Our websites are global, our e-commerce offerings reach customers around the world, our Internet radio broadcasts elicit responses from listeners around the globe and our consultants often hail from London to New Delhi.
Whether people pay us, whether we pay them, or whether we just correspond with people interested in our products, services and programs, we often exchange personal data that includes email addresses, phone numbers, and physical addresses. This personal data is increasingly protected by regulations around the world, especially when it is collected online. Nowhere is this regulation more stringent than in Europe.
In just six months, new European privacy regulations, called the General Data Protection Rules (GDPR) will take effect, with large new fines and a strong European Union (EU) commitment to enforcement. This new law fundamentally increases protection of personal data and its reach extends far beyond the borders of the EU. Companies all over the world are preparing for the change. Are you?
This blog post provides an overview of the new GDPR, suggests steps which companies might take to better understand and stay on the right side of these rules (including by “self-certifying” your company’s compliance) and provides some U.S.-based resources in the form of the websites of the Department of Commerce and U.S. Better Business Bureau. For those who collect personal data from citizens in EU countries, the time to act is now.
EU Data Protection Law in a Nutshell
Europe has a different type of protection for personal data than the U.S. For instance, U.S.-based data privacy laws are sectoral: we protect an individual’s health data, financial data and even individual movie rentals. Due to the abusive use of personal data collected before and during WWII, European countries have taken a much harder line than the U.S. when it comes to private collection of personal data. As one of the first laws of the then-new European Union, the Data Protection Directive was passed in 1995 and created a comprehensive data protection law for Europe. All personal data of European individuals is broadly protected, and control over that data rests with the individual and includes: (1) a right to review the data, and correct it as appropriate, and (2) a right to consent to “secondary uses” of the data, including whether or not the data may be shared or sold to third parties for purposes unrelated to the original purchase or service.
In 2016, European lawmakers went one giant step further. The EU created a stronger set of data privacy laws designed to further harmonize the data protection laws of the region and better correlate them to 21st century technologies. Now this law, the GDPR, is shaking up the way companies around the world collect, process, retain, share and delete personal data collected from European citizens. Every company working with data flows from Europe should be closely reviewing its data policies, procedures and processing to see whether compliance is required.
Why Should Companies in the U.S. (or Anywhere Outside the EU) Care About the GDPR?
The GDPR is expressly extraterritorial. The EU intends for these regulations to apply not only in Europe, but anywhere personal data of Europeans is collected, stored, processed, transferred or shared. The GDPR applies, for example, if your company sells a product to a French citizen, regardless of where your business is located and whether you store that data on servers in the EU, the U.S. or elsewhere.
This is important because the GDPR has teeth. Tired of companies worldwide ignoring their laws, the EU created penalties in the GDPR that are making even the largest companies wince. Penalties may be assessed up to 4 percent of worldwide annual revenue or 20 million Euros (whichever is greater) with fines going into effect on May 25, 2018. The clock is ticking…
How Can Your Company Continue to Receive Personal Data from Individuals in EU Countries?
A year ago, after the passage of the GDPR, Department of Commerce (DOC) employees rushed to the table with their European Commission (EC) counterparts to figure out how to keep personal data flowing from the EU to the U.S. without interruption. They hammered out an agreement called the EU–U.S. Privacy Shield to provide a framework by which U.S. companies could review, and if appropriate, modify their data processing practices and “self-certify” their compliance with the Privacy Shield. A properly self-certifying U.S. company can then hold itself out to European citizens and companies as legally able to receive and process personal data. Adoption of the Privacy Shield framework is optional for U.S. companies, but it offers the easiest route to continue data flows from Europe.
Preparing for the EU-U.S. Privacy Shield
The Privacy Shield requires U.S. companies to review their handling of personal data, including how the company provides notice when collecting personal data, how the company allows the individual to access and control that data, and how the company retains and deletes personal data. U.S. companies are also responsible for the personal data they pass to others, including vendors, and thus the U.S. company remains accountable for ensuring that the data is processed in compliance with GDPR requirements. European citizens also have the right to raise concerns about the use of their personal data, and to initiate reviews and investigations.
