The European Union’s General Data Protection Regulation
The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018 and will impose comprehensive data privacy obligations on many unsuspecting US companies.
GDPR applies to controllers or processors of personal data of “data subjects” (i.e., people) who are in the EU if the controller or processor is either “established” in the EU, or processes personal data of EU data subjects related to the offering of goods or services, or monitors personal behavior in the EU. Establishment implies “the effective and real exercise of activity through stable arrangements.” Thus, “established” is a broad term not limited to a legal form such as a subsidiary. Placement of cookies or online behavioral advertising on computers in the EU causes a US company to fall under the GDPR. EU personal data may not be transferred to the US without first meeting stringent requirements.
A controller determines how personal data is processed and for what purpose. A processor carries out the processing on behalf of a controller. In some cases, the controller and processor of a data set may be one and the same. In other cases, a controller may hire one or more processors, in which case it is important for the controller to ensure it has clearly instructed all processors on how and for what purpose the data is to be processed on behalf of the controller. As a practical matter, this may mean controllers need to renegotiate contracts with processors.
A controller is also responsible for seeing that personal data is only collected for a lawful purpose, and only to the extent necessary to achieve that purpose. It must be kept accurate and up to date, and not retained longer than needed. Transparency is also required, meaning that each data subject must understand how the data is being used and why.
Processing of data must be lawful under GDPR. While contractual and legal requirements form preferred grounds for the lawful processing of data, data may be lawfully processed if the data subject gives active consent to the processing of his or her personal information for the expected purpose. As a rule of thumb, companies should treat consent as being required for most commercial purposes, and the controller must be able to show that a data subject consented freely to the processing of his or her data in the manner prescribed by the controller. Additionally, consent may be withdrawn absent certain overriding circumstances. These requirements are more stringent when the data subject is a child.
As a starting point, US companies whose activities subject them to GDPR should revisit all of their data privacy and security programs for compliance, including internal policies, external notices, and processor contracts. Unless exempted by Article 27(2) of the GDPR, controllers or processors to which GDPR applies may also need to designate a representative in the EU. These and other measures are advisable as companies move toward GDPR compliance.
For more information on this topic, please contact Scott Lloyd at [email protected].