General Data Protection Regulation (GDPR)

Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech ecosystem, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

The European General Data Protection Regulation (GDPR) comes into force on May 25, 2018. This gives companies only two months to prepare for and comply with the GDPR. Companies should be conducting data mapping to identify all cross-border transfers of personal data so that they can determine the best way to comply with the GDPR requirements.

The GDPR has been, perhaps, the most widely talked-about privacy regulation of the past year and a half. Approved by the EU Parliament on April 14, 2016, it will bring sweeping changes to how the global digital economy processes personal data. GDPR will apply to all EU-based companies, irrespective of whether personal data is processed inside or outside of the EU. The GDPR will also apply to companies outside the EU that offer goods or services to individuals in the EU and/or that monitor or track the online behavior or activities of individuals in the EU.

Any transfer of personal data to a third country can take place only if certain conditions are met by the data exporter and the data importer. If a company is transferring EU personal data outside of the EU, that company must identify a valid transfer mechanism to legally transfer that personal data. The most widely used transfer mechanisms are: (1) transfers within the EU and adequacy rulings; (2) appropriate safeguards; and (3) derogations.

Transfers Within the EU and Adequacy Rulings

Under GDPR, personal data can be moved between EU member states (and Norway, Liechtenstein, and Iceland) without restriction.

Cross-border transfers may also take place without a need to obtain further authorization if the European Commission determines that the third country’s body of national law ensures an adequate level of protection for personal data. The European Commission considers several factors when determining if the country has an adequate level of protection, including the specific processing activities, access to justice, international human rights norms, the general and sectoral law of the country, legislation concerning public security, defense and national security, public order and criminal law.

Appropriate Safeguards

In the absence of an adequacy determination, cross-border personal data transfers are permitted if the controller and processor use EU-approved safeguards. The most widely used transfer mechanisms are binding corporate rules, model contractual clauses, and certification mechanisms (e.g. Privacy Shield).

Binding corporate rules (BCRs) are internal codes of conduct adopted by multinational companies to allow transfers between different branches of the organization. BCRs are a favored mechanism because of their flexibility, ability for tailored customization, and a lower administrative burden once implemented.

Model contractual clauses are legal terms contained in a template data processing agreement drafted and ratified by the EU. Model contractual clauses can be burdensome because companies are required to enter new model contractual clauses to cover each new third party and each new purpose for processing or transfer.

Because the European Commission does not recognize the U.S. as an adequate third country, U.S. companies can comply by certifying under the EU-U.S. Privacy Shield that they meet the high data protection standards set out in the Privacy Shield. The Privacy Shield remains subject to the same criticism that ultimately resulted in the downfall of its predecessor (Safe Harbor), that it does not fully protect the fundamental rights of individuals provided under EU privacy laws.

Derogations

In the absence of either an adequacy decision or the implementation of an appropriate safeguard, a cross-border transfer can still take place in limited circumstances, where an exception applies. These circumstances include situations where the individual explicitly consents after having been informed of the risks of data transfer in the absence of an adequacy decision and appropriate safeguards, the transfer is necessary for the performance of a contract between the parties, or if the transfer is necessary for important reasons of public interest. The permitted derogations are fact-specific and are generally not intended to be relied upon as a company’s primary transfer mechanism.

Guidance for GDPR Compliance

Transferring personal data out of the EU without a valid transfer mechanism can result in significant fines and increased regulatory oversight. Beginning on May 26, 2018, compliance with the GDPR will be essential for companies engaging in cross-border transfers of personal data.

To comply with the GDPR, companies should first identify and map all cross-border data flows. Companies should then examine and assess for each of these flows whether the receiving country is in the EU (and Norway, Liechtenstein and Iceland) or is otherwise deemed adequate. If not, the company should consider whether any appropriate safeguards have been put in place, and/or whether any specific derogations apply.
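As an added example (not from the article or the firm), the following Python script applies the assessment order just described to a constructed data map: EU/EEA transfer first, then adequacy, then an appropriate safeguard, then a derogation as a last resort. The country sets, safeguard names and flow records are illustrative placeholders, not a legal reference.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed country sets for illustration only, not a legal reference:
# a few EU members, the three EEA non-EU states named in the article, and the
# adequacy examples it mentions (Switzerland, Canada, Israel).
EU_MEMBERS = {"DE", "FR", "IE", "NL"}
EEA_NON_EU = {"NO", "LI", "IS"}
ADEQUATE = {"CH", "CA", "IL"}
SAFEGUARDS = {"bcr", "scc", "privacy_shield"}
DEROGATIONS = {"explicit_consent", "contract_performance", "public_interest"}


@dataclass
class Flow:
    """One row of a data map: which system sends which data where."""
    system: str
    data_category: str
    source: str                       # ISO 3166 code of the exporting entity
    destination: str                  # ISO 3166 code of the importing entity
    safeguard: Optional[str] = None   # e.g. "bcr", "scc", "privacy_shield"
    derogation: Optional[str] = None  # e.g. "explicit_consent"


@dataclass
class Assessment:
    flow: Flow
    mechanism: str  # "eea" | "adequacy" | "safeguard:<x>" | "derogation:<x>" | "none" | "not_assessed"
    action: str


def in_eea(country: str) -> bool:
    return country in EU_MEMBERS or country in EEA_NON_EU


def assess(flow: Flow) -> Assessment:
    """Apply the article's decision order to a single flow."""
    src, dst = flow.source.upper(), flow.destination.upper()
    if not in_eea(src):
        return Assessment(flow, "not_assessed", "exporter is outside the EU/EEA; outside this check's scope")
    # Step 1: movement inside the EU/EEA is unrestricted.
    if in_eea(dst):
        return Assessment(flow, "eea", "no restriction")
    # Step 2: Commission adequacy decision for the destination country.
    if dst in ADEQUATE:
        return Assessment(flow, "adequacy", "no further authorization needed")
    # Step 3: appropriate safeguard (BCRs, model clauses, certification).
    sg = (flow.safeguard or "").lower()
    if sg in SAFEGUARDS:
        if sg == "privacy_shield" and dst != "US":
            return Assessment(flow, "none", "Privacy Shield covers EU-U.S. transfers only; pick another safeguard")
        return Assessment(flow, f"safeguard:{sg}", "keep the safeguard documentation current")
    # Step 4: derogation, acceptable only as a fact-specific fallback.
    dg = (flow.derogation or "").lower()
    if dg in DEROGATIONS:
        return Assessment(flow, f"derogation:{dg}", "fact-specific; plan a proper safeguard rather than relying on this")
    return Assessment(flow, "none", "no valid transfer mechanism; remediate or suspend the flow")


def assess_all(flows: List[Flow]) -> List[Assessment]:
    return [assess(f) for f in flows]


# Constructed sample data map (not real systems or flows).
SAMPLE_DATA_MAP = [
    Flow("crm", "customer contact", "DE", "NO"),
    Flow("hr", "payroll", "FR", "CH"),
    Flow("analytics", "clickstream", "IE", "US", safeguard="privacy_shield"),
    Flow("support", "tickets", "NL", "IN", derogation="explicit_consent"),
    Flow("backup", "database dumps", "DE", "US"),
]

if __name__ == "__main__":
    for a in assess_all(SAMPLE_DATA_MAP):
        print(f"{a.flow.system:10} {a.flow.source}->{a.flow.destination}  {a.mechanism:30} {a.action}")
```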

With the European Union’s new General Data Protection Regulation (or GDPR) taking effect in less than 100 days, the interest of many U.S. companies has been piqued as to how the GDPR may affect their overseas and internet-based businesses. This article on CFO.com, “Why GDPR Matters,” which I co-authored with Bill Shipp from Vaxient, LLC and Jonathan Marks, CPA from Marcum, LLP, tackles this hot issue and answers why GDPR should matter to U.S. companies in a wide variety of industries.

To assist U.S.-based companies in determining how GDPR may affect their business, Fox Rothschild has also developed a GDPR mobile app called “GDPR Check” (details and download information here). The app is designed to help companies determine which areas of their business (if any) may require GDPR compliance.

If you have any questions about how GDPR may affect your company, we encourage you to consult a knowledgeable attorney and experienced professionals.

The clock is ticking toward the May 2018 implementation of the EU’s General Data Protection Regulation (GDPR) and, according to PwC’s recently released Pulse Survey, U.S. companies are now investing significantly in compliance measures. Per the survey, 92% of respondents consider GDPR a “top priority” for 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million.

“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation,” said Jay Cline, PwC’s U.S. Privacy Leader. “The new law will usher in cascading privacy demands that will require a renewed focus on data privacy for U.S. companies that offer goods and services to EU citizens.”

In December, prominent GDPR analyst Chiara Rustici advised businesses “to ring fence 4 percent of 2016 global turnover and earmark it as budget for 2017 compliance.” (Because of its proximity to the release of the EU Article 29 Working Party’s own GDPR guidance, which clarified certain key enforcement issues for member states, Rustici’s budget advice was unable to fully account for the new information.)

“American multinationals that have not taken significant steps to prepare for GDPR are already behind their peers,” Cline also said. This statement echoes Rustici’s advice in 2016, in which she stated that “there are no excuses for not having a GDPR budget in place before the end of 2016.” Though more than a year remains for companies to achieve compliance, and further guidance is expected from EU data protection regulators, PwC cautioned that companies should not wait to make it a priority.

For organizations wondering where to start, here are perhaps the most important steps they should take.

Need for Data Portability and Data Mapping

In its December guidance, the Article 29 Working Party addressed a major issue that companies will need to develop infrastructure and processes to address. Namely, it discussed data portability – the ability for an EU citizen to access their personal data and easily transfer it to a different service provider. Closely tied into this concept are two central rights within GDPR: the Access Principle, whereby a user can discover what personal data of theirs a company holds, and the “right to be forgotten,” whereby a user can request the deletion of that data. To turn these concepts into reality, Article 30 of GDPR practically obligates companies to create comprehensive data maps to easily discern what data the company possesses, where it is stored, how it flows, with whom it is shared, and how it is used.

The guidance also indicated the need for companies to develop systems, technological or otherwise, to respond to individual requests under the data portability provision. According to the Working Party, “one of the ways in which a data controller can answer requests for data portability is by offering an appropriately secured and documented Application Programming Interface (API). This would enable individuals to make requests for their personal data via their own or third-party software or grant permission for others to so do on their behalf.” Regardless of process, fulfilling the data portability and data mapping requirements represents no small IT investment for affected companies.

Budgeting

GDPR applies to companies as a whole, and for budgeting purposes, leaders should also take the regulation into account across the full enterprise, as opposed to merely in the legal, compliance and IT areas. “[T]he budget is there to ensure that any interaction of EU-based individuals with a brand’s real and digital estate follows the EU data protection principles,” noted Rustici, and “that will mean product design, user experience, distribution and after sales support, HR, marketing, legal, risk and compliance, storage and security should all own a share of the corporate GDPR budget.”

A good GDPR budget may allocate money to some or all of the following line items:

  • data inventory and mapping
  • privacy and state-of-the-art safety by design
  • solutions to enable data portability and the right to be forgotten
  • internal GDPR training
  • stress-testing GDPR resilience, information security, and audit
  • enterprise-wide coordination and compliance
  • vendor management
  • hiring of a GDPR architect, CISO, and/or DPO

Hire a Data Protection Officer

Relevant to the last line item above, GDPR requires companies that process personal data “as a core activity” and/or monitor data subjects “on a large scale” to hire a Data Protection Officer (DPO). This role acts to independently oversee corporate compliance. In its 2016 Guidance, however, the Article 29 Working Party went so far as to recommend voluntary designation of a DPO when GDPR does not specifically require it.

The guidance also indicated that the terms “large scale” and “core activity” as they pertain to the DPO requirement will also be broadly interpreted. Regulators will consider a number of factors including the volume of data, its geographic breadth, and its importance to a company’s operations. The Article 29 Working Party clarified this point by way of example: “the core activity of a hospital is to provide health care. However, a hospital could not provide health care safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs.” Following this example, organizations operating in highly regulated industries, such as healthcare, financial services, insurance and consumer businesses, should anticipate the need to hire a DPO.

A GDPR architect – a CTO, CISO, CIO, data privacy lawyer, compliance officer, or all of the above – may also be required, however. As Rustici warned, “Think of a DPO as a ship’s captain and of a GDPR architect as the naval engineer. [T]o set sail to the seas you rely on a good captain, who can chart a course and avoid thirty-foot waves; but to build or make a ship sea-worthy, and ensure that it can withstand even thirty-foot waves, you first rely on a good naval engineer.”

Other Initiatives

Ensuring data portability and enabling data mapping, budgeting across the organization for GDPR, and designating the DPO and other important roles are only three of the most prominent steps U.S. multinationals are taking in the new year. Other top priorities could include reviewing and revamping privacy policies, examining procedures to ensure consent for collecting/processing personal data, and improving vendor management programs. Many organizations are also considering data localization, including moving data centers to Europe, while others are assessing the viability of transitioning operations out of Europe altogether.


In the wake of yesterday’s referendum decision in the UK to leave the European Union, markets are tumbling and predictions on its impact are far from scarce. Despite the turmoil, privacy officers should follow the old British refrain: Keep Calm and Carry On.

That’s because no matter the uncertainty or negotiations or eventual regulatory environment, it will likely take years for the UK to untangle itself from its more than 40 years of membership in the European Union. Even given that fact, the UK may well remain within the European Economic Area. For U.S. companies with transatlantic operations concerned about eventual GDPR compliance, the best course is to continue a measured but deliberate approach.

The Immediate Impact

In terms of U.S.-UK data transfer standards or compliance requirements, there is little to no immediate impact. Though the European Court of Justice’s decision in the Schrems case last fall shifted focus to the EU Data Protection Directive and the invalidated Safe Harbor framework, the true source of law for U.S.-UK data transfers is the UK Data Protection Act of 1998. The DPA incorporates and even expands upon the Directive’s principles. Furthermore, the Brexit vote is not Brexit itself. Until the UK actually negotiates its exit from the EU, it remains a member and subject to its regulations.

The EEA Option and GDPR

The UK may elect to remain within the European Economic Area. Doing so would allow the country to engage in free trade with EU member states, assuming that the UK remains harmonized with EU laws. A decision to remain in the EEA would mean that GDPR will eventually take effect in the UK as originally planned.

The Fully Independent UK Option

If the UK exits both the EU and EEA and does not take action on data protection, it would likely become a “third country” as far as EU data protection laws are concerned, assuming the same status as the U.S. If that occurs, EU-to-UK data transfer could be subject to restrictions and an adequacy determination, à la Switzerland, Canada, and Israel. Such restrictions seem unlikely, however, since the DPA currently stands as one of the more comprehensive and strict data protection regulations in Europe. The UK has also already begun working towards eventual adoption of the GDPR.

Much like the “Brexit-lite” option of remaining in the EEA, FieldFisher, a leading European privacy firm, has speculated that the UK may consider adopting a law that amounts to “GDPR-lite”, though such a decision may have pitfalls.

For now, the best course for U.S. companies is to “Keep Calm” and take a wait-and-see approach to Brexit, while continuing to work towards general GDPR compliance.

Luxembourg politician Viviane Reding proposed three years ago to overhaul the EU Data Protection Directive. Now, European Union officials have settled on an agreement to replace the Directive with new privacy legislation called the General Data Protection Regulation (GDPR). It is not EU law just yet, but the EU Parliament is expected to fully approve it during its next meeting. Upon approval, the GDPR will become law in 2018 across all 28 EU Member States and replace the widely inconsistent laws previously implemented to comply with minimum data protection requirements set out in the directive.

First enacted in 1995, the Directive needed to be updated due to a routine change in the technology sector. It is anticipated the EU government will synchronize privacy laws across the Euro zone through GDPR. Heavy fines are expected for any company’s failure to implement these new requirements.

In its current form, the GDPR contains provisions expected to change how data is collected, stored and transmitted in and out of the EU. This includes the following:

  • Instituting more rigorous requirements for accessing and obtaining consent for collecting an individual’s information.
  • Raising the consent age for collecting information to 16 years old (from 13).
  • Mandating that companies must delete an individual’s data if they are no longer using the data for the original purpose for which it was collected.
  • Requiring all companies to notify the EU of data breaches within 72 hours.
  • Implementing one national office to monitor and manage complaints brought under GDPR.
  • Instituting fines of up to four percent of a company’s global revenue for non-compliance.

The GDPR’s most critical change is that jurisdiction is not a physical or geographical barrier; the jurisdiction will be digitally measured, which means that companies outside the EU could be affected by new regulations by virtue of collecting data that belongs to an EU citizen. As previously mentioned, fines for non-compliance are four percent of a company’s global revenue, and the financial impact to Fortune 500 companies could be in the billions. It remains to be seen how strictly the EU government will enforce these restrictions. Still, companies should begin planning and implementing new business practices into their workflows and expect the EU to be aggressive in its enforcement when the 2018 deadline hits.

The GDPR will also recognize standard contractual clauses and binding corporate rules as authorized frameworks for transferring citizen data out of the EU. The Safe Harbor was invalidated in 2015 in the wake of Edward Snowden’s disclosure of the United States’ comprehensive surveillance programs. As such, the recognition of standard contractual clauses and binding corporate rules should, in theory, provide relief to business owners who rely on self-certifying their company’s compliance with Safe Harbor principles. Negotiations between the United States and the European Union are underway to establish “Safe Harbor 2.0.” Both parties are pushing to finalize the framework by the end of January 2016. This would provide another avenue for data transfer to about 4,000 companies that relied on the first Safe Harbor to collect and transfer data.

Following the CJEU’s invalidation of the Safe Harbor Agreement, U.S. companies certified as Safe Harbor compliant have found themselves in murky regulatory waters. We provide insights and suggestions to establishing next steps.

Safe Harbor is Invalid. What Does That Mean?

Safe Harbor provisions provided U.S. companies a path to comply with EU data transfer regulations. Thousands of businesses that rely on EU-U.S. data exchanges are suddenly non-compliant, and inter-company agreements and BCRs are now more complicated as long-term solutions. The latter data transfer methods are considered valid, but their long-term efficacy is unclear. DPAs are refraining from examining them because the CJEU decided not to scrutinize those transatlantic data transfers.

To avoid economic and organizational fallout, companies should avoid drastic changes to or suspensions of current EU-U.S. data transfer methods. Abrupt changes to business models could severely disrupt EU and U.S. economies. DPAs will likely hold back from immediately launching tough regulatory policing campaigns due to limited political capital and resources.

Regardless, companies must be ready for inevitable oversight. In most cases, DPAs will pursue issues based on how well they address their specific privacy agendas.

That is not to say that there will be no new enforcement. Companies should expect increased scrutiny. DPAs will simply have to prioritize the issues and organizations that are most relevant to their particular privacy expectations. Which leads us to our next point…

Plan, Document and Strategize

While European organizations sort out the CJEU decision, U.S. companies have time to review and change compliance plans.

Begin by auditing current policies for compliance with the seven core Safe Harbor Principles and the Directive. Following policy review, it’s important to ensure that data flows within business models reflect the commitments in company policy.

Next, strategize and weigh the options for adopting alternative data transfer methods. BCRs and contractual agreements provide possible alternatives, but there are no one-plan-fits-all solutions. Even though these alternatives may be deemed invalid in the long-term, they will buffer your company from short-term DPA scrutiny. Additionally, having a record of good faith compliance efforts can only benefit the company.

Track Updates

Be sure to follow developments and updates about data-transfer compliance, as many key questions remain unanswered. For example, DPAs may enforce the CJEU opinion as it is, or diverge in its interpretation. And DPAs have yet to indicate how strictly they will police data protection laws. However, DPAs have significantly more authority following the CJEU decision, and U.S. companies must brace for increased regulatory oversight. When the General Data Protection Regulation takes effect in May 2018, with penalties of 100 million Euros or 4% of global turnover (whichever is higher), DPAs will have immense influence over investigations and company sanctions.