May 2018 Cover Story: Data Privacy and the Law - GDPR: EU General Data Protection Regulation

by Francoise Gilbert

The adoption of the EU General Data Protection Regulation (GDPR) is likely to remain one of the most significant enactments of the past twenty years in the area of data protection. The GDPR, which goes into effect May 25, 2018, will sweep away the national data protection laws currently in effect in the European Union and European Economic Area (EU/EEA). The GDPR creates a tsunami of obligations for numerous businesses that are established outside the EU/EEA but process personal data of EU/EEA individuals. Some of these obligations and concerns are described below.

1. Territorial Scope

Organizations that are not established within the EU/EEA are subject to GDPR when they process personal data of data subjects who are in the EU/EEA if the processing activities are related “to the offering of goods or services” to such data subjects in the EU/EEA, or “the monitoring of their behavior” to the extent that their behavior takes place within the EU/EEA.

2. Personal Data Under the GDPR

The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person.” This broad definition includes types of information that U.S. companies usually do not view as “personal,” such as device identifiers, IP addresses, cookie identifiers, or RFID tags. The GDPR also protects “special categories” of personal data, which include, among others, genetic data and biometric data processed to uniquely identify a person, as well as data concerning health, religious beliefs, and a person's sex life or sexual orientation.

3. Data Protection Principles

The GDPR is based on seven Data Protection Principles that require the personal data to be:

Processed lawfully, fairly, and in a transparent manner (lawfulness, fairness, and transparency principle)

Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes (purpose limitation principle)

Adequate, relevant, and limited to what is necessary in relation to the purpose(s) (data minimization principle)

Accurate and, where necessary, kept up-to-date (accuracy principle)

Kept in a form that permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data is processed (storage limitation principle)

Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle)

Additionally, the data controller is responsible for, and must be able to demonstrate compliance with, the above principles (accountability principle). Infringement of these basic principles falls in the higher tier of fines, which can reach EUR 20,000,000 or 4% of total worldwide annual turnover, whichever is higher.

4. Legal Grounds for the Processing

Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. There are only six grounds that make the collection and processing of personal data legal. One of them is consent, but the consent must be “freely given, specific, informed and unambiguous,” and the request for consent must be unbundled from other terms and conditions.

The GDPR offers five other grounds to legitimize the processing: when the processing is necessary for the performance of a contract to which the data subject is party; for compliance with a legal obligation to which the controller is subject; to protect the vital interests of the data subject or of another natural person; for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

5. Accountability and Record Keeping

The GDPR requires each data controller or processor to demonstrate compliance with the data protection principles and to keep a detailed record of its processing operations. Entities with fewer than 250 employees are exempt from the record-keeping obligation, but only if their processing is occasional, is unlikely to result in a risk to the rights and freedoms of data subjects, and does not include special categories of data or data relating to criminal convictions. Organizations are also expected to design their products and services in accordance with Data Protection by Design and Data Protection by Default principles, and to be able to prove that they did so. This means, for example, ensuring that only the minimum amount of personal data is collected and processed for a specific purpose; that the extent of processing is limited to what is necessary for each purpose; that the data is stored no longer than necessary; and that access is restricted to what is necessary for each purpose.

Data controllers are also required to conduct a data protection impact assessment before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals. If the assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller must consult the supervisory authority before proceeding.

6. Obligations of Processors

The GDPR contains extensive provisions regarding the role and obligations of processors. In particular, data processors must execute and comply with a written data processing agreement that meets the requirements specified in the GDPR in order to be allowed to provide their services to data controllers. They are also expected to implement appropriate security measures, comply with the cross-border data transfer rules, maintain adequate documentation (with exceptions), and in some cases carry out data protection impact assessments and/or appoint a data protection officer. Processors are directly liable to sanctions if they fail to meet these requirements and may face claims by individuals for compensation.

7. Security: Breach of Security

Controllers and processors must maintain a comprehensive security program adapted to the nature of the personal data collected, used, or shared. In addition, the GDPR introduces a new obligation to disclose security breaches affecting personal data. Controllers must notify the supervisory authority of a breach without undue delay and, where feasible, not later than seventy-two hours after having become aware of it; a notification made after seventy-two hours must be accompanied by reasons for the delay. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of the data subjects, but the controller must still document every breach, its effects, and the remedial action taken, so that the supervisory authority can verify compliance. When the breach is likely to result in a high risk to the individuals, the controller must also notify the affected individuals without undue delay. When a breach affects a processor, the processor must notify the controller without undue delay after having become aware of the breach.

