Transatlantic commerce is invaluable to companies in the US and EU. The sale of goods and services is made easier for both sides by following consistent operating standards for data protection. In some ways the US is already moving towards tougher privacy laws with the introduction of the California Consumer Privacy Act of 2018, followed by recent calls from the CEO of Facebook for the US and countries around the world to adopt privacy regulations built on the GDPR. Focussing upon US companies considering their privacy policies and procedures in Silicon Valley and beyond, in this blog we consider the geographic scope of GDPR and the core business functions it impacts upon.
When does the GDPR apply to US companies?
According to Article 3 of the GDPR, your company is subject to the requirements of the GDPR if it is based outside the EU but collects (i) personal data of individuals located in the EU for the purpose of offering goods or services regardless of whether a payment by the individual is required (i.e. marketing); or (ii) behavioural information as far as their behaviour takes place within the EU. Such behavioural monitoring may include internet tracking by a website or app through the use of cookies to predict a person’s preferences for targeted advertising purposes. Your company may therefore be subject to the GDPR even if it has no physical presence in the EU. Conversely, the GDPR will not apply to the processing of data relating to individuals located outside the EU when the data is collected. US companies with an online presence should therefore be particularly mindful of the GDPR.
There are three categories of individuals who you should bear in mind:
1. Marketing to potential customers in the EU
The GDPR differentiates between targeted and general marketing. Put simply, the GDPR only applies to targeted marketing i.e. material that is clearly aimed at a particular market. Key indicators of targeted marketing include using a local website suffix (such as “.co.uk”) and listing prices in the local currency. The mere accessibility of a company’s website or contact details to customers in the EU is more general in scope and would not be classed as targeted.
Pertinent to marketing is the GDPR principle of lawfulness, fairness and transparency. This means that you must be clear, open and honest with people from the outset as to how their personal data will be used. In particular, customer consent must be freely given, specific, informed and unambiguous when signing-up for marketing materials. It is not acceptable to use pre-ticked check boxes or bulk consent to multiple processing activities with information for customers spread across numerous legalistic documents. A record must also be kept for each individual, including when the consent was provided and what was consented to.
2. Sales of goods or services to customers in the EU
The GDPR requires US companies (i) offering goods or services to individuals located in the EU; or (ii) collecting behavioural information of such individuals, to appoint a representative based in the Member State where such individuals are situated. This representative will then be the point of contact for interactions with supervisory authorities and data subjects (i.e. those individuals to whom the personal data relates) on all issues relating to data processing in connection with sales for the purpose of ensuring compliance with the GDPR.
3. Employees based in the EU
Any US company with employees in the EU will need to ensure that suitable measures are implemented for the handling, storage and transfer of their employees’ personal data which protect the data subject’s human dignity, legitimate interests and fundamental rights in connection with the transparency of processing, intra-group transfers of personal data and workplace monitoring initiatives (such as diversity surveys).
Once you have identified the scope of your GDPR compliance, these are some of the most pressing issues which you will need to consider:
Fair, lawful and transparent processing
The golden rule of the GDPR is that processing can only take place insofar as there is a lawful basis for doing so, the processing is fair and you are transparent with the individuals involved with respect to the processing. This normally involves the communication of a privacy notice. Where particular sensitive data is involved, such as health, race or ethnic origin or sexual orientation, you must comply with even narrower conditions to ensure your handling of this data is lawful. Your consideration and compliance with these issues should be recorded within a suite of compliance documents. It is not only necessary to comply but to be able to demonstrate you comply as discussed in our blog GDPR: The significance of the new principle of accountability.
Retention of data
The GDPR principle of storage limitation is one of the biggest challenges of GDPR compliance. Essentially it means that personal data must not be stored for longer than needed. For GDPR compliance purposes, it is fine to delete or anonymise the personal data once you no longer need it. It is prudent to carry out regular reviews of whether you still need to keep personal data and have processes in place to deal with requests from individuals exercise their right to ask for it to be deleted. Retention periods must be justifiable and where possible documented in a standard retention policy.
International data transfers
Many US headquartered companies have subsidiaries in the EU meaning that employee and client personal data is transferred from the EU to the US on a regular basis. This is fine for US companies that are Privacy Shield certified in so far as they are deemed to provide sufficient protection to the rights and freedoms of individuals’ personal data in the transfer process. US companies that are not Privacy Shield certified that process employee or client data from the EU can either (i) enter into standard contractual clauses with their client or subsidiary; or (ii) establish binding corporate rules as an internal code of conduct for data protection standards. These safeguards are approved by the European Commission and national supervisory bodies respectively, for insights please see our blog GDPR & Brexit: Data transfers from the EU and the UK’s new status as a “third country”. Once these safeguards are in place data can be transferred from the EU to the US provided that all other aspects of GDPR are complied with.
Breach notification and fines
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The GDPR introduces a duty on all organisations to report such breaches (whether deliberate or accidental) to the relevant supervisory body within 72 hours of discovery, where there is a risk to the fundamental privacy rights of the individuals involved. The individuals concerned will also need to be notified without delay where there is high risk to these rights.
It is important to ensure that you have robust breach detection, investigation and internal reporting procedures in place.
The increased fines for non-compliance with the GDPR have been well publicised; with a fine up to 20 million euros or 4 per cent of your global turnover being levied, potentially combined with the other corrective powers.
Brexit
Post-Brexit a UK-only version of the GDPR will be introduced with variations to show that it is domestic rather than EU law as discussed in our blog GDPR for the UK: Brexit and international transfers of personal data.
