Categories: Technology

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space, increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the GDPR:

What does the GDPR do? The GDPR unifies European data and privacy protection laws as to companies that collect or process the personally identifiable information (“PII” or, as the GDPR calls it, “personal data”) of European residents (not just citizens).

Who must comply? The GDPR applies to any company that has personal information of EU residents or citizens or that conducts business in the EU, regardless of its home country.

What is the risk of non-compliance? The GDPR mandates documented compliance. The regulations provide for substantial fines of up to €20 million or 4 percent of global revenues for noncompliance. Willful non-compliance is most heavily fined under this tiered system.

How far along are most companies as to compliance? The consulting firm Gartner estimates that more than half of the companies that are subject to the GDPR will not be in compliance throughout this year. They will be at risk.

Who will adopt the regulations? All 28 EU members, plus Iceland, Norway, and Liechtenstein (collectively known as the “European Economic Area”), and likely the United Kingdom, will adopt the regulations.

Will the regulations be enforced extraterritorially? The GDPR applies worldwide as to any company that offers goods or services (even if they are free) within the EU or collects, processes, or maintains (anywhere) personal data about European residents (again, not just citizens).

How is “personal data” defined? The definition includes any information as to a human being (called a “data subject”) that can directly or indirectly identify him or her, including, but not limited to, names; birthdates; physical addresses; email and IP addresses; and health, biometric, and demographic information.

What constitutes compliance? In general terms, a subject company must limit the use of the retained personal data and maintain it securely.

  • Explicit consent is required for each processing activity as to any covered datum.
  • Access, free of charge, must be afforded to any data subject on request to a “data controller” (a person at the company charged with maintaining data), who, in turn, must assure that any “data processor” (any person or company that takes data from consumers and manipulates or uses it in some way to then pass along information to a third party) is compliant as to the requested action.
  • Data subjects have the right to be “forgotten, i.e., to have their data expunged, and may revoke consent at will.

What does the GDPR require if there is a data breach? Data breaches that “may" pose a risk to individuals must be notified officially within 72 hours and to affected persons without undue delay.

This, of course, is only an outline of GDPR requirements and procedures. Any specific advice only can be provided knowing an individual company’s circumstances and needs. One does note that, as is the case in other regards, for example, antitrust, the assumptions prevalent within the EU are decidedly different from those in the United States. As a number of commentators have observed, while there is no defined “right of privacy” in the United States, a company is required to preserve information, including PII and personal health information, or PHI, in the event of litigation. In Europe, which has very limited litigation discovery, there is a defined right of privacy and individuals can cause data describing them to be erased (“forgotten”).

Many of you know also that there is a case pending a decision in the Supreme Court of the United States involving whether the U.S. government can compel Microsoft to produce PII that is collected and stored outside of the United States. An affirmative decision might create a conflict of law that will complicate the data retention abilities of American companies doing business overseas. So stay tuned.

Tags: Data Breach, EU, European Economic Area, GDPR, General Data Protection Regulations, personal data, Stuart M. Gerson
Back to Workforce Bulletin Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.