The General Data Protection Regulation (GDPR) is the European Union’s new data protection law. It came into force on May 25, 2018, replacing the Data Protection Directive passed in 1995. The Directive had resulted in a patchwork of national laws and compliance challenges. The purpose of the GDPR was to provide a single uniform law governing the protection of personal data across the EU.
The GDPR was also intended to clarify, strengthen, and modernize data protection, particularly given the profound changes since 1995 in the use of personal information on the Internet. The GDPR permits fines of up to 4% of annual revenue and expands its application outside the EU, which is why it is receiving so much attention here in the U.S.
The GDPR applies to your company if:
You are “established” in the EU. There is no precise definition of being “established” in the EU. Recital 22 of the GDPR explains that establishment “implies the effective and real exercise of activity through stable arrangements” in the EU. So it could be, for example, maintaining offices there or something less.
You offer goods or services (whether free or paid) to or you monitor the behavior of EU residents. Mere ability of someone in the EU to access your website does not count as offering goods and services to EU residents. However, if you have an e-commerce site that has currency conversion to euros or has offerings tailored to the European market, then you are likely subject to the law. If you do not intentionally target the EU market, but you have a significant percentage of EU customers, you may have a hard time claiming you are not covered by the law. Monitoring of EU residents would include things like tracking an EU person’s activity across the Internet through behavioral advertising.
The other way you may face compliance obligations is if you are acting as a processor for a controller (e.g. a customer) that is subject to the GDPR. For example, if you have a customer with an EU division and you process EU personal data for them, then you’re subject as a processor under the GDPR and will have contractual exposure for compliance pursuant to the agreements you must have with the customer under the GDPR.
The GDPR attempts to ensure that when personal information leaves the EU, it is covered by substantially the same protections it enjoys in the EU. A few countries (not the US) have been deemed to have sufficient protections such that transfers to those countries are automatically acceptable.
Privacy Shield is an agreement between the EU and US to allow these data transfers out of the EU to the US. While there are other mechanisms under the GDPR to make this export of personal data compliant, if you are collecting personal information directly from individuals in the EU in a B2C context, then certifying to Privacy Shield is generally the only practical way to handle that export.
Keep in mind, Privacy Shield does not equal compliance with the GDPR. It only addresses the issue of the transfer out of the EU. Also, keep in mind that a small US business may be outside the practical enforcement reach of the EU. However, if you certify to Privacy Shield, you are expressly agreeing to be subject to enforcement in the US by the FTC (or DOT). Certain organizations like non-profits are not governed by the FTC or DOT and therefore cannot use Privacy Shield.
Finally, be aware that Privacy Shield has been under attack by EU privacy activists almost since its enactment so it’s possible it may not last forever, at least in its current form.
The GDPR divides the world up into “controllers” and “processors.” Controllers are those choosing the purposes and means of the processing. Processors simply process data on behalf of a controller. Both controllers and processors have direct compliance obligations under the GDPR.
For example, if App Co. operates a consumer mobile app, App Co. is the controller. If App Co. hosts its app on Amazon Web Services, then AWS (since it has access to the data on its servers) is a processor of App Co. AWS may, in turn, have its own processors (referred to as subprocessors) and so on.
Companies are obligated to have agreements with their processors that flow down certain compliance obligations (see Article 28). They are often referred to as Data Processing Agreements (DPAs). If you’ve received a DPA for signature, it means someone with whom you do business believes you and they are sharing personal information in a way that a DPA is required.
If you sign a DPA as a processor, you’re generally agreeing to various GDPR compliance obligations for which you’d have contractual liability for breach of the DPA. If you refuse to sign one, you are likely signaling to the other party that you can’t or won’t comply with the GDPR and, assuming you are in fact sharing personal data subject to the GDPR with the other party, you’d be violating Article 28 requiring a DPA.
Many companies updated their privacy policies to comply with the GDPR resulting in a flurry of emails notifying people of those updates. However, some emails asked for your consent to receive further marketing emails. Email marketing is governed not just by the GDPR insofar as it uses personal information, but also by the so-called ePrivacy Directive, which has been in effect for years, governs communications (e.g. phone, email, texts) and is responsible for those cookie banners seen mostly in the EU. This area can be very complex, but companies are likely seeking these consent for one of two reasons.
First, the GDPR has heightened the standard of what constitutes valid consent. To the extent a company relied on a true opt-in consent pre-GDPR to send email marketing to someone, they would have to refresh that consent to GDPR standards. However, much email marketing is based on a so-called “soft opt-in” where a customer is given the ability to opt out of email marketing at the time of purchase, which handles ePrivacy compliance, and the company can rely on “legitimate interests” rather than consent for GDPR compliance. See these great articles here and here by Phil Lee of Fieldfisher for further information. Note that B2B email marketing has fewer requirements under ePrivacy and generally just an opt-out is sufficient.
However, others may be asking for your consent because they are uncertain as to how they collected your personal information in the first place and their legal grounds for doing so, so they are trying to remediate their list by asking for your consent. This is dangerous ground and people are more inclined to file a complaint in response to what they feel is improper marketing to them. If you have such an email list, seeking fresh consents won’t remediate the list. It will just be another non-compliant marketing email and companies have been fined for trying to remediate their lists by seeking opt-ins. Regardless, if the recipient doesn’t respond, you must treat their silence as opting out of your marketing emails and you should not send “do you really mean it?” follow up emails.
At a very high level, a compliance program might look like the following:
First, it’s better to be e.g. 40% compliant than 0% compliant. The EU has a history of going easier on those who are making a good faith effort to comply in light of their size and resources.
Think of your practical risk. If you are processing basic EU names and emails on a relatively minor scale for your own purposes, are not doing anything egregious with the data, are not Privacy Shield certified, and have no assets or operations in the EU that could be targeted, then EU authorities would probably not prioritize you for enforcement and likely wouldn’t be able to reach you as a practical matter, although you may suffer reputational harm for violations.
If you’re acting as a processor, particularly for a larger company, you have the exposure of losing their business because you are non-compliant. Or, if you simply sign their DPA (or have e.g. privacy compliance obligations in your underlying contract with them), but are not compliant or breach it, you’ll have contractual exposure to the company.
To the extent you do have practical exposure, there are a variety of enforcement mechanisms under EU law from investigations to rights to compensatory damages of individuals to fines of up to the greater of 20M euros and 4% of global annual revenue. Needless to say, focus your compliance resources where you determine you have the greatest exposure.