A company headquartered in the US uses its online store to sell products to customers located in the European Union ("EU"). Prices are displayed in euros, and the company offers international delivery to the EU. The US-based general counsel wants to know more about how the company's e-commerce activities will be affected by the EU General Data Protection Regulation.

What is the EU General Data Protection Regulation?

The General Data Protection Regulation ("GDPR") introduces a new privacy framework in the EU and will come into force on May 25, 2018. The GDPR will replace existing EU data protection laws and bring about significant changes and requirements that will have a wide-ranging impact worldwide on the way organizations handle and use data.

The GDPR is a real game changer for e-commerce businesses and online stores. Those companies, by their nature, receive and process a vast amount of personal data and have cross-border activities.

GDPR considerations for e-commerce businesses

The main issues that companies engaged in e-commerce should take into account when implementing policies and procedures in compliance with the GDPR are related to:

1. The territorial scope

The GDPR will apply to organizations established outside of the EU when they process personal data in connection with: (a) the offering of goods or services to an individual in the EU and/or (b) the monitoring of the behavior of an individual in the EU. As a consequence, companies that offer products and services to individuals in the EU via their websites or other online platforms will now have to comply with EU data protection rules. The mere accessibility of the company's website from the EU will not be sufficient to trigger the application of the GDPR. For the new regulation to apply, the company must clearly intend to offer services to individuals located in the EU, for instance by mentioning EU currency, by referencing EU customers or by presenting ordering information in an EU language (when this is not the language generally used in the country where the company is based).

2. Legal basis for processing

Companies will need to identify a legal ground for their processing activities. In this regard, the main change introduced by the GDPR relates to consent, which now requires a clear affirmative action by the data subject—silence, pre-ticked boxes, inactivity, failure to opt out or other such mechanisms will not be enough to qualify as valid consent. E-commerce businesses should keep in mind that the GDPR allows for processing of personal data on other legal grounds, including where the processing is necessary for the performance of a contract with the data subject. This legal basis applies to data required to process an online payment or deliver the purchased product. In such cases, there is no need to obtain consent. Companies seeking to rely on such alternative grounds should conduct a necessity test to determine whether only the information necessary for the purposes of the contract is being collected. When requiring other personal data (e.g., personal data for use beyond the primary purpose of processing a payment, filling an order, delivering the purchased good, etc.), the company will need to identify another legal basis (e.g., consent or legitimate interest). This is especially relevant when customer data are used for marketing or advertising purposes.

3. Retention periods

Under the GDPR, personal data should not be retained longer than necessary. As a consequence, companies should delete personal data when the purpose of the processing has been achieved. For example, personal data collected when a good is purchased should be deleted at the end of the contract. However, companies might want to keep all or some of the data. In those circumstances, companies should find other grounds for keeping the data—for example, the need to retain data to comply with legal requirements that might apply under national law.

4. Privacy notices

The GDPR requires companies to inform data subjects about how their personal data are being processed. Specific information must be provided, such as the purpose and the legal basis for processing, whether personal data are shared with third parties, whether the company conducts profiling activities, etc. E-commerce businesses will have to provide data privacy notices at the time personal data are obtained. For this purpose, a link to the terms and conditions and to the privacy notice of the company should be displayed when the customer purchases goods online, and privacy notices may need to be updated to comply with the GDPR.

5. Data subjects' rights

The GDPR strengthens data subjects' rights. It introduces new rights such as the right to be forgotten, the right to data portability and the right to restrict processing. Companies must allow their customers to exercise these rights, and to comply with these obligations, online stores and e-commerce businesses should ensure that customers remain in control of their personal data and are able to access and modify it. To facilitate meeting these requirements, companies should provide information on whom customers can contact regarding their data privacy concerns.

6. Contracts with third parties and international transfers

Companies involved in e-commerce activities often outsource components of these activities, such as payments, marketing or IT. Under the GDPR, whenever a data controller (the e-commerce company) uses a processor (a third party who processes personal data on behalf of the controller), the controller needs to have a written contract in place that includes certain specific terms, such as the data processed and the duration of processing, obligations such as data breach reporting and audit assistance, the use of technical measures, etc. Outsourcing agreements should be reviewed and, where necessary, renegotiated to ensure that companies are appropriately supervising the manner in which their service providers process personal data and that the specific required provisions are included. When service providers are located outside the EEA (European Economic Area), legal mechanisms for carrying out personal data transfers should also be identified.