their enforcement plans, and an official advisory body called the Article 29 Working Party has been issuing “Guidance” documents on specific issues. Putting these sources together, the major themes seem to be:
- There will be no grace period—enforcement will start on May 25.
- Despite a huge increase in enforcement staff, EU regulators will have to be highly selective in whom they investigate and sanction.
- Regulators will initially focus on companies that are large, that are ignoring the GDPR, or that deal in sensitive data. They will also respond, of course, to instances of actual harm that are brought to their attention by individual citizens or the media.
- For smaller companies, diligent, good-faith compliance efforts are likely to provide some measure of immunity, at least in the short term.
In fact, for smaller and medium-sized American companies, the more significant enforcement is likely to come from the private sector. As many of our clients are discovering, companies that perform processing services in this country for large multinationals like Google and Amazon are being required to sign contracts that promise GDPR compliance, and to impose similar contracts downstream on their own vendors and contractors (who are subprocessors in GDPR terms). Some of these companies find themselves scrambling to assess their data security, to figure out how to provide EU data subjects with their GDPR rights, and to revise their vendor contracts.
What Do We Need to Do?
U.S. companies that are confronting the GDPR for the first time need to take the following initial steps:
- Review your EU connections to determine if you are covered by the GDPR. The standard is not well defined—if you have any doubt, assume that you are covered.
- Assess the ways you collect, process, store, retain and delete data to make sure each of them is compliant. Consent, transparency and security will be particularly important.
- Audit your contracts, both upstream and downstream. If controllers are demanding that you be GDPR-compliant, make sure that you are. Be equally careful in reviewing the contracts that you are required to impose on your vendors and contractors.
- If you already comply with a major U.S. federal privacy statute—such as HIPAA in the health sector or Gramm-Leach-Bliley in the financial sector—then you are likely to be well on the way to GDPR compliance.
Robinson Bradshaw can help you—efficiently—with every stage of this process. We have already assisted companies in a range of industries, including health care, IT, finance and scientific research. We have experience in assessing GDPR applicability, preparing GDPR-compliant privacy policies, drafting and reviewing GDPR contracts, assisting with Privacy Shield certification and developing long-term compliance strategies. We stand ready to put this experience to work for your company.