What is the General Data Protection Regulation (GDPR) and How Will it Change Your Business This May 2018?
All eyes are on Europe now as the Union works to implement its new data protection regime, one that is expected to have a ripple effect into the States. Europe is known for having a regulated privacy regime when it comes to consumer data, as opposed to the United States' decentralized and self-regulating regime. The General Data Protection Regulation (GDPR) hopes to change how the US treats data collection, processing, and use. Within this article, we discuss Europe's current data protection laws, America's laws and its changes, and how these changes may impact your business.
1. Europe's Privacy Protection Regime
Europe is known to have a greater regulatory scheme in terms of consumer data and protection, and provides certain rights such as the right to be forgotten online. Before the GDPR, Europe had the Data Protection Directive (DPD), a directive with the purpose of regulating the processing of personal data within the European Union (EU). The Directive establishes the same level of data protection throughout all member States, and facilitates the free flow of information through equal levels of protection. The directive was built on seven principles, including:
The DPD made parties responsible not only for the data they managed during operations within the EU, but also when controllers used equipment in the EU to process personal data. Even controllers established outside the EU had to comply with the directive, even when they were processing data outside of the European Union.
What is Considered Personal Data?
The DPD defines personal data as "any information relating to an identified or identifiable natural person ('data subject')." It defines an identifiable person as one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
What is considered electronic communications? (WhatsApp, Facebook Messenger?)
The DPD applies to anyone who processes personal data. The DPD defines this process as any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
What does the EU require from controllers?
The Directive requires processors of personal data to establish technical security safeguards, provide notification to users whose data is being collected, and establish "rights" for users to be informed about their data and how it is used, and to object to the transfer of, or make corrections to, that data.
How many years do they have to keep their info for?
While the DPD establishes directives and guidelines for data collection and processing, the language within it is broad and open to interpretation. For example, the DPD requires data be "processed fairly and lawfully," collected "for specified, explicit and legitimate purposes, and not further processed in a way incompatible for those purposes," and "adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or further processed." It relies on the member states to "lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use," but does not define what safeguards are appropriate.
Do they need individual consent?
Processors require a person's consent, meaning the user must give a specific and informed indication of their wishes by which they signify agreement to the processing of their personal data. The DPD also requires that consent be unambiguous, and that data be processed only if "necessary" under the specific circumstances established within the directive.
Are privacy policies enough to be considered consent and/or notice?
Whether privacy policies are enough to comply with the DPD is an issue that many argue and struggle with. A privacy policy is considered to follow an "opt-out" model, where users have to actively "opt out" of the terms of a website in order to refuse the collection of their personal data. Others argue that the notice and choice regime of these policies is the equivalent of giving users notice and obtaining "consent," because it is considered that, by using the website, users consent to the data collection and processing.
The DPD also requires that processors give users information about who is collecting their data, the purposes of data collection, and "in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject."
Are there any penalties and fines for breaches?
The Directive includes sanctions for member states that infringe on the provisions established within the directive, and allows persons who've suffered damages as a result of "unlawful processing" to seek compensation from the data controller.
How will the change affect these answers?
The DPD was a start for Europe, but innovation and developments in data collection required more than what the directive could provide. The proposal for a reform of data protection rules in Europe was submitted in 2012, with the intention to eliminate the fragmented and expensive administrative measures that came with implementing and enforcing the DPD across the different member states. The text was finalized and approved in 2016.
It's important for practitioners to understand the European practice in order to be aware of the changes and their implications for the law.
2. The General Data Protection Regulation (GDPR)
The GDPR goes into effect on May 25, 2018, and will have a big impact on the United States' data collection and processing as we know it. Among the changes are the right for users to access the personal information that companies collect, the obligation for companies to establish better management systems for collected data, and a series of fines for failure to follow the Regulation. Furthermore, the GDPR is expected to establish a responsibility for companies to obtain explicit consent from the people they collect information from and about.
It sets out the rules that companies must abide by when processing personal data, and requires that they do so in a transparent manner so that consumers are aware of what data is being collected and for what specific purpose it is being used.
