Overview of the New Data Privacy Regulations in the European Union
April 3, 2018
On May 25, 2018, the European Union’s (EU) new data protection rules—the General Data Production Regulation (GDPR)—will take effect.1 The GDPR replaces the 1995 Data Protection Directive2 and is designed to harmonize data privacy across Europe. Specifically, the GDPR provides EU internet users with new powers over when and how their “personal data” is collected and processed. Organizations in non-compliance risk significant fines of up to 4 percent of global revenue or €20,000,000, whichever is higher.3 While the GDPR is an EU regulation, in certain cases, the regulations can apply extraterritorially.4 Thus companies that sit outside the borders of the EU cannot afford to ignore these regulations.
I. What is protected?
The GDPR is aimed at protecting “personal data” of EU internet users. The regulations afford protection to persons regardless of citizenship so long as those individuals are within the EU.5 “Personal data” is any information that can be used to identify a natural person (“data subject”).6 This information includes names, identification numbers, location data, online identifiers or one or more factors specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity.7 To constitute “personal data” under the GDPR, the data alone need not identify the subject.8 It is enough if the personal data, in conjunction with other information, identify an individual.9
While the definition of personal data under the GDPR is largely unchanged from the 1995 Data Protection Directive, the GDPR has added, among other things, “location data” as a type of “personal data”.10 This addition is significant for online entities or businesses, such as advertisers or media companies, that employ cookies. Under the GDPR, cookies are personal data when they can identify an individual via an electronic device.11
II. Who is subject to the GDPR?
The GDPR applies to organizations within the EU that fall into the categories of “controller” or “processor”.12 A “controller” is a person, business or organization that determines the purpose and means for processing personal data.13 A “processor”, on the other hand, is a person, business or organization that processes the personal data on behalf of the “controller”.14 Notably, it does not matter if some or all of the personal data is processed outside of the EU. As long the processing of the personal data is in the context of activities of the “controller” or “processor”, those entities are subject to the GDPR.15
A company can be both a processor and a controller. For instance, Controller A may pay Company B to conduct data analytics on behalf of Controller A. In this situation, Company B is a processor. But if Controller A also stores or processes the data in any manner, it is both a processor and a controller. Under the GDPR, the distinction between controller and processor is important for compliance because, as a rule, the GDPR treats the controller as primarily responsible for obtaining and managing consent.16 Processors have compliance obligations as well, including obligations related to security and processing.17
Unlike the 1995 Data Protection Directive, there are two situations where the GDPR applies to companies with no physical presence in the EU. The GDPR applies where a company “offer[s] goods or services” to a person located in the EU.18 In this situation, the GDPR applies even if there is no financial transaction or payment.19 Having an internet website that is accessible to EU residents, however, is not enough for the regulations to attach.20 Rather, factors such as offering a service in the language or currencies of the EU member state may trigger application of the GDPR.21
In addition, GDPR applies extraterritorially where a company monitors the behavior of data subjects in the EU “as far as their behavior takes place within the Union.” 22 Tracking the internet activity of an EU data subject in order to make decisions regarding predicting preferences or behavior of the data subject likely falls within the GDPR.23 This would include circumstances, for example, where a non-EU company tracks an EU data subject’s internet activity in order to present targeted advertisements to the EU data subject.
III. What rights to data subjects have under the GDPR?
The GDPR requirements are extensive and complex. A few of the key requirements are discussed below.
1) Right to object to targeting marketing
Data subjects have the right to object to processing for marketing purposes.24 This is an absolute right, and once the data subject objects, the data cannot be used or processed for direct marketing purposes.25 The right to object to direct marketing must be explicitly brought to the attention of the data subject in a clear manner that is separate from other information.26
2) Right of access by the data subject
Data subjects have the right to access information regarding their personal data collected by a controller.27
This information includes28 :Examples of an affirmative act include “ticking a box when visiting an internet website”.28:
- the type of data being processed;
- the purpose of the data processing;
- to whom the data has been or will be disclosed;
- when known, the length of time the personal data will be processed or stored;
- the logic involved in any automatic processing of personal data; and
- known sources of the personal data when a data subject is not the source of the personal data.
When the personal data is transferred to another country or an international organization, the data subject has the right to be informed of the required safeguards relating to the transfer.29 The controller is also required to provide a copy of the personal data undergoing processing.30
3) Right to erasure (‘right to be forgotten’)
In certain circumstances, a data subject has the right to have personal data erased by a controller.31 For instance, if the personal data is no longer necessary for the purposes for which it was collected, the individual has the right to have it erased.32 If the personal data has been unlawfully processed, an individual has the right to have it erased.33 If the data subject withdraws consent, and there is no legal ground for processing the data, the data must be erased.34
4) Right to breach notification
Under the GDPR, breach notification is required in certain circumstances. In particular, controllers are required to communicate personal data breaches to data subjects where the breach is likely to “result in a risk for the rights and freedoms of individuals”.35 Notification should describe the nature of the breach as well as recommendations for the data subject to mitigate the breach.36
Notification of a data breach to data subjects should be made “without undue delay.”37 While “undue delay” is not defined in the GDPR, factors such as the nature of the breach and the potential adverse effects on the data subject should be considered when determining how quickly to notify the data subject.38 Notification procedures “should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.”39 In addition to notification requirements to “data subjects”, notification of a personal data breach must be made to the member state’s “supervisory authority” within 72 hours of a breach.40
Notification of a data breach is not required where the controller has implemented protection measures, such as encryption, that render the data unintelligible.41 In addition, notification is not required if it involves disproportionate effort.42 In this case, a public communication of the data breach may be effective.43
