The new EU General Data Protection Regulation, or “GDPR,” becomes applicable on May 25, 2018. Many US companies may wonder why they should care about European privacy laws. The answer may surprise you if you are not a close follower of privacy law developments. The GDPR includes an extraterritorial jurisdiction provision under which many US companies with no personnel or servers in the European Union may still be subject to the law. So how do you know if you are covered? Here’s what you need to know:
Is My Company Covered by GDPR?
The GDPR covers your company if, among other things, you:
(1) process personal data in the context of activities of an establishment in the EU regardless of whether the processing takes place in the EU; or
(2) (even if you have no establishment in EU) you process personal data of data subjects in the EU and that processing relates to
(a) the offering of goods or services to those data subjects, irrespective of whether a payment of the data subject is required; or
(b) the monitoring of those data subjects’ behavior as far as their behavior takes place in the EU.
The factors to be considered in connection with (a) include the languages you use on your websites, even if they are based in the US, the currencies you accept and whether you are marketing or directing your products and services to customers in the EU.
For purposes of (b), you should ascertain whether your organization tracks natural persons on the Internet for profiling purposes, particularly in order to make decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.
You are not subject to the GDPR if you are yourself a natural person in the course of engaging in purely personal or household activities.
What Kinds of Data are Covered by GDPR?
Once you have determined whether your company is covered, you should then assess which kinds of data are within the scope of the law. The GDPR covers “personal data,” i.e., any information relating to an identified or identifiable natural person (the “data subject”). It is important to note that the EU definition of personal data is much broader than traditional definitions of personally identifiable information under US federal and state laws. Under EU law, personal data can include online identifiers such as device identifiers and cookie IDs, and both static and dynamic IP addresses.
In future posts, we will explore additional concepts under the GDPR like “pseudonymized data” and “sensitive data,” which have additional considerations and, in the latter case, restrictions.
The GDPR does not cover anonymous information, i.e., (1) information that does not relate to an identified or identifiable natural person; or (2) personal data that has been rendered anonymous in such a manner that the data subject is not or no longer identifiable. Because identifiability is assessed against all means reasonably likely to be used by anyone to re-identify the individual, this is a very high bar to meet under EU law. The GDPR also does not cover personal data of deceased persons or data concerning legal persons.
Am I a Data Controller or Data Processor?
If you are covered by the GDPR, you should determine whether you are a controller or processor. This may vary depending on the data you process and there is not always a clear distinction. You may be both, depending on the circumstances of the processing.
A controller determines the purposes and means of the processing of personal data.
A processor processes personal data on behalf of the controller.
We will have a lot more to say about the varying obligations of controllers and processors in future posts, so stay tuned.
If I Am Covered by the GDPR, Where is my Supervisory Authority or DPA?
If your company is covered by the GDPR, your supervisory authority or Data Protection Authority (DPA) is generally in the Member State where you have your “main establishment.”
- For controllers, the main establishment is where you have your central administration unless main decisions on the purposes and means of processing of personal data take place in a different establishment. It is immaterial where the actual processing takes place. A similar rule applies for a group of undertakings (i.e., group of affiliated entities).
- For processors, the main establishment is where you have your central administration, and if no central administration, where the main processing activities take place.
- In cases involving a data controller and data processor, the DPA of the controller is the supervisory authority. However, the DPA where the processor has its main establishment should also participate.
Other supervisory authorities may also be “concerned” with your processing, and thus involved alongside your lead DPA, where (a) data subjects residing in their Member State are substantially affected or likely to be substantially affected by your processing; or (b) a complaint has been lodged with them.
Where a controller or processor does not have an establishment in the EU, it must (subject to narrow exemptions for occasional, low-risk processing) designate in writing a representative in one of the Member States where the data subjects whose information it processes are located.
OK, I Get It, When Do I Start to Prepare for Compliance?
If you are covered by GDPR, now is the best time to start readiness assessment and preparation for compliance. May 2018 may feel like a long time from now, but it is just around the corner and, as we will explore in future posts, the GDPR introduces many compliance obligations unfamiliar to US companies including rights to data portability and the infamous “right to be forgotten.” We will be here every step of the way and will continue with a series of posts on various aspects of GDPR compliance.