The General Data Protection Regulation (the “GDPR” or “Regulation”) will come into effect in the European Union on 25 May 2018. While the GDPR mainly applies within the EU and to EU companies operating abroad, it also affects non-EU personal data controllers and processors whose activities target EU citizens. Therefore, Russian companies with such activities should consider whether they need to be GDPR-compliant before the Regulation comes into force.
What the GDPR says
According to the GDPR, personal data controllers and processors that are not based in the EU must comply with the Regulation if they: (i) offer goods or services to individuals in the EU; or (ii) monitor the behaviours of people in the EU.
The preamble to the GDPR sheds some light on what should be considered an “offering of goods and services”. Such activity should be evidently directed at EU individuals, in particular by making a website available in a language used in an EU country and by processing payments in an EU currency. That said, the mere availability of a website in English should not by itself be considered a sign that a company’s business is focused on the EU market.
In broad terms, the Regulation places a set of obligations on data controllers and processors, the implementation of which may require extensive legal, organisational and technical measures. A failure to fulfil these obligations may result in significant fines of up to EUR 10m (or 2% of the company’s total worldwide annual turnover) or EUR 20m (or 4% of the total worldwide annual turnover), depending on the type of violation.
Should any of the above cases be applicable, the controller or processor must appoint a representative in the EU, except in the following cases: (i) the processing is occasional; (ii) the processing does not include or involve large volumes of special categories of data or any data relating to criminal convictions and offences; or (iii) the processing is unlikely to result in a risk to the rights and freedoms of people, taking into account the nature, context, scope and purposes of such processing.
The application of the GDPR to non-EU controllers raises the question of its enforceability and effectiveness in practice. The Regulation provides the EU supervisory authorities with considerably broad powers, ranging from issuing warnings and reprimands to suspensions of data flows to third parties and bans on data processing. However, it is unclear how the local EU Data Protection Authorities would enforce the GDPR provisions in other countries, such as Russia, given that any orders or decisions of the EU authorities are most unlikely to be recognised in Russia.
If a representative is appointed, the GDPR expressly allows the enforcement of its provisions against the representative for violations committed by the controller or processor. One cannot exclude the possibility of the EU supervisory authorities treating EU-based or other foreign subsidiaries of Russian companies as their representatives in the EU, even if these subsidiaries do not have such a mandate.
Potentially, the EU supervisory authorities could block the websites through which the non-GDPR compliant controllers or processors conduct their operations.
It is clear that the GDPR has not addressed the questions regarding the legality of its applicability to Russian controllers and the possibility of its enforcement against them. That said, Russian companies, especially those that have EU-based subsidiaries which conduct data processing operations concerning EU citizens on a large scale, should take these GDPR requirements into consideration, including the consequences of non-compliance from a legal, commercial and reputational perspective.
This new Regulation may create a serious problem, especially for IT firms, software suppliers and other companies that offer goods and services around the world. Similarly, marketing agencies and e-commerce platform operators which monitor customer behaviour could also be affected by this Regulation.