IV. What are the consequences of failure to comply with the GDPR?
The upper limits of potential administrative fines for failure to comply with the GDPR are significant. Processors and controllers can be fined up to €20,000,000 (~$25 million in USD) or up to four percent of the company’s annual “global turnover” (total revenue) for the preceding year, whichever is greater.44 For global companies such as Apple and Google, four percent of global revenue is a substantial amount of money. However, it is important to note that administrative fines depend “on the circumstances of each individual case”.45 According to the GDPR, the imposition and amount of a fine shall depend on consideration of a variety of factors including: 46
- the nature, gravity and duration of the violation taking into account the number of data subjects affected and the level of damage suffered by them
- the intentional or negligent character of the violation;
- the actions taken by the controller or processor to mitigate harm;
- the degree of responsibility of the controller or processor;
- previous violations by the controller or processor; and
- the categories of personal data affected by the violation.
Any fines or corrective actions are assessed or imposed by a “supervisory authority”.47 A “supervisory authority” is an independent public authority established by each member state.48 Each member state can have more than one “supervisory authority”.49 A supervisory authority has the power to issue warnings, reprimands and compliance orders in lieu of or in addition to the imposition of a fine.50
Finally, the GDPR is a baseline for data protection in the EU, and EU member states may introduce further conditions for data processing.51 Global companies and organizations thus need to be aware of country-specific regulations that may go above and beyond the requirements of the GDPR to avoid any country-specific violations.
The GDPR is a complex set of requirements aimed at protecting the personal data of EU internet users. Given the risk of non-compliance, companies and organizations cannot afford to ignore the GDPR. Fines for non-compliance, however, are not automatic, and by the terms of the regulations themselves, a company’s good faith effort to comply with the GDPR will be considered in the event of any violation.
1 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 (hereinafter “GDPR”).
2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) 31. (hereinafter “1995 Data Protection Directive”)
3 GDPR at Art. 83(5).
4 Id. at Art. 3(2).
5 Id. at Art. 3.
6 Id. at Art. 4(1).
8 Id. at Recital 26
10 Id. at Art. 4(1).
11 Id. at Recital 30.
12 Id. at Art. 3(1).
13 Id. at Art. 4(7).
14 Id. at Art. 4(8).
15 Id. at Art. 4(1).
16 Id. at Art. 5(2), Art. 7(1).
17 Id. at Art. 28, Art. 32, Art. 33(2).
18 Id. at Art. 3(2)(a).
20 Id. at Recital 23. The use of a language also used in the controller’s state is not sufficient to establish intent to offer goods and services. Id.
22 Id. at Art. 3(2)(b).
23 Id. at Recital 24.
24 Id. at Art. 21(2).
25 Id. at Art. 21(3)
26 Id. at Recital 70.
27 Id. at Recital 63.
28 Id. at Art. 15(1).
29 Id. at Art. 15(2), Art. 46.
30 Id. at Art. 15(3).
31 Id. at Art. 17(1).
32 Id. at Art. 17(1)(a).
33 Id. at Art. 17(1)(d).
34 Id. at Art. 17(1)(b).
35 Id. at Art. 34(1).
36 Id. at Recital 86.
37 Id. at Art. 34(1).
38 Id. at Recital 87.
39 Id. at Recital 88.
40 Id. at Art. 33(1).
41 Id. at Art. 34(3)(a).
42 Id. at Art. 34(3)(c).
44 See, e.g., id. at Art. 83(5).
45 Id. at Art. 83(2).
46 Id. at Art. 83(2).
47 Id. at Art. 58.
48 Id. at Art. 4(21).
49 Id. at Art. 51.
50 Id. at Art. 58(2).
51 See, e.g., id. at Art. 6(2), Art. (8), Art.9(4).
The articles on our website include some of the publications and papers authored by our attorneys, both before and after they joined our firm. The content of these articles should not be taken as legal advice. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the views or official position of Robins Kaplan LLP.
If you are interested in having us represent you, you should call us so we can determine whether the matter is one for which we are willing or able to accept professional responsibility. We will not make this determination by e-mail communication. The telephone numbers and addresses for our offices are listed on this page. We reserve the right to decline any representation. We may be required to decline representation if it would create a conflict of interest with our other clients.
By accepting these terms, you are confirming that you have read and understood this important notice.