On May 25, 2018 the European Union’s General Data Protection Regulation and Regulation on Privacy and Electronic Communications (the “ePR”) will go into full force and effect. That gives companies that do business in the EU, or collect data from residents of EU nations, only a short period of time to comply fully with these very strict new rules.
The EU General Data Protection Regulation (“GDPR”)
Though the GDPR does not take effect until May 25, 2018, companies should take steps now to consider how the GDPR will affect their business, whether compliance is necessary, and if so, to implement a program to ensure compliance by the effective date.
The GDPR applies to all organizations that collect, process, or transfer personal data of individuals located in the EU. Therefore, any company in the world that offers goods or services to individuals in the EU, whether payment is required or not, must comply with the regulation. “Personal data” is defined very broadly and includes a wide variety of information relating to an individual, including their name, photo, email address, bank account information, posts on social networking websites, medical information, geo-location data, and their computer’s IP address.
The fines for violations of the GDPR regarding data processing can be up to the greater of 20 million euros or 4 percent of the annual worldwide turnover of the preceding financial year of the violator (an amount which essentially equates to the gross revenue of the violator).
The GDPR implements certain obligations in response to a security breach. A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information requires that the controller of the data notify the designated data protection authority “without undue delay” and not later than 72 hours after becoming aware of the event. If the breach creates a “high risk” to the rights of individuals, the affected data subjects must also be notified without undue delay.
Another complication for U.S.-based companies is that the GDPR implements new requirements for organizations to obtain consent from data subjects prior to collecting personal information. Consent must be obtained through affirmative conduct and the data subject must be properly informed of the uses of their personal information. Furthermore, the data subject must also have the ability to revoke consent at any time without detriment.
Regulation on Privacy and Electronic Communications (the “ePR”)
To complement the GDPR, last week the EU published its new Regulation on Privacy and Electronic Communications (the “ePR”). The ePR aligns the rules that apply to the confidentiality of electronic communications with the GDPR. All entities, wherever located, that provide electronic communications services to users in the EU are subject to the requirements of the ePR.
Violations of the ePR can lead to penalties similar to the penalties set forth in the GDPR.
We recommend that companies immediately take steps to assess whether any of their activities, products, or services fall within the scope of the GDPR and/or ePR and, if so, to begin the process of becoming GDPR and ePR compliant prior to the May 25, 2018 effective date for these two new and very important regulations.