Companies that collect personal data from individuals in the European Union should be aware of the new General Data Protection Regulation (“GDPR”), approved by the European Parliament earlier this year and effective 25 May 2018. The GDPR will replace the current Directive 95/46/EC (“Directive”). Although the application date is two years away, compliance with the GDPR is onerous, and businesses should begin taking steps now so that they are fully compliant by the deadline.
The GDPR governs the collection and processing of “personal data,” a term broadly defined to include any data that directly or indirectly identifies a living individual (an “identified or identifiable natural person”). This includes online identifiers, device identifiers, cookie IDs, and IP addresses. The GDPR applies both to businesses that decide why and how personal data is processed (“controllers”) and to those that process personal data on a controller’s behalf (“processors”), and it reaches businesses outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU.
The conditions for relying on consent have become stricter. Where a business relies on consent to use an individual’s personal data, the consent must be freely given, specific, informed, and unambiguous, and it must be signaled by a clear affirmative act, such as the person checking a box when visiting a website or choosing technical settings; silence, inactivity, and pre-checked boxes do not count. A request for consent must be presented separately from other matters and not buried in a broader agreement addressing other topics. A business cannot make its services contingent on consent to processing that is not necessary to perform those services. Where online services are offered directly to children, the GDPR requires parental consent for children under 16 years old, although Member States may lower that age to no less than 13.
The GDPR requirements for informing individuals how their personal data is used are more extensive than what the Directive currently requires. In addition to the information required under the Directive, businesses must provide individuals with the contact details of the company’s “data protection officer” (where one has been appointed), the legal basis for processing the data, any intended transfer of the data outside the EU and the safeguards relied on for it, the retention period (or the criteria used to set it), the individual’s rights to restrict and erase the personal data, and the individual’s right to withdraw consent.
An individual who has given consent may withdraw it at any time, and withdrawing consent must be as easy as giving it; a business cannot, for example, accept consent with a single click but require a written letter to withdraw it. Withdrawal does not affect the lawfulness of processing carried out before it. Individuals also have the right to have their personal data erased when they withdraw consent and no other legal basis for the processing remains, and they may object at any time to processing for direct marketing. When a business erases data on such a request, it must inform the other recipients to whom it disclosed the data and, where it made the data public, take reasonable steps to inform other businesses that are processing it.
To reduce the likelihood and impact of data breaches, the GDPR subjects businesses to greater data governance obligations. These include conducting Data Protection Impact Assessments (often called Privacy Impact Assessments) before high-risk processing, which analyze the risks to individuals and the measures that address them, and, in the circumstances the GDPR specifies (for example, large-scale monitoring of individuals or large-scale processing of sensitive data), appointing a data protection officer, whose duties include advising on compliance, monitoring it, and training staff. The GDPR also imposes breach notification duties: a breach must be reported to the appropriate supervisory authority without undue delay and, where feasible, within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, the affected individuals must be notified as well. Businesses must document every breach, including its facts, its effects, and the remedial action taken, whether or not it was notified.
Transfers of personal data to countries outside the EU remain restricted unless the destination has been found to provide adequate protection or appropriate safeguards (such as standard contractual clauses or binding corporate rules) are in place. The U.S.-EU Safe Harbor framework that previously supported transfers to the United States was invalidated by the Court of Justice of the European Union in October 2015 and is no longer available; discussions are ongoing on a replacement framework, the EU-U.S. Privacy Shield, for use under the GDPR regime.
The penalties for noncompliance with the GDPR are severe. An individual who suffers damage from a violation may bring an action for compensation against the responsible controller or processor. Administrative fines are set case by case and, depending on the provision breached, can reach up to €10,000,000 (approximately $11.3 million USD) or 2% of the business’s total worldwide annual turnover for the preceding financial year, and, for the most serious violations (such as breaches of the consent requirements, individuals’ rights, or the transfer rules), up to €20,000,000 (approximately $22.6 million USD) or 4% of worldwide annual turnover, in each case whichever is higher.
If you have any questions regarding the General Data Protection Regulation, please contact us.