GDPR just took effect in the EU and most companies, there and in the US, are confused about what it is and what they are supposed to do. We provide a brief look at the regulations and how they might affect US companies.
2. THE EU GDPR
WHY US COMPANIES SHOULD CARE
JAMES C. ROBERTS III, ESQ.
GLOBALCAPITAL
GLOBAL CAPITAL STRATEGIC GROUP | GLOBAL CAPITAL LAW GROUP PC
3. WHO IS GLOBALCAPITAL?
Disruptive Tech Counsel
globalcaplaw.com
Our clients create, finance, distribute or implement disruptive tech
4. A FEW PROJECTS OF OURS
• 1st digital licenses for Snoopy & for Barney.
• Outside corporate counsel
• Counsel on 1st music VR project
5. THIS IS NOT LEGAL ADVICE
For example,
1. You and we have not agreed to an engagement
2. We don’t know your particular situation, e.g., your facts
6. THE PRESENTATION IS BASED ON
GENERALIZATIONS
• As an introduction to GDPR and its impact on US
companies, these slides include generalizations that
might not (probably do not) apply to all situations.
• There is a lot of disagreement about the application
of all of GDPR in all circumstances.
• Courts will change the current understanding.
8. WHAT IS THE GDPR?
• It is among the first regulations enforced at the EU level
• Regulation is typically introduced at the EU level and implemented by national laws of the member states
• “Uniform” regulation of collection and use of all “personal” data of EU citizens
9. (AT LEAST) THESE CORE PRINCIPLES OF GDPR
• “Data protection by design”
• EU Citizens own the data you collect, receive or use
• Companies need data “plumbing” to demonstrate that
their use of the data conforms to the regulations
10. US PRIVACY LAWS V. GDPR
• US privacy law is a patchwork of federal and state laws
• GDPR (largely) consolidates regulation & enforcement
• GDPR creates rights in the data and those rights are
controlled by the EU Citizens
• Requires certain legal bases for collecting, using &
sharing data, even after consent has been given
• Significant risk of substantial penalties
11. EXAMPLE: CONSENT
US privacy law:
• Consent can be inferred
• Once consent is received, data can be collected, used and
shared (largely) without risk
GDPR:
• EU Citizens must give informed and affirmative consent (or
there must be an alternative legitimate basis)
• EU Citizens can control data and its use
13. EU CITIZEN OWNERSHIP OF THE DATA
EU citizens own their data. Therefore:
• EU citizens have rights in their data that they can
exercise
• They can let you use (and create) data based on
“informed and affirmative” consent
• They can have you change the data, give you a copy,
erase it and forget them
14. THINK OF: THE EU CITIZEN AS DATA LICENSOR
The EU citizen:
• Owns his or her data
• Lets others use it only with affirmative consent (or other legitimate basis)
• And “opts in” only to specific uses.
As with any license, the owner may:
• Revoke consent (the license), or amend or request removal of data.
15. CONTROLLER V. PROCESSOR
GDPR maintains the Controller/Processor distinction
• Controller determines the “purposes and means” of
processing data.
• Processor processes PII on behalf of the Controller.
• If the Controller is outside of the EU, it must appoint
an EU representative.
16. EXAMPLE: CONTROLLER V. PROCESSOR
P&G engages a market research firm
• Market research firm determines scope, goals,
means, message: includes NA, EU, ME.
• P&G approves.
• Market research firm is the controller.
• Passes the “purpose and means test.”
17. “LAWFUL BASIS” REQUIREMENT
• Processing must be ‘necessary’
• No “lawful basis” if you can reasonably achieve the
same purpose without the processing
18. OK TO COMMUNICATE RE: A CONTRACT
• Can communicate in anticipation of, and in relation
to, a contract (e.g., contacts for notice provisions or
fulfilling the contract)
• Does not permit wider use of personal data (e.g.,
newsletter, other marketing)
19. CONSENT: HOW DO YOU GET IT?
Consent is:
freely given, specific, informed and unambiguous
indication of the data subject's wishes by which he or
she, by statement or by a clear affirmative action,
signifies agreement to the processing of personal data
relating to him or her.
Be prepared to show your process meets these conditions
20. CONSENT: WHAT DOES IT MEAN?
Affirmative opt-in, i.e.
• no pre-ticked boxes or other default consent.
• Clear and specific statement of consent.
• Consent requests separate from other terms and
conditions.
• Vague or “overall” consent is not enough: specific
consent for specific things.
21. SAYING ADIOS TO CONSENT
User must be able to withdraw consent at any time
as easily as giving consent.
