As the deadline to comply with GDPR (the EU’s General Data Protection Regulation) looms, businesses outside of the EU are confused as to what they need to do to comply, or whether they need to comply at all (they do). In this article GDPR legal compliance expert attorney Anne P. Mitchell explains why companies in the U.S. and other non-European Union countries need to comply with this complex and confusing regulation that goes into effect in May.
You may have heard that the European Union’s General Data Protection Regulation (affectionately known as GDPR) goes into effect on May 25, 2018, but if you’re like many small to mid-sized businesses you may think it’s nothing to be concerned about if your business isn’t located in the EU.
Unfortunately, you’re wrong. The pending regulation applies to anyone, anywhere, who offers goods or services to individuals in the EU or monitors their behaviour, and therefore collects or processes their personal data (Article 3(2)). Note that GDPR protects natural persons, not organizations: the data of a company is not "personal data", but the data of the people who work there is. Here’s an overview of what the regulation covers and why you need to be concerned (and comply).
What is the GDPR?
GDPR is an acronym for General Data Protection Regulation. In the simplest terms, the regulation is intended to give individuals in the EU more control over how their personal data is used by businesses and other organizations. When it goes into effect, it will apply to the collection, processing, use, retention and deletion of personal data by any organization that decides how and why the data is processed (a "controller") or that processes it on a controller’s behalf (a "processor"). It replaces the Data Protection Directive 95/46/EC.
What kind of personal data falls under the GDPR?
The GDPR paints the term “personal data” with a very broad stroke: it means any information relating to an identified or identifiable individual, whether it concerns their personal, public or professional life. That includes information such as their name and address, phone number, email address, financial accounts and medical information, and also online identifiers such as their computer’s IP address or a cookie ID.
Why comply with GDPR even if your company is in the United States or another non-EU Country?
Although the GDPR protects individuals in the EU, it protects them from unwanted data usage from any source, inside or outside of the EU. The GDPR specifically states that it applies to, and that fines can be levied against, any business, anywhere, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour. This means that starting on 5/25/18, if your business – regardless of where you are located – is found to have improperly handled any data that is covered by GDPR, your business can be subject to enforcement action, and to administrative fines of up to 20,000,000 EUR (nearly $28 million USD as of the time of the writing of this article) or 4% of your company’s total worldwide annual turnover (annual sales after sales taxes and discounts) for the preceding financial year, whichever is greater. This is why you should question anybody who tells you that you don’t need to worry about complying with GDPR if you are in the United States or another non-EU country.
Can the EU enforce GDPR outside of the EU?
International jurisdiction is a very complicated thing. At base, however, jurisdictional law requires some connection between the offending party and the jurisdiction in which the aggrieved party is located or in which the offending act happened. Generally speaking, for example, if Mary from Germany was hit by Joe’s car while vacationing in the United States, she would have a very hard time getting German courts to hear the case – she would almost certainly have to sue in the U.S., as the incident (her injury) occurred in the U.S., caused by Joe driving his car in the U.S.
However, if Mary is sitting in Germany and is defrauded by Joe who (from in his New York location) takes money from Mary’s German bank account (which is headquartered in Germany, and which has no U.S. branches), you can bet that Germany is going to have an interest in going after Joe.
Using that example, it’s not hard to see how the EU would have an interest in someone who is violating GDPR, even if that someone is headquartered outside of the European Union. The supervisory authorities charged with enforcing GDPR take breaches of data privacy and data handling very seriously, and if you think about all of the nasty things that can be done with someone’s personal data, who can blame them?
The above doesn’t completely answer the question “How are they going to enforce it?”, but it does show that they have both the law and the intention to do so. As we tell our clients, our job is to make sure that you don’t end up as a test case. Being a test case is far more expensive, time consuming and stress-inducing than just biting the bullet and getting GDPR compliant.
Can you avoid GDPR Compliance by blocking EU visitors from your website?
Many companies think that they can simply avoid the whole thing by only taking on customers or clients from outside of the EU. They think that instead of getting compliant, they can use one method or another to determine whether someone is “in the Union” (and thus whose personal data falls under the protection of GDPR) and turn those people away. Some of the things that these companies propose are:
- Refusing website or other Internet traffic from (i.e. blocking) anyone whose IP address is located within the EU
- Putting in their Terms of Service that the user or customer confirms that they are not in or from the EU
- Asking people at the time of signup where they are from
The problem with these and other such schemes is that they will fail. Take the first one – identifying people within the EU and refusing them access to your site or service based on the geolocation of their IP address. An IP address is itself personal data under GDPR, so geolocating it and acting on the result is automated processing of personal data, and it squarely fits GDPR’s definition of ‘profiling’: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, LOCATION or movements.” Profiling is not banned outright, but it is regulated: it needs a lawful basis, it must be disclosed to the person, the person has a right to object to it, and GDPR restricts decisions about a person that are based solely on automated processing. In other words, the very mechanism you would use to keep EU residents out has to be GDPR-compliant itself, which rather defeats the purpose.
And even if profiling were not an issue, people use VPNs to mask their actual IP address all the time. So that IP address that looks like it’s in the U.S. or elsewhere could actually be masking someone’s EU-based IP address, and a visitor whose IP address does geolocate to the U.S. may still be an EU resident travelling.
