The European Union GDPR’s Impact on American E-Commerce and Digital Advertising: A New Era in Digita
The European Union (EU) adopted comprehensive privacy regulations last year with its General Data Protection Regulation (GDPR). The Regulation takes effect on May 25, 2018, less than a year away. While companies with a significant EU presence may already be fully aware of the GDPR's mandates and are taking steps to ensure their compliance, many purely US-based companies that purposely or inadvertently collect data from EU individuals over the Internet are still under the mistaken belief that these rules will not apply to them.
The GDPR creates a uniform privacy regime across the EU for the first time, replacing the current patchwork of member state laws implementing the existing privacy Directive, and impacting all businesses and industry sectors collecting data from European Union individuals. It is no longer only companies with a European presence that may be affected. There is growing concern in the online, digital advertising and e-commerce communities that the new EU regulations are “ripping the digital ecosystem apart,” and American companies should take notice.
“I’m surprised more marketers have not woken up to the implications of GDPR. The new regulations will be a significant challenge for the ecosystem and it’s difficult to forecast how technology will adjust,” said Stephan Loerke, CEO of the World Federation of Advertisers, in an IAPP article.
To understand the concerns, an analysis of the distinctions between the new regulations and the existing EU data protection directive is appropriate. The GDPR mostly follows its predecessor, the EU Data Protection Directive 95/46/EC, with a few major distinctions:
1. GDPR Becomes Law Upon Implementation:
The GDPR is a regulation that takes legal effect directly and simultaneously across all EU member states on May 25, 2018, and does not need to be transposed into national law by each member state (as the Directive did).
2. Personal Information Now Includes Web Traffic / Device Information:
The GDPR has expanded the definition of “personal information”. Personal information, under the EU Directive, included directly personally identifiable information (such as one’s name, address, credit card number, health information, etc.) and indirectly personally identifiable information (such as “the Reyes & Schroeder Associates privacy attorney working in Los Angeles”). However, it was unclear under the EU Directive if indirect identifiers included IP addresses or cookie strings, which have traditionally been viewed as non-personally identifiable information. Under the GDPR, this ambiguity is resolved. The GDPR’s definition of personal information now includes web traffic identifiers, IP addresses, website history tracking, mobile device IDs and location data, in addition to the more traditional forms of personal information.
The GDPR gives special treatment to what it calls “pseudonymised” data. This is data that has been processed with technical measures (e.g. keyed hashing or encryption) so that it can no longer be attributed to a specific individual without the use of additional information, such as a key or lookup table, that is kept separately and protected. Pseudonymised data is still personal data under the GDPR (it can be re-identified), so it does not escape the Regulation, but the GDPR treats pseudonymisation as a safeguard that gives companies greater flexibility, for example when assessing whether further processing such as profiling is compatible with the purpose for which the data was originally collected, without obtaining fresh express consent from the data subject. Note that unkeyed hashing of a small identifier space (IPv4 addresses, phone numbers) is trivially reversible by enumeration and should not be relied on as pseudonymisation.
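The following is an added example, not code from the original article, illustrating why the distinction between unkeyed hashing and keyed pseudonymisation matters for web-traffic identifiers such as IP addresses. The log lines and the key are constructed for this example (addresses are from the RFC 5737 documentation range, and `EXAMPLE_KEY` stands in for a secret that would in practice be generated randomly and stored separately from the pseudonymised data).

```python
import hashlib
import hmac
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample access-log lines in Common Log Format. The addresses come from
# the RFC 5737 documentation range and the requests are invented for this example.
SAMPLE_LOG = [
    '192.0.2.44 - - [10/Oct/2017:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.44 - - [10/Oct/2017:13:55:41 +0000] "GET /pricing HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2017:13:56:02 +0000] "POST /signup HTTP/1.1" 302 0',
]

# Hypothetical key for the example only. A real deployment would generate this with
# secrets.token_bytes(32) and keep it apart from the data (separate store, HSM, or KMS),
# which is exactly the "additional information kept separately" the GDPR describes.
EXAMPLE_KEY = bytes.fromhex("0f" * 32)


def naive_pseudonym(ip: str) -> str:
    """Unkeyed SHA-256 of the address: deterministic, but reversible by enumeration,
    because anyone can hash every candidate address and compare."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the address under a secret key. Still deterministic, so all
    records for one client remain linkable for analytics, but without the key an
    attacker cannot test guesses against the stored pseudonyms."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def reverse_naive(target: str, network: str) -> Optional[str]:
    """Recover the address behind an unkeyed hash by hashing every host in `network`.
    A /24 takes milliseconds here; the entire IPv4 space (2**32 values) is only
    minutes of work on commodity hardware, which is why unkeyed hashing of IPs
    does not qualify as pseudonymisation."""
    for host in ipaddress.ip_network(network).hosts():
        if hmac.compare_digest(naive_pseudonym(str(host)), target):
            return str(host)
    return None


def pseudonymise_log(lines: Iterable[str], key: bytes) -> List[str]:
    """Replace the client address (first field of each CLF line) with its keyed pseudonym,
    leaving the rest of the record intact for traffic analysis."""
    out = []
    for line in lines:
        ip, _, rest = line.partition(" ")
        out.append(f"{keyed_pseudonym(ip, key)} {rest}")
    return out


if __name__ == "__main__":
    # The unkeyed hash gives the address straight back to anyone who enumerates a range.
    leaked = naive_pseudonym("192.0.2.44")
    print("unkeyed hash reversed to:", reverse_naive(leaked, "192.0.2.0/24"))

    # The keyed pseudonym cannot be matched by the same enumeration without the key.
    protected = keyed_pseudonym("192.0.2.44", EXAMPLE_KEY)
    print("keyed pseudonym reversed to:", reverse_naive(protected, "192.0.2.0/24"))

    for record in pseudonymise_log(SAMPLE_LOG, EXAMPLE_KEY):
        print(record)
```

Two points worth noting from the output: the first two records still share a pseudonym, so per-client analysis survives, and re-identification is possible only by someone holding `EXAMPLE_KEY`, which is why the key must be stored and access-controlled separately from the log data. Rotating the key periodically bounds how long any one pseudonym can be linked across datasets.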
3. Applicable to Data Processors:
Unlike the EU Directive, the GDPR no longer solely regulates data controllers (i.e. those who determine the purposes and means of collecting and using personal information), but now also imposes direct obligations on data processors (i.e. any entity that stores, accesses, manipulates or otherwise processes the personal information on a controller's behalf, such as a hosting provider or analytics vendor).
Any person who has suffered damage as a result of infringement of the GDPR has the right to receive compensation from the data controller or the data processor responsible for the harm.
4. Extraterritoriality Enforcement:
The GDPR contains explicit extraterritoriality enforcement provisions, indicating the Regulation is meant to apply to any entity offering goods or services to EU individuals or processing the data of EU individuals, regardless of whether or not that entity has offices in, or connections with, the EU.
Article 3 of the GDPR states that the Regulation applies to the processing of personal data of individuals who are in the EU by a controller or processor that is not established in the EU, where the processing relates to: (i) the offering of goods or services to such individuals in the EU, whether or not payment is required; or (ii) the monitoring of such individuals' behavior, to the extent that the behavior takes place within the EU. Both prongs apply to controllers and processors alike; a US advertising or analytics company that tracks EU visitors' browsing falls squarely under the second.
5. Independent Data Protection Officer (DPO):
The GDPR requires a company to designate an independent DPO to oversee its data collection, use, privacy and security policies and practices where its core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive categories of data (or where it is a public authority). Behavioral advertising and web analytics at scale are the kind of monitoring that triggers this duty. The DPO must be able to act as an independent auditor, reporting to top management and free of conflicting duties, so the role should not be held by someone who also decides how data is processed, such as the head of IT or security. Failure to appoint a DPO when one is required is itself a violation.
6. Reporting and Consent Requirements:
Under the GDPR, companies are mandated to report personal data breaches to the supervisory authority within 72 hours of becoming aware of them (and to notify affected individuals where the breach is likely to result in a high risk to them), and to obtain verifiable parental consent before processing the data of children under 16 for online services (member states may lower this age to no less than 13).
Finally, and of particular concern to those who violate the GDPR, the Regulation provides for administrative fines of up to €20 million or 4% of a company's total worldwide annual turnover for the preceding financial year, whichever is higher, for violations of its core provisions; no small cost.
Additionally, as with the current EU Directive, transfers of EU personal data to countries that the European Commission has not deemed “adequate” are impermissible unless a recognized transfer mechanism is in place. The United States is currently not “adequate”, and consequently any EU personal data transferred to or processed in the US would violate the GDPR unless the transfer is covered by such a mechanism, for example the EU-US Privacy Shield, standard contractual clauses, or binding corporate rules. Also, like the current Directive, companies will need to follow the GDPR’s core principles: notice (transparency), a lawful basis for processing (where consent is relied upon, it must be an unambiguous, affirmative opt-in), accountability for onward transfer (i.e. restrictions on transnational data flows), security, data integrity and purpose limitation, access and other data subject rights, recourse, enforcement and liability.