What The EU General Data Protection Regulation Means For You
By Allison Proffitt
October 10, 2017 | The countdown is on. The European Union’s General Data Protection Regulation goes into effect May 25, 2018. The regulation is significantly more expansive than the privacy directive it replaces and carries hefty financial penalties for non-compliance. But the biggest cause for concern may be its impact on non-European companies, which have no idea that the regulation applies to them.
The GDPR was adopted in April 2016 by the European Parliament. The regulation replaces an earlier directive and includes provisions on a right to be forgotten; "clear and affirmative consent" to the processing of private data by the person concerned; a right to transfer your data to another service provider; the right to know when your data has been hacked; ensuring that privacy policies are explained in clear and understandable language; and stronger enforcement as a deterrent to breaking the rules.
But the GDPR doesn’t just apply within the European Union; it’s not a geographic regulation. Instead, the GDPR applies to anyone handling data from EU data subjects. The regulations have “extraterritorial jurisdictional reach”, explains Debra Diener.
Diener is an attorney and Certified Information Privacy Professional. For years she specialized in privacy within the government at the IRS, Department of the Treasury, and Department of Homeland Security; now she consults privately on privacy and identity management. The GDPR’s mission is to strengthen and harmonize the EU’s rules for protecting the individual privacy rights and freedoms of EU data subjects, she says. Her concern is that US and international companies are not fully comprehending—or preparing for—how that mission applies to them.
“This regulation applies to the processing of personal data in the context of a controller or a processor in the Union regardless of whether the processing takes place in the Union or not,” the GDPR reads. And the critical language, Diener interjects, is this: “The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or the monitoring of their behavior as far as that behavior takes place in the Union.”
Here’s what that could mean. If a French citizen accesses the website of a US-based company, that in and of itself doesn't mean that the company comes under the jurisdiction of the GDPR, Diener says. But if a company “envisages” that EU data subjects will use its goods or services, then the company is subject to the GDPR. “In other words, if there's an intent to target EU customers, then that company could potentially be subject to this regulation,” she says.
None of this has been clarified in practice yet, and Diener is careful not to predict exactly which situations would be subject to the GDPR and which wouldn’t. Instead, she’s anxious for US companies to carefully assess their business and see how the GDPR may apply.
The regulation includes broad language, she says, applying to many types of businesses. For instance, it prohibits the tracking of individuals online to create profiles to analyze and “predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements.” The language shows that the EU itself is very concerned about how these data are used, Diener says.
Definition of Data
There are fundamental differences in how Europeans and Americans view personal data. Those differences gave rise to the GDPR, and they also shed light on why some American companies may be caught unaware when the May 2018 implementation deadline arrives.
In the US, except for medical records, personal information is essentially a commodity, explains Peter Alterman, COO at SAFE-BioPharma Association. “Much—if not most—of the personal information about each of us that’s floating around is considered raw material that’s reasonably appropriate to make money from. That's not the way it is in Europe. It hasn't been that way in Europe for a long time, because the European Commission and the European Parliament have adopted privacy of personal information as a basic civil right. It is that fundamental difference in thinking about and operating about personal information on the internet that really is the fundamental and important context here.”
That difference informed many of the GDPR rules, and the disconnect could get US companies in trouble. The GDPR requires that people affirmatively opt in to uses of their data, rather than the opt-out model Americans may expect. When a company wants to use personal data, or process it for the purposes of direct marketing toward an EU data subject, consent must be obtained. “Permission has to be clear, unambiguous, and in writing,” Diener explains. EU data subjects also have the right to be forgotten.
The GDPR also defines “sensitive” data more broadly than US companies may expect. “Sensitive data now includes, under this regulation, genetic data, biometric data,” Diener says. “Let me just give you a quick comparison: that is a broader set of data than is covered by HIPAA.”
Companies in the United States seek to comply with the HIPAA privacy rules or the expanded HITECH Act. That’s just not enough, Diener warns.
“A company sitting in the United States that handles health data—a health company, a clinical trial group, a hospital, a doctor's office—they could feel very good that they actually are doing everything that they have to do under HIPAA and HITECH. But if that organization could be considered to be within, or covered by, the parameters of this EU regulation, then just doing what they've been doing for HIPAA might not be compliant with what is required under the GDPR.”
At-Risk Groups
Alterman and Diener are concerned that companies across the United States are going to find themselves unprepared for GDPR enforcement next May either because they’ve been thinking too locally, or because their understanding of data is so different from what’s represented in GDPR.
“I'm thinking about the hospitals or the research organizations within universities, and the labs where they may not be as aware of what's happening and they're going along doing their research and striving for new insights… thinking locally not globally,” Diener says.
“Some research groups aren't aware of the fact that they have global exposure or that they have subcontractors or supply chain partners who are covered by or under the umbrella of these regulations,” Alterman adds. “And if they have a supply chain provider or two, or they have a clinical trial site or three that are covered under this regulation, then they are covered under this regulation. They need to understand and be alerted that… their company’s exposure is a lot broader than they think it is.”
Diener worries that younger start-up data companies may be particularly at risk. Tech companies, especially, tend to view data as a fluid commodity, she says, collecting data today without being sure what they will use it for in two years.
“Younger people today—and perhaps even older people—think of the world as membrane free,” she says. “To them, data is data. It is malleable; it is interchangeable. They're sitting in X place but they're talking with people in Y place. They may not even know; they may not even care… it has become so broad for them and so interchangeable that a person starting a startup today may be very unaware of where he, she, they are getting the data, where they're using, and how they want to use it.”
It’s complicated for sure; Diener and Alterman don’t deny that. But the repercussions for ignoring the GDPR could be staggering. The fines that can be imposed for noncompliance are up to 4% of a company’s total worldwide annual profits for the preceding year or up to 10 million Euros, whichever amount is higher, Diener says.
She and Alterman suggest that groups do at least an internal mapping. “They have to be aware of what the GDPR does at a high level, and the way their business model could map to it, the way their data flows could map to it,” Diener says. There is a great deal of legal information available about the GDPR; firms have written recommendations and guidance. “I'm not suggesting [anyone] spend a wealth of money to become educated,” Diener says, “but they need to be aware of it and think about it and not just assume that they're not covered because they say, ‘Well, we're only in the United States.’”
The work of preparation is far less painful than having to defend against an international investigation or inquiry in an EU country, Diener says. “The head in the sand approach is going to be the most disastrous.”