|
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) became effective. Many companies struggling to get up to speed are encountering a few blind spots or stumbling blocks in determining whether it applies to them and what they need to do as a result. Below are a few common misunderstandings that may help you as you assess whether your company has any obligations under GDPR.
The Applicability Blindspot: Just Because You’re a U.S. Company Doesn’t Mean That GDPR Doesn’t Apply to You
Many companies may think GDPR does not apply because they are a U.S. company without any European focus or locations. This may not be correct, especially if you have a significant online presence, or engage in significant online marketing and analytics. GDPR applicability follows the resident, not the business location. Article 3(2) of the GDPR addresses the applicability of GDPR to businesses not located in the European Union (EU). It states that the GDPR applies to: “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- “The offering of goods or services, irrespective of whether a payment of the data subject is required to such data subjects in the Union; or
- The monitoring of their behavior as far as their behavior takes place within the European Union”
What does this mean? Much remains to be seen as further guidance, interpretation and enforcement decisions will continue to emerge from Europe. However, many experts cite pre-existing decisions on similar issues that state that “offering goods or services” requires some sort of active targeting of European consumers. In other words, just because you have a website and European consumers may run across it, doesn’t mean that you are “offering goods or services.” However, if you are selling goods or services online with a European-specific domain name (e.g., www.website.eu or www.website.de), or if you allow payment in euros or other European currency, then this has been interpreted (in other contexts) to be sufficient targeting to constitute “offering of goods or services.”
Importantly, even if you are not subjected to the GDPR through “offering of goods or services, ” you still may be subject to the GDPR under the second prong of monitoring the behavior of European consumer located in Europe. (Monitoring the behavior of European tourists on vacation in the U.S. doesn’t count.) This is where many U.S.-only businesses may find themselves subjected to GDPR. To properly understand “monitoring of behavior, ” we must first understand the scope of personal data and activities involved:
- “Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
- “Personal data” means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an ID number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”
Therefore, virtually any activity related to personal data is in scope, and “personal data” is much broader than traditional American notions of personally identifiable information — not only names and email addresses, but also IP addresses, cookies, tags, pixels, GPS location data, etc. As data analytics and marketing becomes more and more sophisticated, it is possible that you are “monitoring the behavior” of European visitors to your websites or apps, and thus subject to GDPR even if you are NOT “offering goods or services” to them. For this reason (among others), many U.S. newspapers are currently blocking access by European visitors until they can figure out how they can comply with GDPR.
The Definition Blindspot: Data Controller vs. Data Processor
A “data controller” determines the purposes and methods of processing personal data. A “data processor” processes the personal data on behalf of the controller. Some companies may be both data controllers and data processors, depending on the nature and purposes of their activities. Understanding these distinctions is important, because the obligations for each differ under the GDPR.
For example, if you are a marketing agency that collects email addresses through your website to send regulatory newsletters related to your services, and use an analytics service to analyze the behavior of the newsletter recipients, you are a data controller and your third party analytics service is your data processor. On the other hand, to the extent you also manage email or social media campaigns on behalf of your client, and thus process data (remember the broad definition above) as a result on behalf of the client to provide insights and value, you are also a data processor, and your client is the data controller.
The Scope Blindspot: It’s About More than Just Your Privacy Policy
Around May 25, our inboxes were flooded with emails from service providers and other companies, informing us of updates to their privacy policies or statements as a result of GDPR. It is therefore easy to assume that the GPDR compliance “fix” is simply an update to the privacy policy and nothing more. Indeed, transparency is an important and consistent principle throughout the regulation. However, it would be a mistake to believe that simply updating your privacy notice is the only thing that you have to think about.
To the contrary, the GDPR regulations set forth a number of fundamental rights for data subjects, and transparency/informed consent is just one of them. There is a high bar for consent, but also several exceptions that may be applicable, such as contract performance and “legitimate interests.”
In addition, companies need to be thinking about how they are equipped to address various requests from data subjects wishing to exercise their GDPR rights. These include, for example, the right to have their data erased, to have it ported to another company (even a competitor), to correct or delete data, to object to or restrict processing, and to not be subject to decisions based solely on automated processing. Companies must also designate a data protection officer and should minimize the amount of data collected and retained for the right purposes. The controller must have written contracts in places with its processors that provide “sufficient guarantees” that GDPR requirements will be met and the rights of data subjects protected. Therefore, an updated privacy policy is simply one piece of a larger puzzle of GDPR compliance.
Brandon N. Robinson is a partner at Balch & Bingham focusing on energy regulation, cybersecurity and data privacy, and emerging technologies. One of the first Alabama attorneys to obtain the IAPP’s CIPP/US certification as a privacy professional, Robinson counsels multiple industries on data privacy and cybersecurity issues. Robinson has worked with a number of agencies in developing industry-wide standards and best practices, and serves as the editor of the firm’s Data Privacy & Security Observer blog, which covers legal developments in data privacy and cybersecurity, and which can be accessed at dataprivacyandsecurityobserver.com.
Brandon N. Robinson
