The EU General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. This follows a two-year implementation period following which the GDPR will replace the existing 1995 Data Protection Directive. The GDPR will change the landscape of European data protection law by introducing high financial penalties for non-compliance and expanding the territorial and material scope of EU data protection law.
The existing EU Data Protection Directive provides that only companies established in the EU are subject to the legislation. However, the GDPR has increased the scope of EU data protection law so that it will now also apply to companies that have no establishment within the EU but offer goods or services to, or monitor the personal data of, EU data subjects (i.e. data subjects in the EU at any given time as opposed to EU residents or citizens).
As a result, even companies that are not based in Europe will have to consider the effect that the GDPR will have on their business if they are currently dealing with the personal data of EU residents. In respect of monitoring, the GDPR guidance defined monitoring as when “individuals are tracked on the Internet,” which has the potential to include profiling, the collection of analytical data for marketing purposes or the processing of personal data by the EU subsidiary of a non-EU company. Furthermore, the GDPR also applies to non-EU data processors, which may include cloud service providers that unknowingly or inadvertently provide storage or hosting services involving the personal data of EU data subjects.
Whether or not a company is considered to be offering goods and services to data subjects within the EU depends on the context in which the apparent offer is made. For example, a non-EU company with a website accessible to people in the EU is not, on its own, sufficient to require the company to oblige with the GDPR. However, if, for example, the website is available in a European language that is not used in the company’s own jurisdiction, offers payment in an EU currency or provides for delivery in the EU, it could imply that the goods or services are being offered to data subjects in the EU and therefore the GDPR will apply.
There are a number of different purposes of the GDPR. Firstly, it is intended that the GDPR’s implementation will result in the uniformity of data protection regulations within the EU. In addition, the GDPR emphasises the importance of transparency and accountability when it comes to the processing of personal data, as well as requiring that compliance to these principles be demonstrable.
The GDPR provides for a number of sanctions in the event of a breach of its provisions. Administrative sanctions impose liability based on a case-by-case assessment of the circumstances of the infringement with the level of potential fine being dependent on the breach. Potential fines range from up to 10 million euros or 2 per cent of total worldwide annual turnover in the previous financial year to fines of up to 20 million euros or 4 per cent of total worldwide annual turnover, depending on the seriousness of the breach.
At present, there is no clarity on how the GDPR will be enforced upon non-EU companies with no establishment in the EU. However, it is likely that the EU data protection authorities would aim to seek a court injunction to block a non-EU company from offering its services to, or monitoring, EU data subjects if it is not in compliance with the GDPR.
If your company is obliged to comply with the GDPR, it is required to appoint a representative within the EU to act as a point of contact for EU data subjects and national regulators relation to any issues that may arise as a result of the processing of personal data of EU residents. This representative must be established in one of the EU member states where the affected data subjects are located.
The GDPR requires companies acting as data controllers of personal data to implement appropriate technical and organisational measures and procedures necessary to comply with the legislation, having regard to the state-of-the-art and the cost. The GDPR also requires data controllers to ensure that if they are appointing a data processor that a contract is in place ensuring that the rights of data subjects are protected. Furthermore, the GDPR imposes new requirements on controllers and processors to keep appropriate records of data processing activities in order to demonstrate compliance with the legislation.
Even if you are a business that does not directly operate within the EU, the scope of the GDPR is such that your company may be obliged to comply with it even if you are not aware whether you interact with EU data subjects. It is important that businesses undertake an assessment to analyse whether they will be subject to the GDPR and, if so, whether any steps need to be taken to ensure compliance.
If your company is subject to the GDPR, it is important that you ensure that you are in compliance by May 25. This means ensuring that your company has undertaken self-assessments, audits and compliance reviews to ensure compliance by that time.
The views expressed in this opinion editorial are the author’s own and do not necessarily reflect Emerging Europe’s editorial policy.