The E.U. General Data Protection Regulation (“GDPR”) is a new regulatory framework, which aims to protect citizens of the European Union from data and privacy breaches.[1] Passed by the E.U. Parliament in April of 2016, the GDPR is set to take effect May 25th, 2018, following a two-year transitional grace period.[2] However, this regulation reaches far beyond the borders of the European Union, and is set to become the new international standard for data protection.[3]
The GDPR will usher in a myriad of new standards for data security and privacy. The focus of these provisions is creating and protecting rights for “data subjects,” the GDPR’s term for individuals who give their personal information to companies.[4] One such right is what the GDPR dubs the “right to be forgotten.” This is also referred to as the right to erasure, and it obligates companies to erase personal data when: (1) “the personal data are no longer necessary in relation to the purposes for which they were collected,”[5]; (2) “the data subject withdraws consent,”[6]; (3) “the data subject objects to the processing,”[7]; or (4) “The personal data have been unlawfully processed.”[8]
The GDPR establishes a strict 72-hour notification timeframe when companies suffer a personal data breach.[9] For comparison, a proposed bill in Congress, the Personal Data Notification and Protection Act of 2015, would have established a relatively lengthy 30-day notification period.[10] The GDPR also substantially strengthens the requirements for obtaining valid consent from subjects to process their personal data, with the intent of making consent forms easier for data subjects to understand and withdraw from.[11] Certain organizations, depending on the sensitivity and/or volume of data they process, must appoint a Data Protection Officer, who will be responsible for internally monitoring the company’s data policies to ensure compliance.[12] Despite the many additional provisions in the GDPR, these provisions are likely the leading cause of the uproar among corporations.
Why should American-based organizations concern themselves with the GDPR? The answer to that question lies in the most dramatic provision of the GDPR: its extra-territorial application. The provisions of the GDPR are not limited to organizations incorporated or physically located within the E.U.; it applies to “all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”[13] Essentially, this means any company or organization offering goods or services to E.U. citizens must comply with the new data protection standards, even if they are located entirely within the United States.[14] More importantly, non-European companies that manage E.U. citizens’ data and fail to comply with the GDPR will be subject to substantial fines for non-compliance. The penalties for non-compliance can reach as high as 4% of total global revenues or €20,000,000 (approximately $24 million), whichever is higher.[15]
Considering the potentially devastating impact non-compliance could have on a firm, it’s not surprising that many companies are treating compliance as a top priority. In a 2016 survey by PricewaterhouseCoopers (“PwC”), 54% of respondents indicated that GDPR compliance and readiness was their organization’s number-one priority regarding data and privacy.[16] An additional 38% cited GDPR preparedness as among several top priorities.[17] Despite this, more than half of affected U.S. companies are expected to be non-compliant with the GDPR when it comes into force this May.[18] This figure is particularly striking considering the regulation’s two-year transition period. One possible factor slowing the implementation may be the cost of compliance; PwC found that of the companies it surveyed, 77% anticipated spending upwards of $1 million to strengthen their data policies.[19]
While the GDPR is certainly set to change the global data and privacy landscape, it may not be the burden that many companies initially anticipated. These new provisions can be perceived as a ratcheting up of existing standards,[20] and as a codification of best business practices for data security.[21] Implementation of heightened security standards may also yield residual benefits for multinational organizations, especially financial institutions. Officials from the American Bankers Association have noted that for companies forced to comply with the GDPR, creating a uniform policy for all data will be more pragmatic than segregating E.U. data.[22] For companies that take this approach the increased protection offered to U.S. data subjects, combined with the mandated transparency regarding data breaches, could generate substantial good will for U.S. corporations.[23] Moreover, compliance will ensure that U.S. companies can remain competitive in European markets.[24] If the GDPR establishes a new industry standard, even companies that do not handle E.U. data may start to feel the pressure to match the policies of their multinational competitors.
[1] The EU General Data Protection Regulation Portal, http://www.eugdpr.org/the-regulation.html (last visited Sept. 22, 2017).
[2] Id.
[3] See Sean Michael Kerner, HPE Explains What European GDPR Privacy Regulations Mean to U.S. Firms (May 1, 2017), http://www.eweek.com/security/hpe-explains-what-european-gdpr-privacy-regulations-mean-to-u.s.-firms; Press Release, PricewaterhouseCoopers, GDPR Compliance Top Data Protection Priority for 92% of US Organizations (Jan. 23, 2017), http://www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.html.
[4] See The EU General Data Protection Regulation Portal, http://www.eugdpr.org/the-regulation.html (last visited Sept. 22, 2017).
[5] Article 17 does also carve out limited exceptions to this right. See Council Directive 95/46, art. 17, 2016 O.J. (L 119) 1, 2 (EC).
[6] Id.
[7] Id.
[8] Id.
[9] Council Directive 95/46, art. 33, 2016 O.J. (L 119) (EC).
[10] Personal Data and Notification Act of 2015, H.R. 1704, 114th Cong. §101(c) (2015).
[11] Council Directive 95/46, art. 7, 2016 O.J. (L 119) 2 (EC).
[12] The EU General Data Protection Regulation Portal, http://www.eugdpr.org/gdpr-faqs.html (last visited Sept. 22, 2017).
[13] Id.
[14] Id. See also, Alex Bennett, For U.S. Businesses, GDPR Takes Effect Next Year. Here are 9 Requirements You’ll Need to Meet, BUSINESS.COM (July. 13, 2017), https://www.business.com/articles/nine-gdpr-requirements-for-2018/; Jeff Stone, New European Union Financial Rules to Give U.S. Customers Protection as Well, Wall Street J. (Apr. 24, 2017, 11:29 PM), https://www.wsj.com/articles/new-european-union-financial-rules-to-give-u-s-consumers-protection-as-well-1493085780; Press Release, PricewaterhouseCoopers, GDPR Compliance Top Data Protection Priority for 92% of US Organizations (Jan. 23, 2017), http://www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.html.
[15] Council Directive 95/46, art. 83, 2016 O.J. (L 119) 5 (EC).
[16] PwC surveyed 200 c-suite executives and General Counsels from large U.S. companies about their organization’s plans to prepare for the GDPR. Press Release, PricewaterhouseCoopers, US Companies Ramping Up General Data Protection Regulation (GDPR) Budgets, (Jan. 23, 2017), http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/pwc-gdpr-series-pulse-survey.pdf.
[17] Id.
[18] Patrick Lastennet, A ‘Wait and See’ Approach for GDPR is Going to be Pricey for U.S. Organizations Doing Business with the E.U., Entrepreneur (Sept. 5, 2017), https://www.entrepreneur.com/article/299583.
[19] See supra note 11.
[20] See Steve Wood, GDPR is an Evolution in Data Protection, Not a Burdensome Revolution, Information Commissioner’s Office: Blog (Aug. 25, 2017), https://iconewsblog.org.uk/2017/08/25/gdpr-is-an-evolution-in-data-protection-not-a-burdensome-revolution/.
[21] See Lastennet, supra note 13.
[22] Jeff Stone, New European Union Financial Rules to Give U.S. Customers Protection as Well, Wall Street J. (Apr. 24, 2017, 11:29 PM), https://www.wsj.com/articles/new-european-union-financial-rules-to-give-u-s-consumers-protection-as-well-1493085780.
[23] Id.
[24] Wood, supra note 15.
