Anytime a new statute or regulation comes along some service providers can’t help but jump on the fearmongering bandwagon. This seems to be worse the longer the statute, and the more complex and obscure (and therefore hard to verify) its provisions.
The irony when it comes to the European Union’s General Data Protection Regulation (“GDPR”) is that, given the difficulty of complying with the real requirements of the GDPR and given the draconian penalty structure of the real regulation, you would think that there would be no need for fearmongers to try to generate more concern from companies than companies already have. Unfortunately, fearmongers persist in coming out of the woodwork – either because they believe that scare tactics will generate more business or because they fundamentally don’t understand the GDPR. Regardless of the reason, companies need to carefully evaluate any information they read about the regulation, even when it comes from seemingly credible consultants (or, gasp, law firms).
The following are five real-life examples of (mis)statements that some of our clients received from a company advertising services to help prepare for the GDPR.
1. Myth: Directors are required to certify compliance with GDPR.
One article stated that “the new [GDPR] rules require the company’s directors and officers to certify that their company is in compliance” with the regulation. This is simply incorrect. There is no obligation within the GDPR to affirmatively “certify” compliance with the regulation. Like other regulations within the EU and within the US, regulators can bring enforcement actions if they have a reason to believe that a company is not in compliance, but the regulation does not require that companies step forward and announce their level of compliance absent an investigation.
2. Myth: Data subjects are always required to provide their consent to processing.
A brochure advertising GDPR-related technical compliance solutions stated “customers must actually check a box or use a similar method to actively grant permission for a company to use their email address.” This is also incorrect.
It is true that if a company’s permissible purpose for processing consumer data is based upon the consumer’s consent, then the company might have to have the consumer “check a box” granting the consent. It is not true, as the statement implies, that the only permissible purpose for using a consumer’s email address is their consent. To the contrary, companies can use personal data (including email addresses) based upon other permissible purposes. For example, in many situations a company can base its processing on its “legitimate interests” as a data controller so long as those legitimate interests are not “overridden by the interest or fundamental rights and freedoms of data subject[s].” GDPR Art. 6(f). The GDPR expressly recognizes that using personal data “for direct marketing purposes” can be a “legitimate interest.” GDPR Recital 47. When processing is premised on a data controller’s legitimate interest pursuant to Article 6(f), the company does not need to seek a consumer’s consent.
3. Myth: Boards of directors are subject to “criminal prosecution.”
A brochure advertising consulting services to boards of directors states that the “GDPR reinforces the potential for criminal prosecution to be sought against directors and officers for deliberate breaches.” This is also incorrect.
There are no criminal penalties or provisions in the GDPR. While it is theoretically possible that a member state might enact legislation that imposes criminal penalties separate and apart from the GDPR, the GDPR itself does not contemplate, encourage, or “reinforce” such an action.
4. Myth: Boards of directors are personally liable for violations of the GDPR.
The same brochure states that “individual directors . . . may be personally responsible for cybersecurity-related issues.” This is also incorrect. There are no personal liability provisions within the GDPR (for board members or otherwise). Put differently, the personal liability of a board member is no different if their company violates the GDPR than if their company violates any other statute.
5. Scope of the GDPR.
One of the most common errors made by consultants and law firms when writing about the GDPR is to refer to its provisions as applying to the data of “EU citizens.”
The GDPR is not based on, triggered by, or bound by the citizenship of a person, and the word “citizenship” does not appear once in the 88 pages of the regulation. To the contrary, the GDPR states clearly that it is intended to apply regardless of the “nationality or residence” of an individual. GDPR Recital para. 2.
That does not necessarily mean that a person’s location is unimportant when analyzing a company’s obligations under the GDPR. Location of individuals can impact, for example, whether the GDPR purports to apply extra-territorially to companies that are not established in the EU but are offering goods or services to EU data subjects. Location, however, is wholly different from citizenship.