The European Union’s new data protection law is the reason behind recent privacy updates from several tech platforms. Major multinational companies are reviewing their privacy terms to adhere to the General Data Protection Regulation (GDPR) that goes into effect later this month. Although the rights granted by the law do not extend to people living outside the EU, some companies prefer using a single global standard because of the logistical challenges of maintaining multiple standards. However, the broad territorial scope of the law may require all US non-governmental entities to review their web presence to determine if they are subject to GDPR.
What is GDPR?
The growing need to address the challenge of digital data, including cross-border information flows, prompted the EU to review its previous data protection directive and harmonize laws across its member-states. The key changes include an extended jurisdiction that covers non-EU entities, requirements for simple language for informed consent, and severe penalties in the event of a violation. The jurisdictional scope of the law is its most demanding aspect as entities with mere web-presence in the EU may have to abide by GDPR requirements if they collect or process personal data on EU residents. For example, a small business in the U.S. selling clothes online to a person in France is obligated to process credit card data per GDPR guidelines.
Personal data, as defined by the EU, is similar to Personal Identifiable Information (PII) in the US. It includes any data that can be used directly or indirectly to identify an individual (e.g. a web cookie or medical record). Data are exempted only if they are not traceable to an individual.
Rights of Individuals
To ensure individual privacy, the law gives people more control over their personal data. Specifically, individuals have the right to:
- access, amend and erase their personal data
- restrict dissemination or processing of information by third parties
- request their personal data in machine readable format to transmit to another company/organization
- object to processing of information for profiling or direct marketing purposes including for research unless it is in the public interest
- request companies not to rely solely on automated algorithms for decision-making.
Complying with these individual rights requires data handling entities to ensure that their technological systems meet certain requirements.
Requirements for businesses/organizations
The law dictates specific measures for the entities that process or collect personal data. Foremost, it is mandatory to obtain an individual’s consent before processing his or her personal data; a clear ”opt-in” is required instead of the current “opt-out” strategy. The form for seeking consent should be in plain language indicating the purpose of collecting data. Given the complexity of requirements, companies are encouraged to implement design features that allow pseudonymization and encryption of data to ensure individual privacy. Any breach of data needs to be reported within 72 hours. Furthermore, they are required to keep records of all processing activities.
At the organizational level, the law is more demanding for businesses that actively engage in large-scale data collection or processing. Some companies need to have a Data Protection Officer and conduct an impact assessment. For example, a security company that monitors a shopping center would need a Data Protection Officer, but a local doctor processing the personal data of patients might not. Similarly, a Data Protection Impact Assessment is required if the processing of data can cause high risk to the rights and freedoms of individuals.
Failure to comply with the rules can be costly: the EU can fine entities up to 20 million euros (or 4% of their global revenue) - depending on the type of violation.
GDPR applies to U.S. Entities
The territorial scope of GDPR brings U.S. companies and organizations under the EU jurisdiction even if they have no physical presence in the EU. Not only large tech companies like Facebook and Google but also hospitality, travel, or e-commerce companies will have to review their data and privacy standards. Even a non-profit or higher education institution collecting personal data from an individual based in the EU falls within the scope of GDPR. In short, if an entity has a web-presence, it may be a good time to check if they collect or monitor any personal data originating in the EU.