22. WHAT IS “PERSONAL DATA” UNDER GDPR?
“Personal Data” is (basically) any information that:
• Identifies or
• Could identify someone when combined with
other information
24. GDPR “OVERALL” REQUIREMENTS
• Have a legal reason (“lawful basis”) to collect and use the
data
• Consent is a lawful basis if it is clear and affirmative
consent
• Implement internal procedures: safeguards and training
• Keep it for the minimum period necessary
• The right to be forgotten is paramount, as is permanent
erasure
25. GDPR “OVERALL” REQUIREMENTS (2)
• Inform all EU citizen users of their rights
• Transborder transfer, processing & use subject to
GDPR
• Comply with data breach notifications
• Larger organizations (or ones collecting a lot of data)
must have a Data Officer
• Companies might have to conduct an impact analysis
and report it
26. COMPANIES’ OBLIGATIONS
Company obligations are based on the principles of:
• Collect the minimum amount of data for specific
purposes
• Keep it and use it for the shortest time possible
• Use the data only for those legitimate purposes
• Provide it to third parties under narrow circumstances
27. COMPANIES’ OBLIGATIONS (2)
• Do not transfer it outside of the EU & EEA, except
under specific conditions
• Always know what you have, where it is, who is using
it and what the basis of consent is
• Promptly and transparently respond to the exercise of
rights of EU Citizens
• (Other requirements such as internal training)
29. GDPR COVERS ALL EU CITIZENS
Covers data on EU citizens, irrespective of
location of collection/servers, etc.
• If a US company acquires EU citizen data but is
not in the EU, could be subject to GDPR
30. GDPR CAN APPLY TO US COMPANIES . . .
(Basically) depends on the extent of targeting of, or involvement with, EU citizens
• Collects and/or processes EU citizens’ PII as a regular part of its business
• E-commerce, payable in Euros and with local language
• Global surveys, especially if in a local language
• If EU citizens get “hit” with cookies, then GDPR applies
31. GDPR CAN APPLY TO SUBSIDIARIES
• US subsidiaries of EU companies are likely to be subject to
GDPR
• EU subsidiaries of US companies will definitely be subject
to GDPR
• Minority interests will likely trigger coverage
32. BASIC “SMELL TEST”
HOW MUCH OF YOUR BUSINESS DEPENDS ON EU CITIZENS?
• The higher the number—or the higher the percentage of your
business—the greater the risk.
• The bigger you are the greater the risk.
• The more control you have over collection, the greater the risk.
• Controlling or processing.
• Intentional or unintentional.
33. INCIDENTAL COLLECTION: IN THEORY, YES, BUT . . .
Global marketing, per se, that results in such info is unlikely to trigger GDPR
• Even though the law could permit the EU to chase you
34. BE CAREFUL: THIS IS JUST A GUESS
No one really knows how the EU data authorities will
respond.
35. IN OTHER WORDS:
ARE EU CITIZENS A TARGET MARKET FOR YOU?
Then building the data privacy structure implied by the
GDPR is probably a good idea.
36. GDPR: IT’S NOT JUST A PRIVACY POLICY
It’s more about:
• Your “data plumbing” than about your privacy policy (privacy notice)
• Your control of the data you collect and use, i.e., knowing what it is, the consent basis for it and where it is.
• Your responsiveness to EU Citizens’ requests
• Your control, through contract provisions, of your relationships with others in the data plumbing
38. SOME RELIEF . . . JUST DO IT.
Some companies are perfectly happy to implement
privacy policies and procedures “compliant” with
GDPR specifications.
It’s best practices. That’s good business.
39. SOME RELIEF . . .
• The EU/US Privacy Shield
• Model clauses/model contracts
40. THE EU/US PRIVACY SHIELD
The “privacy shield” permits companies to fulfill some of the
obligations under GDPR and “shield” themselves from (some)
risk. But
• [the company] “must include robust mechanisms for assuring
compliance with the Principles, recourse for individuals who are
affected by non-compliance with the Principles, and consequences
for the organization when the Principles are not followed.”
41. “MODEL CONTRACTS”
AKA BINDING CORPORATE RULES
Companies in a “group” or a “joint economic undertaking” can enter into “binding corporate rules” to govern their transatlantic data transfers under GDPR
• Good for parent/sub relationships
• Must file an application with the relevant “data protection authority” at the member state level
42. WHAT TO DO
• EU/US Privacy Shield and “Binding Corporate Rules” take
time and money and are a little tricky.
• Still not necessarily a bad idea. Some rigidity v. some
flexibility.
• Good for larger firms.