8. Cross-border Data Transfers

Transfers of personal data outside the EU/EEA are permitted to countries that have been deemed to ensure an adequate level of protection. These include Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay, as well as U.S. companies that have self-certified their compliance with the EU-US Privacy Shield with the U.S. Department of Commerce.

Transfers are also permitted where appropriate safeguards have been provided by the controller or processor, such as binding corporate rules and standard contractual clauses, or compliance with an approved code of conduct or an approved certification mechanism. The GDPR offers a number of derogations, such as where explicit informed consent has been obtained or where, among others, the transfer is necessary for the performance of a contract. If a transfer is requested by a court, tribunal, or administrative authority of a third country, the request is only recognized or enforceable (within the EU/EEA) if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU/EEA or Member State.

9. Rights of the Data Subject

Data subjects receive enhanced access and rectification rights. The information must be provided within one month of the request; that period may be extended by two further months where necessary, taking into account the complexity and number of requests, provided the data subject is informed of the extension and the reasons for it. The right to data portability enables the data subject to receive, or have transmitted to another controller, the personal data he or she has provided to the controller, in a structured, commonly used, and machine-readable format, where the processing is based on consent or on a contract and is carried out by automated means.

A right to be forgotten (right to erasure) is available in limited circumstances, such as when the controller has no legal ground for processing the information. Data subjects can require restriction of the processing of their personal data in defined circumstances, such as when the accuracy of the data is contested, the processing is unlawful, or the data is no longer needed by the controller but is required by the data subject for legal claims.

10. Marketing: Automated Decisions

The GDPR grants individuals the right to object to the processing of personal data for direct marketing purposes. In addition, individuals have the right not to be subject to a decision based solely on automated processing, including profiling. Automated decision making and profiling that produce legal effects concerning the individual, or similarly significantly affect him or her, are only permitted where necessary for entering into or performing a contract, where authorized by EU/EEA or Member State law, or with the explicit consent of the data subject.

11. Data Protection Officer

In addition to public authorities, organizations are required to appoint a data protection officer (DPO) if their core activities require regular and systematic monitoring of data subjects on a large scale or consist of processing special categories of personal data on a large scale. DPOs must have expert knowledge of data protection law and practices. The DPO must report directly to the highest management level and must not be dismissed or penalized for performing his or her tasks.

12. Private Right of Action

Data subjects have the ability to bring private claims against data controllers and processors, and to mandate a not-for-profit organization that is active in the field of consumer protection to exercise rights and bring claims on their behalf. Any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to receive compensation from the controller or processor.

13. Multinational Activities: Lead Authorities

For cross-border processing, the supervisory authority of the controller's or processor's main establishment or single establishment in the EU/EEA acts as the lead supervisory authority. The GDPR establishes a cooperation and consistency procedure for situations where multiple supervisory authorities are involved in an investigation or enforcement action.

14. Fines

Fines are calculated by reference to the revenues of an “undertaking,” a term generally understood to mean a group of companies, rather than the revenues of the relevant controller or processor alone. The fines are divided into two tiers. For the most serious offences, the fines will be up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. For the less serious offences, the fines will be up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.

15. Role of Supervisory Authorities

Supervisory authorities are vested with broad investigative and corrective powers, including the power to conduct on-site data protection audits, issue public warnings and reprimands, order specific remediation activities, impose temporary or definitive bans on processing, suspend data flows to a recipient in a third country, and impose administrative fines.

16. Role of the Member States

Despite the fact that the GDPR is a regulation, intended to provide a single law throughout the EU/EEA, Member States have the ability to supplement or modify the provisions of the GDPR in numerous important areas, for certain types of processing.

Francoise Gilbert is a partner at Greenberg Traurig who focuses her practice and research on U.S. and global data privacy and cybersecurity. She has significant experience in dealing with global data protection issues, including the EU General Data Protection Regulation (GDPR) and numerous other privacy and data protection laws in Europe, Asia, and the rest of the world. Ms. Gilbert is the lead author and editor of the two-volume treatise, Global Privacy and Security Law (Wolters Kluwer), and the co-author of several collective works, including Internet of Things and Data Analytics (Wiley). Ms. Gilbert holds CIPP/US, CIPP/EU, and CIPM certifications, law degrees in the United States and in France, and is admitted to practice law in the United States and in France.
