Have any data on people in the UK or France? New EU data privacy rules will be setting de facto global standards that will apply to US companies, like it or not.
Europe’s lawmakers have given a preview of the new General Data Protection Regulation, which will give European citizens more control over their personal data. While we wait for the final text, here’s a summary of what you need to know now to prepare your business, even if you are located in the US.
The good news is that the General Data Protection Regulation will provide businesses with a “one-stop shop” for the entire EU, with a unified set of rules and just one supervisory authority to execute and enforce those rules. This is being done in the hope that the Regulation will rebuild consumer confidence when giving personal data online. The intent is for consumers to get more protection and to have more knowledge about how their data will be used, including for Big Data applications.
The bad news is that everyone who offers any services in the EU is covered by the new Regulation, even if located elsewhere. Many companies collecting data from EU citizens while operating from the US have taken the position that the prior EU privacy regime does not apply to them. This position may no longer be viable.
When implemented, the Regulation will require businesses to obtain consent before collecting and processing individuals’ data. For social media companies, this consent will extend to parents if the user is under age 16 (unless an EU national government lowers the age limit to 13, which is the standard in the US). Further, businesses will be required to delete data that is outdated or incorrect upon request by an individual. In the case of a data hack, notices will be required to be provided to national regulators within 72 hours, and to compromised individuals as soon as possible. These notice requirements—and many others—will be far more stringent than any corresponding US law or regulation.
Businesses must also take specific measures to enhance data privacy. All businesses must build privacy safeguards into products and services during the R&D process and maintain them throughout the product or service life cycle. This may be analogous to US efforts to work in “privacy by design.” Additionally, unless it meets the EU definition of a small and medium-sized enterprise (“SME”), each business will be required to appoint a data protection officer and perform privacy impact assessments. If personal data processing is a core business activity, many of these requirements will also apply to SMEs.
Failure to comply with this European Regulation could result in a fine totaling up to a staggering 4% of a company’s global revenue. For the Facebooks, Googles, and Ubers of the world, fines could run hundreds of millions to billions of dollars.
To comply and avoid those hefty fines, all impacted businesses should perform a preemptive data protection audit to identify and remedy weaknesses in their systems. Privacy policies should be updated for clarity on data collection, classification, search, storage, and destruction. Processes need to be in place for individuals to consent effectively, and for management of data and deletion upon request. Businesses will need breach detection, management, and notification processes to enable appropriate and timely responses to the inevitable hacks. Managers should confirm that the design of all products and services, whether developed in-house or by contractors, incorporates EU-compliant privacy safeguards. Finally, appointment of a data protection officer and corresponding governance changes will be required for larger companies and smaller ones whose activities fall into various categories (and should be kept in mind for those who want to scale up).
While the Regulation’s language is not yet final and many of the requirements are still quite vague, the European Parliament’s Civil Liberties Committee is expected to confirm it. Together with a Data Protection Directive, which is aimed at the criminal justice sector, the Regulation will then be put to a vote by Parliament in early 2016. The Regulations will likely take effect in 2018.
Lawyers at McCarter & English, LLP routinely advise clients on data privacy and continue to monitor the space for updates in this rapidly evolving area of the law.