If your business operates in European markets or otherwise handles data relating to individuals in the European Union ("EU"), you are already familiar with Europe's stringent data protection laws. Last week, EU officials reached political agreement on a new General Data Protection Regulation ("GDPR"). Subject to formal approval by the European Parliament and Council in the coming weeks, the GDPR will take effect in 2018, replacing Data Protection Directive 95/46/EC, which has served as the governing framework for data privacy in the EU for the last two decades.
The GDPR will have far-reaching consequences for businesses that handle data relating to individuals in the EU, whether or not those businesses are established there. Important changes include the expansion of individual privacy rights, strict data-breach notification requirements, and significantly enhanced sanctions for non-compliance. In addition, the expanded territorial scope of the GDPR means that more businesses will potentially be subject to penalties for non-compliance with EU law.
What Businesses Should Know
It is no surprise that more regulation will require more compliance. In a recent global survey report published by Ovum, 68% of global respondents expressed their belief that the GDPR would dramatically increase the cost of doing business in the EU, and more than 50% believed that their companies would be fined as a result of the GDPR. There are several ways in which businesses may be forced to adapt in order to comply with the proposed regulations.
1. Expansion of Individual Privacy Rights
The GDPR significantly expands individual privacy rights. For example, the GDPR raises the bar for obtaining individual consent, which is a widely used legal basis for processing personal data under EU data protection laws. Companies that rely on this mechanism will need to carefully examine their existing strategies to ensure compliance with the GDPR.
In addition, the GDPR codifies and reinforces the EU's "right to be forgotten" (the right to erasure). In broad terms, this means that if individuals no longer want their data to be processed, and there is no legitimate reason for a company to keep that data, the "data shall be deleted." The codification of this right in the GDPR follows the 2014 decision of the Court of Justice of the European Union requiring Google to remove certain links from its search results pursuant to an individual's "right to be forgotten." The GDPR affirms that this right extends to all Internet users in Europe, but leaves unanswered key questions regarding which Internet intermediaries must comply with such deletion requests and under what circumstances companies may deny deletion requests on free expression grounds.
2. 72-Hour Breach Notification Requirement For All Businesses
The GDPR imposes strict new data-breach notification requirements. Specifically, a company that suffers a personal data breach must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the affected individuals. Where the breach is likely to result in a high risk to individuals, the company must also notify those individuals without undue delay. In contrast, breach notification in the United States is governed state by state, and those requirements are generally far less onerous.
3. Increased Penalties—Up to 4.0% of Worldwide Annual Revenue
Perhaps the most significant business impact of the GDPR is the potential for harsh penalties for non-compliance. Specifically, the regulation allows administrative fines of up to 4% of a company's total worldwide annual turnover for the preceding financial year or EUR 20 million, whichever is higher. A penalty of that size could cripple any business, which heightens the need for attention to compliance efforts.
4. Expanded Territorial Scope
Under the GDPR, the territorial scope of EU data protection rules will include not only EU-based businesses, but also businesses outside the EU to the extent that their data processing activities relate to offering goods or services to individuals in the EU or to monitoring the behavior of individuals in the EU. This expanded territorial scope could lead to significant new compliance obligations for companies with no operations in the EU, particularly in light of the significantly enhanced penalties for non-compliance.
5. One-Stop Shop
One potential positive for businesses is the "one-stop shop" concept. Where a company's processing has cross-border effects, the GDPR provides that the supervisory authority of the EU member state in which the company has its "main establishment" or "single establishment" will act as the lead supervisory authority for the company's data protection compliance throughout the EU. Moreover, unlike Directive 95/46/EC, which each member state had to transpose into its own national law, the GDPR is directly applicable and will not require enactment by individual member states, which should create more consistency in data protection rules across the EU.
Check your Data Plan Now
Businesses that handle data relating to individuals in the EU should consider strategies for adapting to the new EU rules before these more stringent provisions take effect. Ice Miller's Data Security and Privacy Practice advises clients on international data protection, international data transfers, and compliance.
Nick Mercker and Eric McKeown are members of Ice Miller’s Data Security and Privacy Practice.