Business & Corporate Articles

GDPR Is Coming. How Do Fines of Up to Four Percent of Global Revenue Sound?

Major change is afoot in the European Union (EU) data privacy law realm. Those who know this applies to them have been girding themselves for going on two years now. However, many companies may be at risk and not even know it.

Unlike the United States, the EU has taken the data privacy of its residents very seriously at least as far back as Germany’s introduction of the first modern privacy law in 1970. Through a variety of laws, treaties, directives, and other actions, the EU and various European countries and organizations have established broad and fundamental rights and principles relating to individual privacy. This culminated in 1995 in the adoption of Directive 95/46/EC, also known as the Data Protection Directive or the EU Directive, which created a set of seven privacy principles governing individual privacy. EU member states were charged with enacting privacy laws that comported with these principles, which has led to obvious challenges in cross-border compliance in the age of big data.

Meanwhile, in the U.S., we have dealt with data privacy regulation on a more limited, segmented, and ad hoc basis. Concern around a particular sphere of information pushes us to enact legislation governing that sphere. Thus, we have HIPAA for health data, COPPA for personal data of children, and GLBA for financial data along with a raft of other state and federal privacy laws, none of which approach the breadth and scope of EU privacy regulation.

However, the Atlantic has long ceased to be an information barrier, and personal data of U.S. and EU residents flows freely back and forth. Prior to October 2015, the EU dealt with protecting outgoing EU personal data through a transatlantic agreement with the U.S. called Safe Harbor. More specifically, the EU was concerned with transfers of personal data to countries it deemed to lack adequate protections, of which the U.S. is one. Safe Harbor was a means by which such transfers to the U.S. were blessed. The U.S. entity importing EU data would self-certify to maintaining certain data privacy and security protections, and certain federal agencies were obligated to enforce such certifications. In October of 2015, stemming in part from complaints about Facebook’s handling of EU personal data, the European Court of Justice decided that Safe Harbor had failed to ensure compliance with the EU Directive’s principles and declared it invalid. Much consternation ensued as companies scrambled to implement alternative means of importing EU personal data in a compliant manner. They’ve done this primarily by putting standard contractual clauses (SCCs) in place between the exporting and importing parties. SCCs are a set of provisions that, among other things, obligate the contracting parties to comply with EU data privacy law in their data processing and are in a form that has been blessed by EU authorities. Additionally, in early 2016, the European Commission and the U.S. agreed upon a replacement to Safe Harbor called Privacy Shield. However, Privacy Shield is already subject to brewing challenges in the EU, and adoption has been spotty.

Overlaid on this, in May of 2016, the General Data Protection Regulation (GDPR) was adopted in the EU and will begin to be enforced on May 25, 2018. GDPR is a single pan-EU law that will essentially supersede the individual privacy laws of the EU member states, thereby easing the challenges of complying with conflicting or varying laws. However, GDPR will also stiffen some of the data privacy compliance obligations and, much to the dismay of multinational companies, will allow levying of fines for certain violations of up to 20M EUR or up to 4% of annual worldwide turnover (i.e., net revenue, not profit), whichever is greater. And GDPR expands the reach of companies that can be directly held liable under the law to so-called “processors,” not just “controllers.” Controllers are those parties exporting EU personal data who decide what to do with the data. Processors are parties that process that data at the direction of a controller and in accordance with the controller’s instructions. So a large multinational that collects its EU employees’ personal data and exports it to the U.S. for its own purposes would be the controller of that data. A third-party service provider that receives that data from the multinational and uses it in providing, for example, training or other HR services to the multinational would be a processor of that data. Data protection authorities under GDPR will be able to enforce the law against both controller and processor wherever located, making this a law of global reach. As a practical matter, most exposure for smaller service providers handling EU personal data received from their larger customers will remain in the form of contractual liability under the service provider agreement, and large companies are actively pushing more risk and responsibility, as well as increased or no liability caps, down to their service providers.

Thus, every company that receives and handles personal data should assess whether any of that data is that of an EU resident and consider whether it will have exposure under GDPR, whether directly or through contracts with its customers. Even an existing boilerplate provision requiring the vendor to comply with applicable law in its performance of its service agreement could have new and very consequential meanings once GDPR goes into effect.

-- Will Marshall

**This article is for information purposes only and does not contain or convey legal advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting an attorney. Any views expressed are those of the author only and not of the SDCBA or its Business & Corporate Law Section.**