The European Union (EU) passed comprehensive privacy regulations last year with its General Data Protection Regulation (GDPR). These laws will go into effect in May 2018, less than a year away. While companies with a significant EU presence may already be fully aware of the GDPR's mandates and are taking steps to ensure their compliance, many purely US-based companies that purposely or inadvertently collect data from EU individuals over the Internet are still under the mistaken belief that these laws will not apply to them.
The GDPR creates a uniform privacy regime across the EU for the first time, replacing the current patchwork of member state laws implementing the current privacy Directive, and impacting all businesses and industry sectors collecting data from European Union individuals. But now, it’s not just companies with a European presence which may be affected. There is growing concern/anticipation in the online, digital advertising and e-commerce communities that the new EU regulations are “ripping the digital ecosystem apart,” and American companies should take notice.
“I’m surprised more marketers have not woken up to the implications of GDPR. The new regulations will be a significant challenge for the ecosystem and it’s difficult to forecast how technology will adjust.” – said Stephan Loerke, CEO of the World Federation of Advertisers, in an IAPP article.
To understand the concerns, an analysis of the distinctions between the new regulations and the existing EU data protection directive is appropriate. The GDPR mostly follows its predecessor, the EU Data Protection Directive 95/46/EC, with a few major distinctions:
1. GDPR Becomes Law Upon Implementation:
The GDPR is a regulation which takes legal effect immediately across all EU member nations upon its implementation on May 25, 2018, and does not need to be approved and adopted by member states (as the Directive did).
2. Personal Information Now Includes Web Traffic / Device Information:
The GDPR has expanded the definition of “personal information”. Personal information, under the EU Directive, included directly personally identifiable information (such as one’s name, address, credit card number, health information, etc.) and indirectly personally identifiable information (such as “the Reyes & Schroeder Associates privacy attorney working in Los Angeles”). However, it was unclear under the EU Directive if indirect identifiers included IP addresses or cookie strings, which have traditionally been viewed as non-personally identifiable information. Under the GDPR, this ambiguity is resolved. The GDPR’s definition of personal information now includes web traffic identifiers, IP addresses, website history tracking, mobile device IDs and location data, in addition to the more traditional forms of personal information.
The GDPR has a carve-out for what it calls “pseudonymous data”. This is data that has been subjected to technological security measures (e.g. hashing or encryption), so that the data no longer directly identifies an individual without the use of additional security keys. The use of pseudonymized data allows greater flexibility for companies to conduct data profiling without the data subject’s express consent.
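Pseudonymisation of an IP address (now personal information under the GDPR), as an added example that is not from the original article; the sample address and network are constructed, and the scheme is an illustration of the "additional security keys" point, not a legally mandated technique.

```python
# Added example, not from the original article. Pseudonymising an IP
# address shows why the "additional keys" in the definition matter: an
# unkeyed hash is reversible by enumerating candidate addresses, while
# an HMAC pseudonym can only be re-linked by whoever holds the key.
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Optional

# Constructed sample values (RFC 5737 TEST-NET-3), not real traffic.
SAMPLE_IP = "203.0.113.42"
CANDIDATE_NETWORK = "203.0.113.0/24"


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address: opaque-looking, but not secret."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a key stored separately from the data set."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def recover_ip(digest: str, network: str,
               derive: Callable[[str], str]) -> Optional[str]:
    """Re-identify a pseudonym by recomputing it for every address in the
    candidate network, using only a derivation the caller can compute."""
    for host in ipaddress.ip_network(network):
        if hmac.compare_digest(derive(str(host)), digest):
            return str(host)
    return None


def demo() -> dict:
    key = secrets.token_bytes(32)
    unkeyed = plain_hash(SAMPLE_IP)
    keyed = keyed_pseudonym(SAMPLE_IP, key)
    return {
        # Unkeyed: anyone holding the data set can recover the address.
        "unkeyed_recovered": recover_ip(unkeyed, CANDIDATE_NETWORK, plain_hash),
        # Keyed: the same search without the key finds nothing...
        "keyed_without_key": recover_ip(keyed, CANDIDATE_NETWORK, plain_hash),
        # ...while the key holder can still link records to the subject.
        "keyed_with_key": recover_ip(
            keyed, CANDIDATE_NETWORK, lambda ip: keyed_pseudonym(ip, key)),
    }
```

The key is the "additional security key" the article refers to: whoever holds it can still re-identify the data subject, so it must be stored and access-controlled apart from the pseudonymised records.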
3. Applicable to Data Processors:
Unlike the EU Directive, the GDPR no longer solely regulates data controllers (i.e. those responsible for the collection and storage of personal information), but now also applies to data processors (i.e. any entity that accesses, manipulates and/or processes the personal information in any manner).
Any person who has suffered damage as a result of infringement of the GDPR has the right to receive compensation from the data controller or the data processor responsible for the harm.
4. Extraterritoriality Enforcement:
The GDPR contains explicit extraterritoriality enforcement provisions, indicating the Regulation is meant to apply to any entity offering goods or services to EU individuals or processing the data of EU individuals, regardless of whether or not that entity has offices in, or connections with, the EU.
Article 3 of the GDPR states that the Regulation will apply to the processing of personal data of individuals who reside in the EU, when the processing is conducted by a controller or processor that is not established in the EU, if such processing relates to: (i) the offering of goods or services in the EU, whether payment is required or not (applicable to data controllers); or (ii) the monitoring of such individual’s behavior, to the extent that such behavior takes place within the EU (applicable to pure data processors).
5. Independent Data Protection Officer (DPO):
The GDPR requires all companies subject to its enforcement to employ an independent DPO to oversee the entity’s data collection, use, privacy and security policies and practices. This DPO should be in a position to act as an independent auditor, and should not be a member of the company’s IT or security team. Failure to appoint a DPO is a violation.
6. Reporting and Consent Requirements:
Additionally, as with the current EU Directive, transnational data flows to countries not deemed “adequate” by the EU Council are impermissible when such data contains personal information of EU individuals. The United States is currently not “adequate”, and consequently any EU personal data collected or processed in the US would automatically violate the GDPR unless certain limited conditions (discussed below) are met (such as the EU-US Privacy Shield). Also, like the current Directive, companies will need to follow the GDPR’s standard principles of notice, choice (requiring opt-in consent for the processing of personal information), accountability for onward transfer (i.e. restrictions on transnational data flows), security, data integrity and purpose limitation, access, recourse, enforcement and liability.
What Does This Mean For American E-Commerce and Digital Marketing?:
As a direct result of these major changes (in particular, distinctions 1-4), any American website or mobile application that promotes goods or services to EU individuals (for example, if prices for offered goods or services are provided in Euros) is within the scope of the GDPR. In addition, any American company providing a website or mobile application utilizing data profiling for business analytics, such as web traffic information, cookies, beacons, etc., is within the scope of the GDPR if such website/app is accessed by an EU individual. Not only that, but under the new regulations, even wholly American-based digital advertising, targeting or tracking companies, which do nothing more than process web traffic or tracking data exclusively for the purpose of delivering targeted advertising to an American company’s website, are subject to the GDPR if an EU individual’s information has been processed.
Dr. Johnny Ryan, head of ecosystem at PageFair, an Ireland-based ad serving technology company claims in an IAPP article, “Companies who create value only by using data and tracking people across the internet . . . will have their businesses seriously disrupted. . . . The EU is finally bringing a standard of privacy to digital, preventing the arbitrary collection and exchange of personal data that has been going on for 20 years. Digital has been in cowboy territory for too long – the [GDPR] is ripping the digital ecosystem apart.”
Essentially, under the GDPR, targeting and tracking companies will need to get user consent to continue with their business models, due to the GDPR’s choice requirements and expanded enforcement. Any and all data linked to a user, that follows the user across the Internet, will need to make itself known and seek express consent from the user, or be pseudonymized before it is accessed.
Dr. Ryan predicts, “the whole digital dynamic will move away from third party” as the GDPR will incentivize mergers and acquisitions of tech companies seeking to exploit media owners’ direct relationships with their readers and viewers.
Not only is the third party digital marketing space of concern for American data processing companies’ business models, but American data controllers, in particular e-commerce companies that advertise goods or services online worldwide, may run afoul of the GDPR. If such companies sell to an EU individual, or even offer goods or services in Euros, any data collected from an EU visitor to the website, including web traffic data, potentially violates the GDPR due to its restrictions on transatlantic flows of data to the US. As mentioned above, unless certain limited compliance methods are met, such transatlantic flows of data containing personal information of EU citizens are forbidden.
How To Comply with the GDPR and Avoid Liability:
An alternative means of compliance would be to enact what is known as “Binding Corporate Rules” (“BCRs”). Enacting these rules would entail revising a company’s Bylaws or Operating Agreement to include all of the EU data security principles. The company would again need to implement employee training and internal policies which govern the collection, use and storage of personal information in a manner which complies with the commitments. The rules, costs and timing for receiving approval of these BCRs from each country’s DPA can vary. Those utilizing this compliance method have often reported on the cumbersome nature of the approval process, and the accompanying delays, even after the BCRs have been implemented by the company.
Finally, a third approach to meeting the EU’s standards is the adoption of model contractual clauses to facilitate the transfer of EU personal information from EU individuals located in the EU to third party data recipients in the US. This method is intended for US companies contracting with data controllers in the EU, and is not suited to US companies which collect, process and/or control EU personal information directly from EU individuals. These model contractual clauses can be found on the EU Council’s website at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.
Any U.S. data controller or processor that accesses personal information, sent from an individual in the EU, is in violation of the GDPR, if it does not comply with one of the aforementioned methods. As previously mentioned, the liability for such violations can equal up to 4% of the company’s gross, global, annual revenues. While the extraterritoriality reach of the GDPR has yet to be challenged on a personal jurisdiction basis, and exactly how its provisions will be enforced with respect to purely US companies remains to be seen, the provisions of the GDPR itself are clear and are paving the way for a new era in digital.
Mr. Loerke expects a new global standard will be created as a result of the GDPR, stating in the IAPP article, “Marketers will work with whatever is the toughest data protection globally – like the Children’s Online Privacy Protection Act (1998), which was introduced to protect U.S. children under 13, but has become the international standard.”
Due to its restrictions on transnational flows of data, the expanded definition of personal information to include online identifiers, and the expanded scope of the regulation, applying to data processors and controllers anywhere in the world, the GDPR will certainly have a lasting impact on the digital industry and economy. It would behoove US companies to take note and start preparing for the GDPR’s implementation in May 2018. In particular, US companies with a digital presence should consider (i) implementing comprehensive internal data privacy and security policies, and (ii) whether self-certification under the EU-US Privacy Shield framework is appropriate to avoid potential liability under the GDPR.
The Law Offices of Reyes & Schroeder Associates, P.C. is experienced in counseling clients on certification requirements, procedures and document drafting for proper certification under the EU/US Privacy Shield framework. Our Attorney Partner, Michael W. Schroeder, is a Certified Information Privacy Professional (CIPP-US), licensed and certified by the International Association of Privacy Professionals (IAPP). For a free initial consultation to determine if EU/US Privacy Shield Certification is applicable and advisable for your company, please give us a call at 818-253-1641.
About the Author: Michael W. Schroeder, CIPP-US, is a licensed attorney in good standing in the State of California.