EU’s New Privacy Rules May Affect Your Company

By Brent Sims

EU’s New Privacy Rules May Affect Your Company

May 25, 2018 was the day.

Over 18 months ago, the European Union authored regulations causing a wholesale reevaluation of privacy and data storage policies throughout the internet. From the rafters of Google to the dusty corners of MySpace, every company that collects and stores personal information of consumers has been forced to examine their policies and procedures to conform with the General Data Protection Regulation (GDPR).

If your company manages, stores or processes personal data, then you have likely been involved in the overhaul. If you have not, it's time to catch up.

If you are involved in internet commerce, the GDPR likely applies to you. It is a common misconception that the GDPR applies solely to companies based in the EU. In fact, the extraterritorial reach of GDPR has made it a global mandate; it requires compliance from non-EU organizations that either offer goods or services to EU residents or monitor their behavior. Notably, the GDPR does not confine itself to EU citizens, but can be taken advantage of by "data subjects who are in the Union."

The new privacy rules apply to

  • Companies with US offices and customers around the world;
  • B2B companies with offices in the EU
  • Companies with offices in the EU

A complex regulation involving 99 articles, GDPR sets a high bar for how EU customers expect their data to be protected and treated by any company with which they interact. GDPR brings a variety of new rules, the most significant of which require data breach notification; privacy by-design and by-default, extraterritorial compliance; and risk management documentation, including a privacy impact assessment (PIA).

For example, the new rules require that firms consider privacy at the start of any new project and ensure that stringent security controls are in place throughout all development phases and that any data breach must be reported by companies to affected customers and authorities within 72 hours from the moment the company becomes aware of the security breach.

In sum, GDPR raises the stakes and risks associated with the collection, transport and storage of personal data in the EU and internationally. It continues the thrust of the Schrems decisions. In Schrems I and II, the Irish High Court took Facebook to task for the inadequate protection of EU consumer data, and its improper transfer. This led to the scrapping of the old Safe Harbor regime of privacy rules agreed on by the United States and Europe.

According to GDPR requirements, affected companies must demonstrate that they have implemented appropriate measures to mitigate privacy risks. Even in the absence of a privacy breach or customer complaint, EU regulators can require firms to show evidence of their compliance and risk management strategies.

Noncompliance with the GDPR can prove costly. Companies can face regulatory fines as high as four percent of their global annual turnover or 20 million Euros, whichever is higher. Note that fines relating to profit deal with global profit, and not just profits related to operation within the EU.

Including a novel right, the right to be forgotten - the requirement that companies erase personal data when requested - GDPR sets a new baseline for privacy and security and goes far beyond American law. U.S and Asian companies doing business internationally need to be aware of this important new regulation.

To understand the compliance requirements of the General Data Protection Regulation, consult a lawyer knowledgeable about international law and privacy. The lawyers at WHGC focus on international law and business.