Over the last two months, many Americans have seen an influx of privacy notices and updates come through their email inboxes and as click-throughs on numerous websites. Those notices are the result of a new privacy regulation regime from Europe, which has meant big changes for a lot of U.S. companies.
The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) in April 2016 and entered into force the following month. Very simply put, the regulation requires companies to protect the personal data of individuals in the EU (not only EU citizens) and imposes penalties on companies that fail to do so. Although the GDPR was in force from 2016, companies were given a two-year transition period before it applied, and that period ended on May 25, 2018. Despite the two-year lead time, very few U.S. companies were fully compliant by the May 25 deadline, and many large U.S. corporations (notably Facebook) publicly admitted to struggling to achieve compliance in time.
The GDPR enforcement deadline brought significant ramifications. Companies in all sectors have been scrambling to digest the complex regulations and adjust their privacy policies to comply. EU and U.S. authorities, as well as a number of publications, have estimated that half of all U.S. companies impacted by the regulations are not compliant.
Many U.S. websites chose to cut off access to customers in the EU altogether, to avoid potential violations of the regulations. A number of prominent U.S. newspapers, in particular, made this choice, and began blocking access from Europe on May 25, leading to widespread controversy as European citizens complained that regulations designed to protect them had instead deprived them of access to important news sources. On the very first day of enforcement, a non-profit watchdog group in the EU filed complaints against Google, Facebook, Instagram, and WhatsApp for alleged violations of the GDPR, claiming that the companies’ compliance programs did not actually meet the requirements of GDPR.
Here at The Lynch Law Group, our attorneys have seen firsthand how U.S. companies are reacting to the GDPR, as we are counseling clients through their own compliance issues. Many small and midsize businesses are grappling with questions about whether they need to comply with the GDPR at all, how compliance would impact their business, and how to actually achieve it. The GDPR is a complex regulatory scheme and there are no “one size fits all” answers to these questions.
Hopefully, this blog will help companies grasp the basics of the GDPR, allow them to begin asking the right questions to gain an understanding of their compliance obligations, and set a course for complying with this complex regulatory scheme.
How does the GDPR apply to U.S. businesses?
The European Union has imposed restrictions on the use of personal data by companies since 1995. The original EU Data Protection Directive applied to companies that maintained operations in European Union member states. Many U.S. companies, even those that did significant international business, did not fall within the reach of the 1995 Directive. As a result, relatively few U.S. companies worried about complying with the privacy regulations. One of the primary goals of the GDPR was to close this perceived “loophole” and to bring a greater level of extra-territorial impact to the EU privacy regulations.
The GDPR protects the “personal data” of individuals within the EU. The definition of “personal data” in the regulation is extremely broad and covers “any information” relating to an identified or identifiable person, including names, identification numbers, location data, and “online identifiers.” The regulation itself (Recital 30) gives IP addresses and cookie identifiers as examples of online identifiers, and regulatory guidance treats online account numbers and email addresses the same way.
Given this broad definition of personal data, it is virtually impossible to interact with individuals in the EU online in a business context without gathering some form of “personal data.” For instance, if a U.S. company runs a website through which it sells products, and in the process of selling a product for shipment to Europe the purchaser is required to provide an email address, that company has now gathered “personal data” subject to the GDPR.
My company is small; surely, we don’t have to worry about this?
Unlike many U.S. regulations, the GDPR has no general “de minimis” exemption. Some obligations apply only to companies established in the EU or to companies that process personal data at scale (the duty to appoint a data protection officer, for example), but the core requirements apply to every company within the regulation’s reach, regardless of its size or the volume of business it does in the EU. In theory, if even a single customer sends a U.S. company a request to delete their data (the right to erasure in Article 17, one of the rights created by the GDPR), and the company neither honors the request nor responds within the one-month period the regulation allows, it is in violation.
While the immediate focus of the EU is likely to be on large tech companies such as Facebook, Apple, and Google, the GDPR establishes a robust set of processes for EU citizens to file complaints against companies who don’t handle their data appropriately. With no “de minimis” exemption, responding to a complaint with the explanation that, “Our company is small, and we do very little business with the EU. We had no idea we were in violation of any regulations” will not be a successful defense. Indeed, since one of the fundamental purposes of GDPR is to close the “loophole” that has existed since 1995 by which many U.S. companies avoided having to comply with EU data regulations, it is likely that EU regulators will not be kindly disposed to companies who ignore the GDPR and hope that their size will keep them under the radar.
We use a vendor to manage our customer data. I’m sure they are compliant.