What is the rule? Key elements or requirements
The GDPR established a series of "rights" for the subjects of data collection, including notifying users of any data breaches "without undue delay," the right to access the information that is being collected from them and for what purpose (including being provided a copy of the personal data), and the right to erase certain personal data upon request. It also attempts to integrate "Privacy by Design," a concept used to describe the need to implement appropriate technical and organizational measures in an effective way, as opposed to adding data protection measures after a system is fully designed.
The GDPR applies to individuals, organizations, and companies that are controllers or processors of personal data. The Information Commissioner's Office, which will be enforcing the GDPR, says that those subject to the DPA will likely be subject to the GDPR as well.
What does the GDPR cover?
The GDPR covers both personal data, including information that can be used to identify a person (name, address, or IP address, for example), and sensitive personal data, such as genetic data, political views, sexual orientation, and more. The GDPR expands protection of consumer data by including pseudonymised personal data within the categories of information it protects.
How does this compare to what we were used to?
One aspect that has many companies and legal scholars questioning is the requirement of consent. The EU GDPR website explains that companies will no longer be able to claim consent from "long illegible terms and conditions full of legalese." The GDPR requires that a request for consent be given in an intelligible and easily accessible form, with the purpose for data processing attached to said consent. It must be clear and distinguishable from other matters, and provided in an easily accessible form using clear and plain language.
What types of fines and penalties can companies expect?
The GDPR plans to impose severe penalties on companies in breach of the new regulations, with fines up to 4% of the annual global turnover, or 20 million pounds (whichever is greater). The fines vary according to the seriousness of the violation, such as not having sufficient consumer consent, or violating one of the core Privacy by Design concepts. Because the fines depend on the violation, companies must understand the ramifications of every requirement within the new regulations.
Some people still have concerns in regards to the GDPR and the effectiveness of the new regulations. For example, the GDPR requires companies to provide a reasonable level of protection for the personal data they collect, but does not define what constitutes reasonable. Business advocates also argue that the GDPR places too high a standard on companies, and that it will impact how these companies administer or do business across Europe.
Any company that stores or processes personal information about European users or within the European countries will likely have to comply with the GDPR. The GDPR is important for practitioners and companies to be aware of, because the changes may require revising privacy policies for the sake of compliance, and ensuring that the manner of data collection established on their sites is effectively disclosed to their users.
What does this mean for a consumer? What does this mean for a company?
For consumers, the GDPR hopes to provide users greater access to, and information about, the types of data that companies and websites collect and process, as well as clear, detailed information as to the purposes of that data collection. For companies, the GDPR strives to integrate the concepts of consumer privacy into the design and method by which they collect user data from their websites, while also ensuring compliance with the GDPR specifications, or face high penalties for violations.
3. US v. EU: Impact of the GDPR on US Statutes
The GDPR also has further implications for existing US federal statutes that regulate certain data and data collection. One of these laws is the CAN-SPAM Act, a law that establishes rules for commercial emails, mostly known as spam or advertising emails. The Act applies to all commercial messages, which are defined as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service," including email that promotes content on commercial websites.
The GDPR impacts the CAN-SPAM Act because emails that are sent out to European countries will also have to abide by the new Regulation's requirements. Specifically, CAN-SPAM requires users to "opt out" of e-mails, which means that email marketers can continue to email these users so long as they don't take action. The GDPR, however, requires consent from a user in order to process user information and data.
This is another example of the difference between European privacy laws and US privacy laws. European law often requires explicit consent from users via an "opt-in" option, while the US allows consent to be inferred from the user's use of a website or platform, and provides them an "opt-out" option if they choose to refuse the collection of data. It is a result of Europe's centralized privacy regime in contrast to the US' deregulated regime of privacy and data collection.
Practitioners need to be aware of these new regulations and how they may affect, impact, or even contradict existing US laws in order to ensure compliance and avoid fines.
What does this mean for US attorneys in May 2018?
Data collection and privacy within the US has been predominantly limited in regulation to certain areas of information (financial, medical, and legal institutions). Companies that collect and process consumer information, but do not collect those types of information, are given the discretion to determine their own policies and methods for data collection. With the GDPR on the rise, practitioners need to be aware and advise clients that there are new requirements in place, and companies will need to comply or learn to avoid processing and collecting data from Europe altogether.
I am a current law student at New York Law School and hope that this information can help you in your law practice. Please note that none of the above in this article should be construed as legal advice; it is instead my opinion and research.