A new data protection framework, the General Data Protection Regulation (“GDPR”), goes into effect in the European Union on May 25, 2018, replacing the Data Protection Directive 95/46/EC (“Directive”). See Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”).
The GDPR is directly applicable in member states without implementing legislation. Similar to the Directive, it restricts the processing and disclosure of personal data, which is defined as “any information relating to a data subject.” GDPR Article 4(1). Greater restrictions apply to “sensitive personal data,” such as information about racial or ethnic origin, political opinions, and religious and philosophical beliefs. GDPR Article 9(1). The GDPR harmonizes data protection rights across Europe and creates significant changes for both European and non-European businesses, including increased territorial and subject-matter scope, along with stiffer penalties for non-compliance.
Increased Territorial Scope
Perhaps the most significant change presented by the GDPR is its extended territorial jurisdiction, which purports to apply to all companies processing data from European data subjects, regardless of where the companies are based. The GDPR covers overseas organizations that satisfy one or both of two tests: (1) “the offering of goods or services” in Europe or (2) “the monitoring of” behavior within Europe, even if the organizations prove they are not established within the European Union and do not process data there. GDPR Articles 3(2)(a) and (b). Once covered, organizations must appoint representatives in the European member states where they offer goods or services or monitor behavior. GDPR Article 27(3). Examples of companies that may be covered by the expanded scope of the law include (1) certain online retailers that target European consumers by using a local language and (2) entities that price goods and services in a local European currency. See GDPR Recitals 23-24.
Increased Subject Matter Scope
Another key scope change under the GDPR is its treatment of so-called data “processors,” which are companies and persons who work with data at the direction of controllers. Processors include companies like cloud service providers and payroll vendors; controllers include companies like retailers who collect and maintain customer data. Unlike the Directive, the GDPR imposes direct data-protection obligations on processors. These new obligations include maintaining written records of processing activities, designating a data protection officer, naming a representative when not established in the European Union, and breach notification. GDPR Article 30.
Notably, the GDPR also prohibits processors from sub-contracting without written consent. GDPR Articles 26(1a), (2)(d). This means that cloud providers with sub-processor infrastructure, such as Amazon IaaS and Dropbox SaaS, along with businesses that subcontract elements of their supply chain requiring the use or transmittal of “personal data,” will likely need to update their disclosure procedures to obtain consent from counterparts for the sub-contracted elements of the business.
Compared to the Directive, which left applicable fines to the discretion of member states, the GDPR significantly increases the stakes for non-compliance. Where applicable, there is a tiered approach to fines. A company can be fined up to 4% of global turnover or €20 million, whichever is greater, for the most serious infringements, such as insufficient customer consent for the processing of data. GDPR Article 83. Fines up to 2% of global turnover or €10 million, whichever is greater, apply to other types of violations, such as the failure to comply with breach notification requirements or the failure to maintain adequate records. Id.
Under the GDPR, fines are tied to the revenues of an “undertaking,” not merely the entity that constitutes the relevant controller or processor. GDPR Article 83. Recital 150 explains that where fines are imposed, “undertaking” should be understood in accord with the Treaty on the Functioning of the European Union, which addresses competition law. In that context, the European Court of Justice has sometimes defined “undertakings” to encompass entities engaged in economic activity, regardless of legal status and financing.
The GDPR contemplates private litigation against data controllers and processors. GDPR Article 79. In contrast with U.S. litigation norms, any person who has suffered “material or non-material damage” as a result of a violation has the right to receive compensation from controllers and processors. GDPR Article 82(1). Individuals also have a right to lodge complaints with supervisory authorities, and to mandate a consumer protection body to bring claims on their behalf. GDPR Articles 77, 80.
Unlike the Directive, which is silent on the issue, the GDPR imposes notification obligations in the event of a personal data breach. For data controllers, the GDPR adopts a two-tiered approach to breach disclosure. First, the breach must be reported to supervisory authorities unless it “is unlikely to result in a risk for the rights and freedoms of natural persons.” GDPR Article 33. Whether a breach implicates risks to the “rights and freedoms of natural persons” is likely to be subject to significant consideration in the event of a breach, but preliminarily seems likely to encompass at least those breaches involving sensitive data such as health information. Where required, the disclosure is to be made “without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach].” Id.
