The EU General Data Protection Regulation (“GDPR”) represents an effort by the European Union to give people located in Europe control over their personal information. The GDPR is both extensive in the requirements it places on businesses and expansive in relation to how far it potentially reaches around the world. Let’s take a look at several critical elements of the regulation in this EU GDPR Summary.
The GDPR is an effort by the European Union to give individuals in the EU the right to control the collection and use of their personal data. The GDPR requires companies to follow ten principles of which the key elements will be explained later in this article:
- Lawfulness – Personal data can only be collected if there is a lawful basis.
- Fairness – Data must not be collected unfairly such as with malware.
- Transparency – Your data collection practices must be disclosed in easy to understand terms.
- Purpose limitation – You can only collect data for specific, legitimate purposes.
- Data minimization – You can only collect data you require for the specific purpose.
- Accuracy – Data must be accurate and updated. You must correct errors.
- Storage limitation – You can only hold data for limited periods of time.
- Integrity – All parties involved in the data processing must comply with the GDPR.
- Confidentiality – You must secure personal data.
- Accountability – You must be able to document and show compliance with these principles.
Companies should apply these principles when considering vague and ambiguous aspects of the GDPR.
The GDPR is a maddening regulation for many businesses in the United States. The regulation is often written more as a narrative than traditional law, which makes it unclear what specific steps a company must take to comply in real-world situations. Drafters littered the regulation with phrases such as “undue delay,” “large scale processing,” “reasonable,” and “disproportionate effect.” Unfortunately, the drafters of the GDPR did not define these phrases, so companies are often forced to come up with interpretations with supporting defensive positions.
Perhaps more importantly, the GDPR represents a cultural shift in privacy. As a business owner in the United States, you are used to collecting and using personal data with few limitations. The standard in Europe is different, and the GDPR codifies this standard by shifting the power of control to individuals and away from businesses. Here’s what one member of the Article 29 Working Party had to say on the issue:
Put another way, be prepared for a good number of “well, this area is unclear, and you have the following options…” scenarios. Companies will need to work with privacy lawyers such as myself to develop defensible positions for various GDPR ambiguous requirements.
You might expect to find a discussion of GDPR penalties at the end of this article, but we’re going to tackle the subject now. Compliance with the regulation can be frustrating and it is tempting to cut corners, so you need to know what is at stake. Let’s take a look at a few examples of how enforcement agencies have issued GDPR penalties in the last 18 months.
- $56 million against Google by French authorities.
- $22,000 against the Knuddels app by Germany for a data breach.
- $124 million against Marriott by UK authorities.
- $440,000 against a Portuguese hospital for not securing patient data from employees.
- $229 million against British Airways by the UK.
- $5,300 against a cafe in Austria whose security camera filmed “too much of public area.”
- $243,000 against a Polish marketer who sent unsolicited outreach email messages.
- $68,000 against the MrTango website for accidentally exposing customer payment information for two days.
Yes, the GDPR packs a punch. Penalties can be as high as four percent of a company’s worldwide revenues or twenty million Euros. However, the sanctions must also be effective, proportionate, and dissuasive. Put another way, a tomato-growing blog bringing in $500 a month isn’t going to get hit with a twenty million Euro penalty. Regardless, the penalties are significant. A “bury your head in the sand” strategy will not be effective in fighting off GDPR fines.
The GDPR Players
The GDPR involves a number of players that will be mentioned repeatedly in this article. Understanding the GDPR will be easier if you grasp who the players are and their roles.
a. Article 29 Working Party
Hello, comrade! The Article 29 Working Party was an advisory group responsible for riding herd on the GDPR. The Article 29 Working Party provided guidance on how to comply with the GDPR, particularly on unclear issues within the regulation. While we still rely on WP29 advice, the EU disbanded the group upon the GDPR going into force on May 25, 2018 and replaced it with the European Data Protection Board (EDPB).
b. Data Subjects
The GDPR applies to scenarios where a third party collects data from “data subjects” (individuals) located in the EU. You may read that the GDPR applies to “citizens” of the EU. This interpretation is incorrect. If a person is not located in the EU when the data collection takes place, even if they are a citizen of an EU Member State, the GDPR does not apply.
c. Controllers
The GDPR divides collectors of data into two categories – controllers and processors. A controller is a party who determines the purpose and means of the processing of personal data. If you run a website, for example, you are a controller since you decide whether to allow comments, transactions, email newsletter signups, etc.
d. Processors
A processor is a party that processes personal data on behalf of a controller. Assume we have a website that has an email newsletter. The site uses MailChimp to send out the newsletter. The website is the controller, and MailChimp is the processor.
e. Data Protection Officer
The GDPR requires that companies hire a data protection officer (“DPO”) in some situations. The responsibility of the DPO is to make sure the company complies with the GDPR. He or she will also interface with the public on privacy issues.
f. Supervisory Authority
A supervisory authority is a government agency that investigates GDPR violations. The supervisory authority is the equivalent of the FTC or the various state attorneys general in the United States.
Each Member State has a supervisory authority. The Information Commissioner’s Office (“ICO”) in the United Kingdom is known for being reasonable when addressing privacy issues with companies. Supervisory authorities in other countries, such as France and Germany, are less forgiving.
History of GDPR
The General Data Protection Regulation went into effect on May 25, 2018. The GDPR is binding on all Member States of the EU. The UK appears to be intent on complying with the GDPR notwithstanding the Brexit mess.
The EU had operated under a Data Protection Directive since 1995. As a Directive, the text was not binding on the Member States. Instead, the Member States were given wide latitude to pass legislation incorporating the concepts of the Directive and enforce said legislation as they saw fit. The result was a wide discrepancy of interpretations and enforcement policies that made it difficult for companies to comply and individuals to understand their specific privacy rights.
The GDPR represents an effort to unify privacy requirements across the EU. As a regulation, the GDPR replaced the Data Protection Directive and immediately became binding law in each Member State on May 25, 2018. The Regulation also updates EU law to reflect the world of modern data manipulation. If one imagines the state of the Internet in 1995 versus 2018, it is easy to see why the EU needed such an update.
GDPR Territorial Scope
The EU takes an interesting approach to determine who, what, and where the regulation applies – a concept known as the GDPR territorial scope. Despite its title, the EU does not determine the reach of the regulation by looking at the location of a company that is collecting data. Instead, the GDPR focuses on three tests found in Article 3:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
The first two tests are of particular importance. Section 1 essentially means that if a business is located in the European Union or works with a controller or processor in the European Union, then it must comply with the GDPR. For example, if you have a website and use a web designer in the EU, you must comply with the GDPR.
We can break the second test into two parts. The first appears relatively straightforward unless you run a typical online business. If you are offering goods or services to parties in the EU, then you must comply with the GDPR. The kicker, however, is the phrasing “irrespective of whether a payment of the data subject is required.” For example, what if you’ve developed an email list that contains addresses of people located in the EU and you send offers to the list? Is that not the offering of goods or services to individuals in the EU?
The second subtest is again problematic in the online environment. Does an analytics program constitute the “monitoring of their behavior” in the EU? How about the use of first and third-party cookies? I cannot offer you a definitive answer to these questions because none exist at this time. The courts will wrestle with these issues and clarify the outcome. Companies attempting to comply with the GDPR will need to evaluate their data collection and usage practices to establish a position and pre-emptive defense to any GDPR violation claims.
Importantly, the GDPR applies to all businesses within the territorial scope regardless of the size of the companies – Google, your grandma’s tomato growing blog, Facebook, your site posting vacation photos, etc.
The GDPR applies to the collection, storage, and use of personal data. Article 4(1) of the GDPR defines personal data as follows:
“1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”
Is the definition rather broad? Just slightly. The EU is, ironically, acknowledging the brilliance of the modern capitalist with this definition. The expansive nature is an admission that entrepreneurs and companies are bloody brilliant and are likely to come up with data practices nobody is currently contemplating. Instead of creating a category of specific types of data, the EU defaults to an informal “you-know-what-we-mean” standard. Other countries and states are following this trend in their new privacy laws as well, including the California Consumer Privacy Act.
a. GDPR Pseudonymization
Yes, pseudonymization is a real word. No, it is not the title of a new Christopher Nolan movie. Pseudonymization is essentially the act of anonymizing personal data for use. Assume we have a database of personal data. The elements of that data we can use to identify a person – name, email address, IP address, geolocation, etc. – are replaced with an artificial identifier such as “murderbot 1,” “murderbot 2,” and so on. [“The Murderbot Diaries” by Martha Wells – a humorous series.]
The EU looks favorably on the concept from a data breach perspective. If a hacker breaches a company’s security, the data has little value unless, of course, the hacker is interested in murderbots. Pseudonymization is a pain in the derriere but provides many benefits under the regulation.
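As an added illustration of the pseudonymization just described (example code written for this summary, not the author’s), the identifying fields are swapped for “murderbot N” labels and the mapping back to the real identifiers is kept in a separate lookup table; the customer records are constructed sample data.

```python
"""Pseudonymization of a small personal-data table.

Direct identifiers (name, email, IP address, geolocation) are moved out of the
working dataset and replaced with an artificial identifier ("murderbot 1",
"murderbot 2", ...). The mapping back to the real identifiers is held in a
separate lookup table; under Article 4(5) GDPR that "additional information"
must be stored separately and protected. While the lookup table exists the
working set is still personal data, only pseudonymized; destroying the table
is what would make it anonymous.
"""

# Fields the article lists as identifying a person. Anything else stays in the
# working dataset because the (hypothetical) purpose, order statistics per
# country, needs it.
IDENTIFYING_FIELDS = ("name", "email", "ip", "geolocation")

# Constructed sample records: fictional people, RFC 5737 documentation IPs.
CUSTOMERS = [
    {"name": "Anna Berg", "email": "anna@example.org", "ip": "192.0.2.10",
     "geolocation": (59.33, 18.07), "country": "SE", "order_total": 42.50},
    {"name": "Luc Martin", "email": "luc@example.org", "ip": "198.51.100.7",
     "geolocation": (48.86, 2.35), "country": "FR", "order_total": 19.99},
    # Same person as the first record (same email): must get the same pseudonym.
    {"name": "Anna Berg", "email": "anna@example.org", "ip": "192.0.2.11",
     "geolocation": (59.33, 18.07), "country": "SE", "order_total": 7.00},
]


def pseudonymize(records):
    """Return (working_set, lookup_table).

    working_set:  records with identifying fields removed and a 'subject'
                  pseudonym added; this is what analysts or a processor get.
    lookup_table: pseudonym -> identifying fields; store it separately,
                  restrict access to it, and log every use.
    """
    working = []
    lookup = {}
    by_email = {}  # normalised email is the join key: one person, one pseudonym
    for rec in records:
        email = str(rec["email"]).strip().lower()
        if email not in by_email:
            by_email[email] = f"murderbot {len(by_email) + 1}"
            # Identifiers from the first record seen for this person are kept.
            lookup[by_email[email]] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        clean = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        clean["subject"] = by_email[email]
        working.append(clean)
    return working, lookup


def reidentify(working_record, lookup):
    """Re-join one working record with its identifiers. Only possible while
    the separate lookup table exists and the caller may read it."""
    merged = dict(working_record)
    merged.update(lookup[merged.pop("subject")])
    return merged


def leaks_identifiers(dataset):
    """Pre-export check: True if any identifying field is present, e.g. a
    column added later without review."""
    return any(f in rec for rec in dataset for f in IDENTIFYING_FIELDS)


def totals_by_country(working):
    """The analysis the working set exists for; it needs no identifiers."""
    out = {}
    for rec in working:
        out[rec["country"]] = round(out.get(rec["country"], 0.0) + rec["order_total"], 2)
    return out


if __name__ == "__main__":
    working_set, lookup_table = pseudonymize(CUSTOMERS)
    print(working_set)          # no names, emails, IPs or coordinates
    print(totals_by_country(working_set))
```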
GDPR Legal Basis
The GDPR mandates that companies may only collect and process personal data if a legal basis exists for such conduct. The EU recognizes six categories.
- Consent – The data subject gives their express permission.
- Contract – The data is necessary to enter into and perform a contract.
- Legal Obligations – The data collection and processing is conducted pursuant to a legal obligation.
- Subject’s Vital Interest – For example, a party collecting personal data concerning a flu epidemic.
- Public Interest – For example, a government agency acting in the public interest.
- Legitimate Interest – A company collects data for a legitimate interest where the collection and processing do not outweigh the fundamental rights of the data subject – an exceedingly vague balancing test.
A company’s legal basis for the collection of personal information will almost always be consent, contract, or legitimate interest.
a. GDPR Consent
Noticed a tsunami of cookie pop-ups when visiting websites and apps? These properties are trying to gather your consent to collect personal information about you. While supervisory authorities such as the ICO in the UK have suggested consent should not be the default legal basis for information collection, most companies have taken just such a position. So, what does the GDPR require in relation to consent? We find the answer in Article 7:
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
In brief, a company must obtain express consent for each type of data collection and processing activity. The business cannot require the data subject to provide the information in exchange for access to something. For example, online companies have often used carrots to build their mailing lists – “Get my free ebook on how to meet your dream Swedish Viking and other Viking tips” accompanied by a box asking for the person’s email address. The GDPR allows this approach, but you must cough up the ebook even if the person doesn’t enter their email address.
Obtaining consent can be a tricky proposition. Most companies are failing in this regard. Expect this status to change when the supervisory authorities start focusing on consent issues such as cookie usage.
b. Contractual Legal Basis
c. Legitimate Interest
Before we touch on the legitimate interest basis, allow me to suggest you may want to meditate, have an adult beverage, or go for a walk and contemplate becoming a monk, bartender, or other non-technical position. To understand the legitimate interest legal basis is to understand why companies find it so difficult to function in the European Union.
What is a legitimate interest under the GDPR? A balancing test: the rights of the individuals balanced against the rights of a party to collect information. Here’s the EU guidance:
The legitimate interests of a controller…may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
At any rate, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
In reality, a company using the legitimate interest basis should conduct a “legitimate interests assessment” test. One will:
- Identify a specific legitimate interest;
- Detail the processing of personal data necessary to achieve it; and
- Balance the processing versus the rights of the individual.
An example might be where a party has provided you with personal information concerning an event. A company can send additional information regarding the event since keeping the party updated is within the expected use of the information and doesn’t harm the party in question. However, if a company were to sell the personal information to other companies that hold events, such a transaction would not be a legitimate interest since the party would not expect such use.
As you can imagine, the legitimate interest basis is fraught with peril. One risks believing a legitimate interest exists only to be confronted by a supervisory authority with the opposing view and the power to levy fines. Significant fines.
Data Subject Rights
The GDPR focuses on providing individuals in the EU with more control over their data. While the EU creates much of this control through restrictive regulations for controllers and processors, the regulation also grants individuals specific affirmative rights:
- Withdrawal of Consent – A person who has given express consent has the right to withdraw it.
- Data Subject Access – A person can ask if a company has their personal information, including the categories, purpose of collection, and third parties to whom it is disclosed.
- Rectification – A person has the right to correct or complete any data a third party has collected about the individual.
- Erasure – A person can ask a company to delete specific personal data.
- Processing Restriction – The right to restrict a third party’s processing of personal data to limited purposes.
- Notification – All rights exercised must be passed on by the controller to processors.
- Data Portability – A person has the right to ask for a copy of all their data in a portable format.
- Right to Object – A person can object to a finding of legitimate interest or public interest as a legal basis for the collection of personal data.
- Right to Complain – Companies must publish a notice indicating the person in the EU has the right to complain to a supervisory authority.
- Search Engines – Right to demand a search engine remove personal data from search results.
You should view the list above as a brief summary of each requirement. Each subject has a sub-set of conditions, but a full discussion of each item would convert this article into a novella.
Privacy By Design
The General Data Protection Regulation attempts to not only address current technology and privacy concerns, but the future as well. While the EU does not require companies to employ psychics with hazy crystal balls to forecast the future, it does create a duty for companies to consider privacy when developing new products and services. This concept is known as integrating privacy by “design and default,” which may also be the name of my new band.
The general idea behind privacy by design is to consider what organizational measures can be taken to minimize the risk of exposure of the personal information of data subjects. For example, basic steps might include:
- Collecting only the information necessary to complete the task,
- Encrypting the data or using pseudonymization, and
- Eliminating unnecessary data collection or processing activities.
Importantly, these steps should be weighed against the state-of-the-art privacy standards in place at the time, as well as the cost of implementation. In short, the GDPR provides wiggle room, but a company should document the basis for taking and not taking appropriate steps concerning the privacy by design standard.
Data Protection Officer – DPO
The GDPR is a job generator! Yes, the EU has created a new officer position many companies will need to fill. Unlike other company officers, a DPO acts as an independent quasi-government actor responsible for assessing GDPR compliance by the company. The Data Protection Officer also serves as a contact point for the public to submit privacy questions. The GDPR does not require controllers and processors always to designate a DPO. Instead, a DPO must be appointed only:
Where the core activities of the controller or the processor consist of processing operations, which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale.
While we can probably agree that the core activities of Facebook and Google involve the systematic monitoring of data subjects on a large scale, where is the line drawn with small businesses? Article 29 Working Party provided the following guidance for “core activities” and “large scale.”
a. Core Activities
Article 37(1)(b) and (c) of the GDPR refers to the ‘core activities of the controller or processor’. Recital 97 specifies that the core activities of a controller relate to ‘primary activities and do not relate to the processing of personal data as ancillary activities’. ‘Core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals.
However, ‘core activities’ should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, the core activity of a hospital is to provide health care. However, a hospital could not provide healthcare safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs.
As another example, a private security company carries out the surveillance of a number of private shopping centers and public spaces. Surveillance is the core activity of the company, which in turn is inextricably linked to the processing of personal data. Therefore, this company must also designate a DPO.
On the other hand, all organisations carry out certain activities, for example, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.
b. Large Scale
[Guidelines on DPOs]
Article 37(1)(b) and (c) requires that the processing of personal data be carried out on a large scale in order for the designation of a DPO to be triggered. The GDPR does not define what constitutes large scale processing, though recital 91 provides some guidance.
Indeed, it is not possible to give a precise number either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations. This does not exclude the possibility, however, that over time, a standard practice may develop for identifying in more specific and/or quantitative terms what constitutes ‘large scale’ in respect of certain types of common processing activities. The WP29 also plans to contribute to this development, by way of sharing and publicising examples of the relevant thresholds for the designation of a DPO.
In any event, the WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
- The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing include:
- Processing of patient data in the regular course of business by a hospital
- Processing of travel data of individuals using a city’s public transport system (e.g. tracking via
- Processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- Processing of customer data in the regular course of business by an insurance company or a bank
- Processing of personal data for behavioural advertising by a search engine
- Processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
- Processing of patient data by an individual physician
- Processing of personal data relating to criminal convictions and offences by an individual lawyer
The Article 29 Working Party throws the net pretty broadly, which is a theme throughout the General Data Protection Regulation.
Data Security and Data Breaches
The GDPR requires controllers and processors to adopt and implement security measures to safeguard the personal information of data subjects. Interestingly, the regulation uses a sliding scale that adjusts based on the type of data stored and the cost of implementation. Put another way, a blog is not required to purchase and install the same security measures as Bank of America. Appropriate steps can include:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
If a data breach occurs, a controller or processor must notify the relevant supervisory authority within 72 hours. Oddly enough, the GDPR doesn’t automatically require companies to give notification to data subjects. Instead, businesses must only give such notice where the breach is likely to result in “high risk” to the “rights and freedoms” of data subjects. If employee Bob’s four-year-old daughter accidentally flushes a memory stick with customer information down the toilet, there isn’t likely to be a high risk to the rights and freedoms of data subjects. If a hacker breached a company’s security and made copies of all customer data…well, then.
Cross-Border Data Transfers
The EU included a rather healthy cross-border data transfer protocol in the GDPR that, if one was wont to hypothesize, suggests a certain cynicism. The GDPR restricts the transfer of data from the Union to third parties located in other areas of the world that do not meet specific “adequacy” requirements for privacy.
The EU representatives were concerned about two primary issues. First, companies would seek to evade the GDPR requirements by merely moving all collected data from locations in the EU to external countries. Second, many of the countries in question would not have stringent privacy laws – specifically, the United States, Russia, and China come to mind.
As you may be aware, the United States does not even have a national privacy law, which is problematic when combined with the fact the National Security Agency was caught red-handed hacking the accounts of various government leaders in Europe, including the smartphone of Angela Merkel. If an evil American tech company could move data collected in the EU to Nevada, well, who is to say what “unnatural things” Mark Zuckerberg would do with it?
Cross-border transfers to lawless privacy jurisdictions such as the United States are, however, still allowed. Companies wishing to make such transfers must put in place specific safeguards, which may include:
- Binding corporate rules,
- Standard contractual clauses adopted by the EU,
- Following an approved code of conduct, and
- Participating in an approved certification mechanism.
Companies in the United States can also meet the Privacy Shield requirements to facilitate the transfer of data. The Privacy Shield is an agreement between the EU and US that establishes privacy standards companies in the United States must agree to before pursuing cross-border transfers – a subject well beyond the scope of this article. Speak with legal counsel if you intend to transfer data from the EU to a non-EU location.
The General Data Protection Regulation represents an effort by the European Union to tackle modern data practices online and off. The GDPR represents an entirely new approach to privacy law, rendering compliance a challenge for most companies. However, the regulation is not going away and, if anything, the themes in the GDPR are spreading across the world and appearing in new legislation in locations such as California, New York, and Canada.
Contact me today for solutions to your GDPR needs.
Richard A. Chapo, Esq.