Are you ready? The biggest companies are already well on their way to compliance. As they know that changes to software and staff procedures can take months or years, AMEX, IBM and other Fortune 500 companies have already rushed to review and revise the way they process personal data. In addition, their technologists and lawyers are being generous in sharing guidance to other businesses. For example, IBM has posted its “Journey to GDPR Readiness” with advice and guidance, and a helpful “count-down clock” to let companies know the time left before the GDPR laws take effect — 163 days, 02 hours and 04 minutes to May 25, 2018 (as of the writing of this paragraph).
Still, many medium-sized and small businesses do not seem to be caught up in the GDPR frenzy. They do so at their own peril.
Do Medium and Small Businesses Need to Prepare for the GDPR Too?
The GDPR does not contain any type of “small business exemption.” It applies to all businesses of all sizes that collect personal data for commercial purposes from EU citizens.
Small and medium-sized businesses who believe they may not be targeted for enforcement, or think that compliance is too expensive, need to understand that such ostrich-like behavior is risky. Again, the law’s application – and, technically, its enforcement – does not stop at the EU’s borders. The only way to eliminate all risk is to stop collecting personal data from citizens in the EU or comply with the GDPR.
What can you do to prepare? The best option for a small to medium-sized company is to “self-certify” through the DOC. That involves a process of reviewing and updating your company’s processing of personal data. This may involve changing your data processing, your privacy policies, your vendor agreements, and more to reflect the requirements of the Privacy Shield.
The DOC, the Federal Trade Commission, and the U.S. Better Business Bureau (BBB) have created tools to help businesses of all sizes. The DOC and FTC jointly created a Privacy Shield website with detailed guidance on the Privacy Shield Principles, including tips on how to develop compliant data process practices and privacy statements, and where to self-certify with the DOC when the hard work is done.
The BBB created an even more accessible website which is good for smaller businesses and opens with the basic question: “Where do I start?” The BBB’s “Five Step Program” walks companies through the basic questions of whether they need to become Privacy Shield compliant, and if so, how to accomplish it. The BBB also provides an affordable service for handling complaints from EU citizens. Called an “independent recourse mechanism,” it is available to all U.S. businesses that self-certify through the BBB. (Note: you will still need to self-certify with the DOC.)
Overall, don’t wait!
It’s not easy to self-certify. But with the new tools, the European laws are easier to understand and the steps for reviewing and updating your data processing, notification and policies are clear. With only six months to go until the May 25, 2018 deadline, the time to start is now (if you have not done so already).
One reason is that the European Commission (EC) has signaled a clear focus on enforcement of the GDPR. EC officials recently completed their “first annual review” of the Privacy Shield and urged the DOC to engage more actively in monitoring compliance with Privacy Shield principles and to provide better detection of false claims of certification under the Privacy Shield program. It is clear that the EC will be watching closely as U.S. companies unveil their “self-certification” programs.
Don’t wait! Changes to software and policies can take time, as does training data centers and other staff. Preparation for self-certification is doable with the assistance of existing websites. Of course, there are attorneys who specialize in the GDPR and Privacy Shield, and their responsiveness to your business’ questions — at the right moment when you need it — may save you critical time and money.
If you have customers, consultants and commenters in the EU, you have no choice but to act or expose yourself to liability. The IBM count-down clock continues as it counts down toward enforcement and fines. You won’t want to snooze on this one.
* * *
Fletcher, Heald & Hildreth knows U.S. data privacy and the GDPR. Our attorneys work closely with companies operating on the Internet to ensure compliance with the FTC’s Children’s Online Privacy Protection Act, the EU Data Protection Directive and now the GDPR. We audit client websites for compliance with online advertising and other privacy regulations, and regularly assist with questions regarding the Telephone Consumer Protection Act. If you have any questions, please contact your attorney here at FHH or Kathy Kleiman, FHH Internet Counsel.