The General Data Protection Regulation (GDPR) is the latest data protection legislation applicable to European Union (EU) member states. The GDPR replaces the European data protection framework set out in the Data Protection Directive (95/46/EC) (the Directive). Unlike the Directive, which each member state had to transpose into its own national law, the GDPR is a regulation and so applies directly in every member state, although it leaves room for some national derogations. The GDPR ushers in an era of significantly enhanced compliance, governance and accountability obligations for organisations involved in the processing of personal data of individuals in the EU. This comes in tandem with significantly increased penalties for non-compliance: for the most serious infringements, up to the higher of 4 per cent of an organisation's total worldwide annual turnover or EUR 20,000,000 (Article 83(5)).
While the GDPR is becoming well understood inside the EU, its implications for organisations doing business outside the EU are less well known. This post shows how the GDPR will capture many non-EU businesses.
What is personal data in the GDPR?
In the GDPR, personal data is defined as "any information relating to an identified or identifiable natural person" (Article 4(1)). A low bar is set for "identifiable": if anyone can identify a natural person using "all the means reasonably likely to be used" (Recital 26), the information is personal data. Data may therefore be personal data even if the organisation holding it cannot itself identify the natural person. A name is not necessary either; any identifier will do, such as an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Online identifiers are expressly called out in Recital 30, with IP addresses, cookie identifiers and RFID tags all listed as examples. For practical purposes this means that web server logs, analytics data and advertising identifiers are personal data even when no name is attached to them.
While the GDPR covers personal data in general, there is a critical subset called special categories of personal data (Article 9). This was referred to under the Directive as sensitive data and covers racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. Processing of special category data is prohibited unless one of the specific conditions in Article 9(2) applies, so it should receive a higher level of protection than regular personal data.
Scope of application for non-European companies
Companies with an EU or EEA establishment
Pursuant to Article 7(a) of the Main Agreement on the EEA (EEA Agreement), an EU regulation that is incorporated into the EEA Agreement becomes part of the internal legal order of the EEA States as such. The GDPR will therefore apply not only in the EU member states but also in the EEA EFTA States Iceland, Liechtenstein and Norway, adding another three states to the EU 28. (Switzerland is an EFTA member but not an EEA State and is not covered in this way.)
In this way, companies headquartered elsewhere may fall under the GDPR provided they have an establishment (such as a subsidiary or branch) in an EU or EEA country. Where personal data is processed in the context of the activities of that establishment, the company can be treated as a data controller or processor for the purposes of the GDPR (Article 3(1)), regardless of whether the processing itself takes place inside or outside the EU.
Companies selling or monitoring with no EU or EEA establishment
Companies that have no establishment in an EU or EEA country, but which process personal data of natural persons who are in the EU (or EEA) in order to offer goods or services to them, or to monitor their behaviour, also fall under the ambit of the GDPR. Note that tracking of individuals on the internet for profiling purposes (Recital 24) is expressly referred to as an example of monitoring.
The GDPR's preamble (Recital 23) states that while a website's mere accessibility is insufficient to ascertain the intent to offer goods and services to persons in the EU, "factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
It is worth reproducing here the actual text from the GDPR:
Art. 3(2) GDPR
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
Non-EU businesses caught by one or both of the offering-goods-or-services or monitoring tests must designate in writing a representative established in the EU (Article 27). Limited exceptions apply under Article 27(2), for example where the processing is only occasional, does not include large-scale processing of special category data, and is unlikely to result in a risk to the rights and freedoms of natural persons, but a business should not assume it qualifies without assessing this.
Processing companies with no EU or EEA establishment
There are also changes for EU businesses that want to use a non-EU business as a data processor, for example an Asian call centre answering calls on behalf of an EU business. Article 28(1) of the GDPR stipulates that European controllers (and non-European controllers to which the GDPR applies) may only use "processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements" of the GDPR. In effect, controllers must have a contract (or other legal act) in place with non-EU processors containing the mandatory terms set out in Article 28(3), such as processing only on documented instructions, confidentiality obligations, security measures, assistance with data subject rights and breach notification, and audit rights. Sending personal data to a processor outside the EEA is also an international transfer, which must separately satisfy Chapter V of the GDPR (for example through an adequacy decision or standard contractual clauses).
This will push non-European companies that wish to sell their services to European companies to fully implement GDPR-compliant systems and other such measures, or risk being excluded from EU contracts.
What steps should organisations be taking now?
With the GDPR applying from 25 May 2018, now is the right time for organisations outside of the EU to begin assessing and auditing their operations to (a) determine whether or not the GDPR will apply to them; and (b) if so, assess what changes or other steps they need to start taking to ensure compliance. A useful starting point is a data inventory: what personal data is collected, from whom and where they are located, on what basis, where it is stored and with whom it is shared. Since the applicability assessment may not be straightforward, early steps are highly advisable.
Controllers and processors will also need to determine which member states' supervisory authorities have jurisdiction over their processing activities, which is the lead supervisory authority for cross-border processing (Article 56), and which other supervisory authorities may be concerned.
An important aspect of managing compliance risk is to stay on the right side of your regulator by engaging positively with any guidance it publishes and taking up opportunities such as training and seminars.
When in doubt, consult GDPR experts who can assist by way of helping to assess and navigate the changes that this new legal regime will herald, and to also help ensure that your business activities and processes are compliant with its requirements. Thanks to our colleagues in www.digitorc.com for their assistance in producing this post.