
Where are we now? Six Months Into the GDPR

On May 25, 2018, the European Union’s General Data Protection Regulation (“GDPR”) became applicable, and it largely took the corporate world by surprise. In the six-plus months since, negative speculation about its impact has run rampant: it will stifle innovation, extraordinary fines will put companies out of business, and so on. While the interpretation of several key GDPR provisions is still very much in flux, and will continue to evolve as most laws do, these six months have given companies some concrete signals and shed light on the GDPR’s long-term trajectory.

National Data Protection Laws

The GDPR, as a regulation, is directly applicable in every EU Member State without any implementing national legislation. It nevertheless contains “opening clauses” that give each Member State latitude to specify or derogate from certain provisions (for example, the age at which a child can consent to online services, or the processing of employee data). As of the GDPR’s application date (May 2018), most Member States had not finalized national legislation exercising those options, and as of the end of 2018 a number of them still have not.

Beyond adopting national legislation, each Member State must provide for one or more independent supervisory authorities to enforce the GDPR (Article 51). Building out these data protection authorities has been challenging, and the most significant burden is staffing them with people experienced enough to truly enforce the Regulation. Just as the corporate world struggled to understand and meet GDPR “compliance”, the national authorities are struggling with the complexities and nuances of the Regulation from an enforcement perspective. Six months in, they are still growing and developing, and as they do, enforcement will likely pick up in both speed and severity.

Territorial Impact of the GDPR

In November 2018, the European Data Protection Board (EDPB) published draft Guidelines on the territorial scope of the GDPR (Guidelines 3/2018) for public consultation. For many companies, whether the GDPR applies to them at all is still a looming question. What does it mean to offer “goods or services” to a data subject in the Union? How far does, and can, the GDPR reach? This area will be fleshed out over the coming months and years, but the draft Guidelines provide some much-needed direction.

The Guidelines break the territorial article (Article 3) into two separate criteria: the establishment criterion (Article 3(1)) and the targeting criterion (Article 3(2)). For the establishment criterion, the Guidelines state that in assessing whether an entity is established in the Union, “both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in the light of the specific nature of the economic activities and the provision of services concerned.” Guidelines, at 5. There must also be a link between the processing activity and the activities of the establishment within the Union. Guidelines, at 7. The Guidelines acknowledge that some activities may be “so far removed from the processing of personal data” that they would not be sufficient to bring that processing within the purview of the GDPR. Guidelines, at 6. Where the criterion is met, however, the location of the actual processing is irrelevant: Article 3(1) applies “regardless of whether the processing takes place in the Union or not.”

Under the targeting criterion, the determination hinges on whether the entity offers goods or services to, or monitors the behaviour of, data subjects in the Union, regardless of those data subjects’ citizenship or residence. Guidelines, at 15. The key geographic component is that the data subject is located in the Union at the time the goods or services are offered. For many companies this is a broader reading than expected, because protection is not limited to data subjects with more than a transitory connection to the European Union. For example, if an American citizen vacations for one week in Paris, the Guidelines could be read to extend GDPR protection to personal data relating to that tourist (and it is not clear how extensive, or how long-lived, that protection is). The Guidelines do temper this by stressing, in line with Recital 23, that mere accessibility of a website or app from the Union is not enough: the controller must evidently intend to offer goods or services to data subjects in the Union, so a service aimed solely at a non-EU market does not fall under Article 3(2) simply because one of its users happens to be travelling in Europe. Still, as written, the Guidelines support the interpretation that what matters is the data subject’s location, not nationality.

EU-US Privacy Shield and International Data Transfer

For those sitting in the United States, the ability to transfer data between the U.S. and the EU legally, efficiently and frequently is top of mind. The EU-U.S. Privacy Shield Framework replaced the Safe Harbor framework (invalidated by the Court of Justice of the EU in October 2015) as a mechanism for transferring personal data from the European Union to the United States. Privacy Shield is a self-certification program administered by the U.S. Department of Commerce, with the Federal Trade Commission enforcing the commitments that certified companies make. Many companies, including most of the large technology conglomerates, use this framework to legally transfer large volumes of personal data to and from their servers in the United States.

While the EU has repeatedly questioned whether the U.S. provides an adequate level of protection (see the First Annual Review of the Framework in 2017 and the European Parliament’s July 2018 resolution calling for its suspension), the European Commission’s report on the second annual review, published on December 19, 2018, concluded that Privacy Shield continues to provide adequate protection and remains viable. Practitioners should note, however, that the Framework is itself the subject of pending challenges before the EU courts, so companies relying on it should keep an alternative transfer mechanism, such as Standard Contractual Clauses, in view. The U.S. has come under increasing scrutiny for its privacy practices for many years. With the tightening of data protection requirements under the GDPR and the global trend toward privacy regulation, the U.S. is becoming an outlier in how it regulates and protects privacy. This growing discrepancy between data protection regimes continues to strain relations between the U.S. and other jurisdictions and to create headaches for businesses with cross-border operations (which, by definition, transfer data across borders).

The First Enforcement Actions

Less than two months after the GDPR became applicable, the United Kingdom’s Information Commissioner’s Office (“ICO”) issued the first GDPR Enforcement Notice (“ICO Notice”) against Aggregate IQ Data Services Ltd. (“AIQ”), a Canadian digital advertising, web and software development company that focuses on political advertising (a hot topic these days). The ICO Notice expressed concern with AIQ’s use of personal data to create targeted messaging on behalf of various UK political organizations, and found that AIQ had violated Articles 5, 6 and 14 of the GDPR. Those violations stemmed from AIQ “process[ing] personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.” Notice, ¶ 12.