“But Anne,” you ask, “GDPR says ‘any form of automated processing’, so it’s ok if we just ask them or somehow manually get that information, right?”
No, and this leads us to the other reasons that trying to get around GDPR by excluding anyone from the EU will fail.
First, people lie. Or they simply don’t tell the truth. Or may not even know the exact truth.
Second, as we point out in our article on how and why to comply with GDPR, GDPR hides the ball about exactly what is meant by “in the Union” and when you might get in trouble for using data acquired from someone that you thought wasn’t in the EU during the time of acquisition.
For example, GDPR applies to data subjects who are “in the Union” regardless of their nationality or residence. So under the language of GDPR, if Joe Smith, a U.S. citizen, signs up for your U.S.-based service, or places an order through your U.S.-based website, while on an airplane flying over an EU country, the data that Joe provides to you is arguably covered by GDPR.
GDPR also doesn’t clarify whether “in the Union” means specifically “sitting at a location within the EU boundaries at the time of data acquisition” or also covers data that is anchored in the Union (the EU), such as an EU email address or telephone number. For example, I live in Colorado, but my telephone number, which begins with 408, is anchored in California. If California had a law similar to GDPR, that could be enough of a hook for California to prosecute a company that has my personal data, including that California-anchored telephone number, even if that company is not itself in California.
Also, GDPR has provisions setting out what you must do in the event of a data breach, and the way it is written, it covers any and all personal data you hold, even data which you collected prior to GDPR going into effect, if that data is the personal data of someone “in the Union”.
And, because GDPR includes a private right of action (a right to a judicial remedy and to compensation for damage suffered), any aggrieved individual who thinks that they are protected under GDPR can bring an action against your company if they believe you have not handled their personal data according to the requirements of GDPR.
How to Comply with GDPR
Below is a brief overview of what you need to do to comply with GDPR. The official document containing GDPR, including the recitals that explain the intent behind the articles, is nearly 100 pages long; the articles themselves run nearly 50 pages. So while this is a brief overview, it’s important that your company actually drills down to make sure that you are in compliance. In other words, consult an expert to review what you are doing and to help make sure that you are GDPR compliant.
To comply with GDPR you must:
- Have a lawful basis for both the personal data that you are acquiring and any use to which you will put it, and tell people about it. Consent is one of six lawful bases under GDPR (others include performance of a contract and legitimate interests), but for marketing and most other uses by a small business it is the one you will rely on, and it must be freely given, specific, informed and unambiguous. If you haven’t both disclosed a particular use you intend for that data and received specific consent for that use, you cannot use the data for that purpose. Yes, that means that if you have a great idea for a way to use that data after you have initially acquired it, you can’t do it unless you go back to the person and get their specific consent for that use.
For instance, suppose you are using a lead magnet (i.e., something you give away for free) to attract people to your website. Under the GDPR, you can’t add someone to a mailing list just because they accepted your giveaway. You must not only let them know up front that they will be signing up for your mailing list when they request your giveaway, but you must obtain, and be able to prove (keep a record of who consented, to what, when and how), that they gave you fully informed consent for you to put their email address on that mailing list.
Note that GDPR specifically states that “Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
- Store that data in a highly secure manner. GDPR requires “appropriate technical and organisational measures” proportionate to the risk, and names pseudonymisation and encryption as examples.
- Allow the person whose data it is access to that data, including a copy of it and an explanation of what you are doing with it.
- Make sure that the person whose data it is has a way to readily and easily have their data removed from your possession (i.e. deleted completely, subject to the limited exceptions GDPR allows, such as data you are legally required to retain), and make sure that they know how to do it.
- Notify the proper supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to the people affected; and where the breach is likely to result in a high risk to them, notify the affected individuals as well. Keep a written record of every breach, whether or not you had to report it.
Also, GDPR requires a written contract with every data processor you hand personal data to (for example an email service provider or other email marketing service), and you remain liable if you give data (for example, the email addresses you have collected) to a processor who is not GDPR-compliant. It is therefore imperative that you update all of your third-party contracts with your various service providers with language that confirms the service provider is GDPR-compliant, that sets out the processor obligations GDPR requires (such as acting only on your instructions, keeping the data secure, and assisting you with breach notifications and data subject requests), and that provides for indemnification if that service provider is breached or sued for a violation of GDPR. Some third-party service providers will push back on the indemnification part, but it’s your assets on the line if they are sued and found to have not been GDPR-compliant.
Despite the above, it should now be obvious that it is actually much simpler to comply with GDPR than to try to get around it.
In fact, we have not run into a company yet that is not already at least half-way compliant simply by virtue of its current practices.
Plus, being able to say on your website that you are GDPR compliant is a positive thing for people to see, and it will give them a sense of security about doing business with you.
© 2018 Institute for Social Internet Public Policy
Anne P. Mitchell is the CEO of the Institute for Social Internet Public Policy. In addition to being one of the first Internet Law and Policy attorneys in the United States, and one of the only attorney experts on GDPR legal compliance, she is also the author of the Email Deliverability Handbook, and President of SuretyMail, providers of email reputation certification. For more information about GDPR compliance or to contact Ms. Mitchell, please visit www.isipp.com.