Second, the breach must also be reported to the affected individuals without “undue delay” where it “is likely to result in a high risk to the rights and freedoms of natural persons.” GDPR Article 34. However, the controller is not required to provide this additional data-subject notification under certain circumstances, such as where the controller has anonymized the data and rendered it unintelligible to any person not authorized to access it.
When a data processor, unlike a data controller, experiences a personal data breach, it must notify the data controller but otherwise has no other notification or reporting obligation under the Regulation. GDPR Article 33.
Data Protection Officers
The GDPR eliminates the requirement under Article 18 of the Directive for data controllers to notify local data protection authorities of their data processing activities, and limits requirements to obtain approval for data transfers. However, the GDPR increases internal recordkeeping requirements and requires the appointment of data protection officers for controllers and processors engaged in certain high-risk activities, i.e., where one of a company’s core activities is the regular monitoring of data subjects or special types of sensitive data. GDPR Article 37.
Like the Directive, the GDPR prohibits the transfer of personal data outside the European Union to any jurisdiction not found to offer an adequate level of data protection. Because the U.S. has not been granted a complete adequacy decision, U.S. companies that receive data from the European Union must consider whether they have adopted appropriate methods for the cross-border transfer of data. The most common are the Privacy Shield, Standard Contractual Clauses, and Binding Corporate Rules. The specific requirements for these mechanisms are laid out in GDPR Articles 44-50.
Privacy Shield. Like its predecessor, the Safe Harbor Framework, the Privacy Shield is enforced by the Federal Trade Commission and Department of Transportation, and any U.S.-based organization that is subject to the jurisdiction of one or both agencies may participate. To do so, organizations must self-certify annually, and, among other things, publicly agree to adhere to the Privacy Shield Principles, such as notice, choice, access, and accountability for onward transfer of personal data. Over 2,500 U.S.-based businesses maintain active Privacy Shield registrations, including Adobe Systems, Airbnb, Inc., Allergan plc, Baxter International Inc., Citrix Systems, Inc., Deloitte LLP, Eli Lilly and Company, Facebook, Inc., Fair Isaac Corp. dba FICO, Foot Locker, Inc., Google Inc., Hard Rock Café International (USA), Inc., J Crew Group, Inc., LinkedIn Corp., Merck & Co., Inc., Microsoft Corp., PricewaterhouseCoopers LLP, Ralph Lauren Corp., Raytheon Co., Reddit, Inc., and Snap Inc. See Privacy Shield Framework, Privacy Shield List (Active), available at https://www.privacyshield.gov/participant_search.
Standard Contractual Clauses. As an alternative or supplement to the Privacy Shield, standard contractual clauses, or “model clauses,” can be incorporated into contracts governing the transfer of data from the European Union. The GDPR streamlines the requirements for the model clauses and, in contrast to the Directive, explicitly provides that clauses previously approved by the European Commission can be agreed and used by the parties. GDPR Article 46. Although not subject to ongoing monitoring, the clauses can be challenged legally, including by individuals whose personal data they cover. One such challenge was made recently by the same individual who previously challenged the Safe Harbor Framework, see Data Protection Commissioner v. Facebook Ireland (Case No. 4809), and the European Court of Justice is now evaluating the mechanisms used to facilitate the transmission of personal data from Europe to the U.S.
Binding Corporate Rules. As an alternative or supplement to entering into standard contractual clauses for each cross-border data transfer, organizations fielding a substantial number of complex internal transactions may wish to implement binding corporate rules (BCRs) governing intra-group international data transfers. GDPR Article 47. BCRs, which must be approved by the national Data Protection Authority for each applicant, can be used only for intra-group transfers, and do not provide a basis for transfers made outside a single corporate group or group of enterprises engaged in a joint economic activity. The data protection authorities of nearly two dozen European countries have adopted a “mutual cooperation procedure” whereby approval of BCRs by the lead data protection authority for an organization established in Europe is treated as a sufficient basis for providing a national permit for the BCRs in other European countries. The cooperation process is closed for just under 100 companies, including Accenture, Airbus, American Express, BMW, Bristol-Myers Squibb, e-Bay, Ernst & Young, GlaxoSmithKline plc, Hermes, HP Enterprise, Michelin, Novartis, and Shell International B.V. To date, the most common lead authorities include CNIL France, ICO UK, and the Dutch DPA.