AIQ appealed the Notice, and that appeal is pending. Companies are watching the ICO Notice closely to understand how the GDPR’s enforcement provisions will be applied in practice. The fines can be extensive, up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)), and no company wants to be the first to pay the maximum. Further, what constitutes “full compliance” with the GDPR remains unknown. There are certainly clear instances of non-compliance, but what it means to demonstrate full compliance is still to be seen. And while the fines are concerning, a company found non-compliant may face further complications in its contractual relationships with clients, providers and partners, since the Article 28 processing agreements that now sit in most vendor contracts typically carry compliance warranties.

Private Litigation

Within hours of the clock striking May 25th, the first GDPR complaints were lodged against some of the largest technology companies. Unlike most domestic privacy legislation, the GDPR gives individuals their own enforcement tools: the right to lodge a complaint with a supervisory authority (Article 77), the right to an effective judicial remedy (Article 79) and the right to compensation for damage caused by non-compliant processing (Article 82(1)), with Article 80 allowing not-for-profit bodies to act on individuals’ behalf. That opens the door to complaints and litigation across all Member States and creates a headache for entities collecting personal data. Max Schrems, a well-known European privacy advocate, raised funds to start a non-governmental organization, “None Of Your Business” (NOYB), with the sole intent of pursuing companies that fail to comply with data privacy rights.

On May 25, 2018, NOYB filed complaints against Google (Android), Facebook, Instagram and WhatsApp with supervisory authorities in France, Austria, Belgium and Germany, asking them to impose fines that together could reach roughly €7.6 billion (about $8.8 billion). The complaints allege that the technology giants violated the consent requirements of Articles 6 and 7 of the GDPR by forcing users to consent to the provision of certain data in order to use the services at all (“forced consent”), a practice Article 7(4) says weighs against consent being freely given. These complaints are likely just the beginning. As more individuals become informed of their rights, and consequently aware when entities are not honouring them, complaints and private suits will be another avenue for GDPR enforcement.

Brexit and Data Transfers

Heading into 2019, also top of mind for many companies is the pending Brexit and what it will mean for a variety of business functions. The form Brexit will take remains to be seen, but there are operational and legal ramifications for data protection that should be considered now.

First, once the United Kingdom leaves the European Union it will no longer be within the Union for the purposes of Chapter V of the GDPR. Unless and until the UK receives an adequacy decision (which will not happen immediately), personal data flowing from the EU to the UK would be a transfer to a third country and would need a Chapter V mechanism such as Standard Contractual Clauses or Binding Corporate Rules; the UK government, for its part, has said it intends to continue to permit free flows from the UK to the EEA. If the draft Withdrawal Agreement is ratified, EU law, including the GDPR, would continue to apply in the UK during a transition period through the end of 2020, which defers the issue but does not remove it. Either way, this would necessitate changes to the agreements between the parties transferring data, a time-consuming endeavour for any organization.

Additionally, because the UK would be outside the EU, many companies may decide to move their data storage to another EU jurisdiction, such as Ireland, France or Germany. With increasing emphasis on data localization (that is, requiring that data remain in a given region unless an exception permits its transfer), companies are assessing their network infrastructure and changing how data is stored, both internally and by their service providers. Note that relocating storage alone does not settle the question: remote access to EU-hosted data by UK-based staff or UK service providers is itself a transfer under Chapter V, so access paths, support arrangements and backup locations need to be mapped as well.

The early months of 2019 should bring more clarity on Brexit and its impact on companies. For now it is wait-and-see, with some companies proactively deciding to distance themselves from the UK regardless of how Brexit turns out.

Global Data Protection Trends

The GDPR is not the only data protection law to take effect in the last eighteen months. Japan, Canada and Brazil, to name a few, have adopted, or are in the process of adopting, data protection and security requirements of varying stringency (Brazil’s LGPD, for instance, was enacted in August 2018, and Canada’s mandatory breach notification rules under PIPEDA took effect in November 2018). In a different direction, just this past month Australia passed a highly controversial bill, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, which compels communications providers to assist intelligence and law enforcement agencies in accessing communications; critics argue that in practice this undermines end-to-end encryption. Many privacy advocates are concerned that this law cuts directly against individual privacy and may open the door to broader privacy violations.

Against this backdrop, the United States is trailing behind. While recent privacy and security controversies have started a national dialogue on data protection, and California’s Consumer Privacy Act (signed in June 2018 and effective in January 2020) shows individual states moving on their own, the U.S. remains an outlier in lacking comprehensive requirements around the processing and security of personal data. 2019 will certainly see this conversation continue, both domestically and internationally. Ultimately, data protection is here to stay; only the form it takes remains to be seen.

Conclusion

While the initial frenzy leading up to and following May 25th seems to have died down, there is still a lot of work to be done. Companies are at varying degrees of GDPR compliance, which makes any one company’s compliance difficult both to achieve and to verify, since an organization is only as compliant as its entire data processing chain of processors and sub-processors.

Furthermore, regulators and businesses are still struggling with the fundamental question of how to achieve compliance technologically and administratively. It is one thing to say you intend to delete data in response to a data subject request; it is another thing entirely to accomplish that across an entire system, including backups, logs, analytics copies and the data held by processors, which presupposes an accurate inventory of where each individual’s data lives. Innovation is needed to develop the tools that will make the GDPR’s requirements a practical reality. Companies need to think creatively about data privacy and security, and they should also consider the considerable advantages of GDPR compliance. Beyond avoiding fines and lawsuits, compliance gives an organization a granular understanding of its data: how it is processed, where it is stored and how it is used. Using that understanding to find data efficiencies and to build stronger vendor relationships are just two examples of turning lemons into lemonade when it comes to GDPR compliance. Organizations that truly embrace the GDPR and all it has to offer will be the eventual “winners” in the data privacy field.

*****

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.