One of the key aspects of the GDPR is that it does not let a company delegate its responsibility for personal data to its vendors. The regulation distinguishes a “controller” (the company that decides why and how personal data is processed) from a “processor” (a vendor that processes the data on the controller’s behalf). While the details get technical, the bottom line is that every company that collects “personal data” from individuals in the EU remains responsible for its own compliance. If a U.S. company uses a third-party service provider to manage its data, or the data its website collects, the company can be held liable for GDPR breaches caused by that provider, and both companies can be liable to the affected individuals for the resulting harm. In fact, the GDPR itself requires a controller to use only processors that provide sufficient guarantees of compliance, to bind them by a written contract, and to monitor them; failing to do so is a violation in its own right.
U.S. small and midsize companies should absolutely leverage their vendor relationships to help them achieve compliance with the GDPR. But for the vast majority of companies impacted by the GDPR, relying entirely on data managers to ensure compliance will not be sufficient.
What’s the big deal, anyway?
When the GDPR was enacted in 2016, the prevailing headline was just how draconian the penalties for violations would be. Under the GDPR, a company can be fined up to twenty million euros, or up to 4% of the company’s annual worldwide revenues, whichever is higher (a lower tier of ten million euros or 2% applies to less serious violations, such as record-keeping failures). While fines that high will likely be reserved for massive data breaches by large companies, EU authorities have made it clear that they intend to punish violations of the GDPR harshly, in order to deter future violations and force companies to take compliance seriously. Even if an individual company’s risk of being dragged in front of EU regulators is low, the magnitude of the potential penalties will make that risk intolerable for many companies. It is also worth noting that shortly after the GDPR began to apply, California enacted its own data privacy statute that closely mirrors the core elements of the EU regulation.
The California law, the California Consumer Privacy Act (Assembly Bill 375), does not take effect until January 1, 2020, and, unlike the GDPR, includes a “de minimis” exemption: it reaches only businesses that exceed $25 million in annual revenue, that handle the personal information of 50,000 or more consumers, households or devices, or that derive half or more of their revenue from selling personal information. Nevertheless, it appears that GDPR-style regulations are the future, and more states are expected to consider similar bills in the coming months. Even if a company could arguably fly under the radar of EU regulators, many will still be responsible for compliance with the California law, or could get caught in the growing web of such regulations in the future.
So, what do we do?
As mentioned above, a number of prominent U.S. websites and publications chose to simply block all traffic from the EU on May 25. That is a viable alternative to worrying about compliance with the GDPR. If a company does very little business in the EU and receives very little web traffic from the EU, the most cost-effective option may be to work with the company’s vendors to detect when a customer or website visitor is connecting from the EU and to block those contacts. Two caveats apply. First, blocking is normally based on geolocating the visitor’s IP address, which is approximate: visitors using VPNs or proxies can appear to be outside the EU, and the GDPR’s reach turns on whether the company offers goods or services to, or monitors the behavior of, people in the EU, not on where a connection appears to originate. Blocking is therefore useful mainly as evidence that the company is not targeting the EU market, and it must be paired with closing every other channel through which EU data could still arrive (mailing lists, support requests, analytics). Second, given the recent California law, and the likelihood that other states will join California in the relatively near future, that option may be a stopgap only.
If cutting off all business with the EU is not an option, or not an option your company wants to explore, then complying with the GDPR is the only other responsible choice. While there is no “one size fits all” solution to achieve GDPR compliance, the first step required by the regulation is a thorough and educated inventory of what data the company collects, how it handles, secures, shares and uses that data, and what data is actually essential to the company’s operations (as opposed to data the company likes to have, but could live without). The regulation itself requires most controllers to keep a written record of their processing activities, so this inventory is not optional. Once that kind of risk assessment is done, the company can craft a compliance program that is right-sized for the company, does not interfere with the company’s regular business operations, and does not break the bank.
While the GDPR regulations are complex, the attorneys at The Lynch Law Group have more than 50 years of combined experience dealing with international business compliance issues, have been dealing with EU data privacy laws for the last eight years, and are currently advising many companies with their GDPR obligations. We would be happy to use that experience to help your company navigate these regulations and continue to be successful.
For further information, contact any of the attorneys below via email or by calling The Lynch Law Group at (724) 776-8000. Members of our GDPR Compliance Team are:
- Mike Oliverio, firstname.lastname@example.org
- Frank Botta, email@example.com
- Delia Bouwers Bianchin, firstname.lastname@example.org
- Lauren Mathews, email@example.com