Production of Documents for Litigation. The GDPR introduces a new provision restricting the transfer of data to countries outside Europe for use in litigation. See GDPR Article 48. Although there is no comparable limitation under the Directive, the U.S. Supreme Court has previously addressed similar “blocking statutes” and held that, subject to a balancing test, the laws “do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” Société Nationale Industrielle Aérospatiale v. U.S. Dist. Court for the Southern District of Iowa, 482 U.S. 522, 544 n.29 (1987). Since then, courts in the U.S. have usually, but not always, held that the U.S. interest in discovery outweighs the foreign interests inherent in preventing the transmittal of data. See, e.g., Laydon v. Mizuho Bank, Ltd., 183 F. Supp. 3d 409 (S.D.N.Y. April 29, 2016) (permitting discovery from UK-based entities pursuant to the Federal Rules of Civil Procedure and rejecting the argument that the mere risk that production of documents would violate UK law was a sufficient basis to resist discovery); but see SEC v. Stanford International Bank Ltd, 776 F. Supp. 2d 323 (N.D. Tex. 2011) (sovereign interest in protecting the privacy of bank records was great enough to require use of the Hague Convention to obtain the records). Therefore, a court in the U.S. may order the production of documents containing personal data even if that would potentially subject the producing party to sanctions under the laws of another country. Businesses engaged in cross-border litigation should monitor post-GDPR developments in whether U.S. courts order the production of documents stored in Europe.
In the months before the GDPR goes into effect on May 25, 2018, organizations should prepare for the changes it may bring. Key tips include: (1) understand how you use European personal data; (2) perform a systems gap analysis to ensure compliance; (3) evaluate contracts with third parties, such as cloud service providers, to determine if the agreements should be modified to address the new rules, and assess whether there are appropriate mechanisms in place to transmit personal data within and outside the organization; (4) determine whether the organization is required to name a data protection officer; and (5) be ready for prompt breach notification.
Recent Developments in Cybersecurity in the United States: The Proposed Data Broker Accountability and Transparency Act of 2017
In the wake of disclosures of major data breaches affecting hundreds of millions of American consumers by numerous companies including Yahoo, Whole Foods, Uber, and Equifax, and even the SEC and IRS, federal legislation regarding consumer financial data is being seriously discussed in Washington, D.C. Presently, there is no federal law requiring notification to consumers or remedial measures when a data breach impacting American consumers occurs. Instead, companies that handle the personal identifying and financial information of American consumers must comply with a patchwork of 48 different state regulatory schemes regarding when and how to notify affected consumers, and remedial action following a breach. On September 14, 2017, U.S. Senator Chris Markey (D-MASS) introduced Senate Bill 1815, “The Data Broker Accountability and Transparency Act of 2017.” Co-sponsored by Senators David Blumenthal (D-CT), Sheldon Whitehouse (D-RI), Al Franken (D-MN), and Bernie Sanders (I-VT), SB 1815 would (1) give consumers access to, and the ability to correct, their personal information held by data brokers, (2) allow consumers to stop data brokers from using, sharing, or selling their personal information for the marketing of financial services, (3) require data brokers to develop comprehensive privacy and data security programs and to provide “reasonable” notice in the event a breach occurs, and (4) empower the Federal Trade Commission to enforce the law and to promulgate regulations, including establishing a centralized website for consumers to view a list of covered data brokers and information regarding consumer rights. “Data brokers” are principally credit reporting firms, but the Act would apply to any company that maintains personal information of non-employees/non-customers for the purpose of selling that information or providing it to anyone other than the consumer.
Following its introduction, the bill was referred to the Senate Commerce Committee, which conducted hearings in November 2017. We will continue to monitor this legislation; in the meantime, more information about SB 1815 is available at https://www.congress.gov/bill/115th-congress/senate-bill/1815/all-info.