Many companies were scrambling to comply with the General Data Protection Regulation (GDPR) of the European Union, a broad data privacy law. It was implemented in May 2018. Companies worldwide would be required to comply with the EU law, which covered EU citizens’ data from anywhere in the world. Fines of up to 20,000,000 euro or 2% of their global annual turnover (or revenue) could result, depending on the severity.
The GDPR established rules for “data processor” and “data controller”, which included rights and freedoms that were granted to data subjects. These rights include the right for a user not to consent to data collection and to request deletion. Users also have the right to access their data. Many companies were required to create systems and processes to respond to these rights. Some companies were left wondering if their efforts had been in vain because of unanswered questions regarding the meanings of certain clauses.
Some things are more clear than others, but there are still many questions. What lessons have businesses learned? What can we expect of the 2020 GDPR supervisory authorities? What does the rise in other data privacy laws (e.g. California’s Consumer Privacy Act) mean for businesses?
The GDPR, an 88-page law, contains 11 chapters and 99 articles. All of these are designed to improve and unify data privacy practices regarding EU residents. Its reach is not limited to the EU’s borders; any company that processes or collects data from EU citizens must adhere to the GDPR.
Odia Kagan is a Fox Rothschild LLP partner and chair of the GDPR compliance practice and international privacy. She said that there is no blueprint for GDPR compliance. Businesses must ask themselves, “Basically, what does the GDPR compliance mean for me?” Kagan explained that the answer may differ from one company to another.
She stated that she tried to get to grips with the basics first and then move on to more complex topics. “There are common rules for everyone,” she explained. “GDPR isn’t a one-off deal; it’s an ongoing process. It’s an ongoing compliance process that requires you to continue and reevaluate. Even companies that have done a lot of work are likely to have more to do.”
GDPR codifies data processing and collection standards, creating broad rules that govern the use of EU data outside of the EU. Kagan stated that every company should consider the following when working towards GDPR compliance.
- Extensive disclosure: Companies must provide a detailed description of the data they collect, how it is stored, processed, and for what purpose. This should include information about who the data is shared with and how long it is kept.
- Users must have more control over their data. Users can request a copy of their data. Users can request that their data be deleted or modified. Users can also choose whether to consent to the sharing of their data with third parties for purposes other than outsourced processing.
- Compliance downstream: All third-party service providers and partner companies must also comply with the GDPR. Otherwise, the company collecting the data could be held responsible. This means that if you collect user information yourself but outsource processing to non-compliant companies, you may still be liable for data breaches. Third-party cookies, and how they may collect and track data, are also important to consider.
Kagan stated that the added complexity came from the fact that EU companies had an advantage. “The Data Protection Directive was implemented in national laws by the 28 EU countries. This basically covered 80% of GDPR regulations.”
The EU has a clear advantage over the U.S. in terms of data protection legislation due to subsequent improvements to the Data Protection Directive (the ePrivacy Directive of 2002). U.S. companies had a difficult time keeping up with GDPR implementation. Clients asked Kagan if she had a checklist that they could follow. Her response was “yes … but it is not a one-size-fits-all program.” Kagan explained that they began with the same requirements for all businesses.
Failure to comply with the GDPR can lead to severe penalties: fines of up to 10,000,000 euros and 2% of global annual revenue for the preceding year. This could be a serious blow to many businesses. Enforcement has generally been more lenient than the maximum penalty would suggest, but this looming threat made GDPR compliance a crucial challenge for U.S. businesses.
It is a smart move to work with an attorney or consultant to ensure compliance with any broad law such as the GDPR. Donovan Buck, BrandExtract’s vice president of software engineering, said this is a good place to start.
Buck stated, “If you don’t know where to begin, the law can be really easy to understand.” Although it is quite long, the text is easy to understand. It also has a preamble that … conveys the spirit of the law. He said that the law isn’t so scary. “Read the law, it’s not so bad.”
Even those who have read the law know that the GDPR left many questions unanswered both before and after its implementation in May 2018. The European Data Protection Board is the supervisory authority that oversees the GDPR and has provided clarifications and guidelines to help companies ensure compliance. The board will likely provide additional clarifications on key topics in the coming months. The following are some of the GDPR areas for which the board has already issued, or is working to release, guidelines.
- Consent: Clear and transparent disclosure is required to obtain consent from data subjects. Companies must inform users about their data collection, usage, and sharing. It is not enough to bury this in the fine print of your terms and conditions; it must also be clearly stated in plain English. Without this, consent to the processing of data might not be valid under the GDPR.
- Territorial scope. In November 2019, clarifications were made by the European Data Protection Board about which companies GDPR applies to. These guidelines clarify what constitutes an EU establishment and what companies target users within the EU. The guidelines also address the need to establish an international cooperation mechanism to enforce the GDPR on companies that are not within the EU.
- Legal basis for processing: The European Data Protection Board published guidelines in April 2019 regarding the legal basis for processing personal data within the GDPR. These guidelines defined what data was required for collection, termination and application of the rules.
Kagan stated that despite the European Data Protection Board’s clarifications, many questions remain. Cross-border transfers are another area that needs clarification. This refers to the way data is sent outside of the EU. Another open question is the issue of joint controllers, which arises when multiple companies have access to user data. It is not clear how to define their respective rights and responsibilities.
Kagan stated that “a lot of unique issues remain open” and that this makes compliance more difficult.
More enforcement could be beneficial, she said, as it will let other companies know what is fair play and what is not.
GDPR enforcement has so far been limited, and few fines anywhere near the 10 million euro maximum have been imposed. There are signs, however, that regulators are increasing enforcement and that fines will soon be higher (and more severe). Companies need to make sure they follow the definitions provided by regulators for elements of the law such as “disclosure” or “consent,” rather than their own interpretation.
Buck stated that many companies aren’t following the letter or the spirit of the GDPR. “We often see companies that insist on putting full disclosure about what they are doing with data buried in terms-and-conditions pages that require a lawyer’s interpretation. This doesn’t conform to the letter or spirit of the law. This is the largest mistake I see companies make.”
According to the GDPR, data subjects must be informed in a clear, concise, transparent, understandable, and easy-to-find manner.
According to the Enforcement Tracker, which monitors GDPR fines, the biggest fines to date include a fine of 50 million euros against Google by France’s Data Protection Authority, a fine of 110 million euros against Marriott International by the United Kingdom Information Commissioner, and a fine of 204 million euros against British Airways by the United Kingdom Information Commissioner.
The fines against Marriott International and British Airways were not yet finalized; the decisions will be made after the companies and member states have had the opportunity to present their cases. Both incidents are related to data breaches that took place in 2018. The Google fine was already imposed because Google failed to obtain “specific” or “unambiguous” consent from users for the creation of a Google Account during the setup of an Android phone.