A few years ago, nearly every website added a small pop-up asking you to accept cookies, the small files a site stores in your browser, which are often used to track your activity across the internet. These banners are the result of an EU privacy rule (the "cookie" provisions of the ePrivacy Directive) that has proliferated across the Atlantic, regardless of whether the website is based within the EU. Another, more stringent EU rule is also starting to reach across the Pond: the General Data Protection Regulation (GDPR). This rule applies to nearly any business that handles the personal data of people in the EU, including businesses located outside of the EU, and it has implications for businesses operating within the United States.
What is the GDPR?
In force since May 2018, the GDPR is a broad rule governing the collection, use, retention, and transfer of personal data in the EU. The requirements for companies processing personal data of people in the EU include (among other things):
- Being transparent regarding what data is collected and why.
- Abstaining from the collection or retention of data beyond the disclosed and necessary reasons and time frames.
- Securing the data against theft.
- Preventing the data from improperly crossing borders (for example, letting data collected in the EU flow to the United States without an approved transfer mechanism).
- Where processing rests on the data subject's consent (one of several lawful bases the GDPR recognizes), obtaining that consent through a clear affirmative act; pre-ticked boxes, silence, or inactivity do not count. Data subjects retain the right to change their minds and withdraw consent at any time, and withdrawing must be as easy as consenting was.
The data at issue are similarly broad: any information that can be used to identify an individual, directly or indirectly, including their name, physical address, IP address, online identifiers, biometrics, etc. Sensitive information (relating to an individual's race, religion, health, political beliefs, etc.) is given special treatment. Some personal data are gathered implicitly, in a form that may not be apparent to the website owner. For instance, a web server records each visitor's IP address in its logs whether or not it sets cookies, and a cookie then ties that visitor's requests together into a profile; both require the appropriate notices and safeguards. In recent enforcement actions, employee data has received particular attention.
The GDPR does not apply to fully anonymized data. Data that can still be engineered back to the data subject's identity do not qualify for this exception. That includes "pseudonymized" data, where identifiers have been replaced by tokens or hashes that a lookup table (or a brute-force recomputation of the hash) can reverse, and it applies regardless of whether the importer or recipient has access to that table. It also includes data from which identity can be inferred indirectly, such as location data from which one's home, and thus one's identity, may be deduced. For example, it was reported that the Centers for Disease Control and Prevention used cell-phone location data to track people's movements during the pandemic. Although the data had been scrubbed of names and other explicit identifiers, a subject's home address can likely be determined from the location trail, so collecting and transferring such data in the EU outside of the GDPR's requirements would likely violate it.
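The two re-identification routes described above are easy to demonstrate. The following Python script is an added example, not part of the original article: it shows that an unkeyed SHA-256 hash of an IPv4 address is a reversible pseudonym (the whole IPv4 space is only 2^32 values, so a lookup table is cheap to build), that a keyed hash blocks outsiders but still lets the key holder re-identify people, and that the overnight "resting" cell of a name-stripped location trail reveals a home location. All inputs are constructed: the IP range is the RFC 2544 benchmarking block 198.18.0.0/16, the secret key and the coordinates are made up for the demonstration.

```python
"""Added example: why hash-based pseudonyms and name-stripped location
pings are still personal data. All sample inputs are constructed."""
import hashlib
import hmac
import ipaddress
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple


# --- Part 1: hashed IP addresses --------------------------------------------

def pseudonymize_ip(ip: str, key: Optional[bytes] = None) -> str:
    """Replace an IP with a hex digest. Unkeyed SHA-256 is the common
    'anonymise the logs' shortcut; with a key it becomes HMAC-SHA256."""
    if key is None:
        return hashlib.sha256(ip.encode()).hexdigest()
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def build_reverse_table(network: str, key: Optional[bytes] = None) -> Dict[str, str]:
    """Precompute digest -> IP for every host in `network`. A /16 is 65,534
    hosts and takes well under a second; the full IPv4 space is only 2^32,
    so an attacker can do this offline for any unkeyed scheme."""
    hosts = ipaddress.ip_network(network).hosts()
    return {pseudonymize_ip(str(h), key): str(h) for h in hosts}


def reidentify(pseudonym: str, table: Dict[str, str]) -> Optional[str]:
    """Look the pseudonym up; None means this table cannot reverse it."""
    return table.get(pseudonym)


# --- Part 2: home inference from 'anonymous' location pings -----------------

# Constructed trail: (ISO timestamp, lat, lon). No name, no device ID.
SAMPLE_PINGS: List[Tuple[str, float, float]] = [
    ("2022-03-14T09:05:00", 38.9072, -77.0369),  # daytime, office
    ("2022-03-14T13:40:00", 38.9071, -77.0370),  # daytime, office
    ("2022-03-15T01:12:00", 38.8981, -77.0368),  # overnight, home
    ("2022-03-15T03:30:00", 38.8979, -77.0371),  # overnight, home
    ("2022-03-16T01:05:00", 38.9100, -77.0400),  # one late night out
    ("2022-03-16T04:45:00", 38.8982, -77.0372),  # overnight, home
]


def infer_home(pings: List[Tuple[str, float, float]],
               night: Tuple[int, int] = (0, 6),
               grid: float = 0.001) -> Optional[Tuple[float, float]]:
    """Return the grid cell (roughly 100 m at this latitude) where the
    device most often sits during the night window. The modal overnight
    cell is a strong proxy for a home address, which is what makes the
    scrubbed dataset indirectly identifying."""
    cells: Counter = Counter()
    for ts, lat, lon in pings:
        hour = datetime.fromisoformat(ts).hour
        if night[0] <= hour < night[1]:
            cells[(round(lat / grid) * grid, round(lon / grid) * grid)] += 1
    if not cells:
        return None
    (lat, lon), _ = cells.most_common(1)[0]
    return (round(lat, 3), round(lon, 3))


if __name__ == "__main__":
    victim = "198.18.45.201"
    table = build_reverse_table("198.18.0.0/16")
    print("unkeyed hash reversed to:", reidentify(pseudonymize_ip(victim), table))

    key = b"constructed-secret-key"          # held only by the data controller
    keyed = pseudonymize_ip(victim, key)
    print("outsider reverses keyed hash:", reidentify(keyed, table))
    print("key holder reverses keyed hash:",
          reidentify(keyed, build_reverse_table("198.18.0.0/16", key)))

    print("inferred home cell:", infer_home(SAMPLE_PINGS))
```

The keyed variant is the practical lesson: it stops a recipient without the key from rebuilding the table, but the controller (or anyone who obtains the key) still can, which is exactly why the article treats pseudonymized data as personal data rather than anonymized data. Widening the grid or dropping the night-time window changes how confidently a home can be inferred, but does not by itself make a location trail anonymous.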
Do Companies in the United States Have to Comply?
Companies with a global reach should be especially concerned with the flow and storage of the data they collect, especially data originating in the EU. "Cross-border data transfers" are transfers of personal data out of the EU (more precisely, the European Economic Area). If the European Commission has determined through an "Adequacy Decision" that the receiving country's privacy protections are essentially equivalent to those in the GDPR (including enforceable rights and remedies for data subjects), data may be transferred freely. Several countries have received favorable Adequacy Decisions; as of this writing, the US had not.
The EU and the US tried on at least two occasions to craft a framework that would support an Adequacy Decision, first "Safe Harbor" and later "Privacy Shield". The Court of Justice of the EU invalidated the former in 2015 (Schrems I) and the latter in 2020 (Schrems II). Among other things, these frameworks failed to address concerns about the US Government's access to transferred data under surveillance programs such as Section 702 of the Foreign Intelligence Surveillance Act ("FISA") and Executive Order 12333, and they did not guarantee European data subjects the enforceable rights and remedies mentioned above. Max Schrems, an Austrian privacy advocate, had complained to the Irish regulator that his personal data gathered by Facebook in Ireland was sent to servers in the US, where Facebook lacked sufficient controls to protect it and to notify him of government access.
Nevertheless, EU data may still be allowed to "cross borders" into the United States. The mechanisms that permit transfers despite Schrems II must be assessed case by case; they include Binding Corporate Rules ("BCRs") and Standard Contractual Clauses ("SCCs"), among others. These contractually replicate the GDPR's protections: the importer must, at the very least, notify the exporter (and, where possible, the data subject) of any legally binding request for the data from a public authority, review the legality of the request and challenge it where there are grounds to do so, and disclose only the minimum amount of data needed to satisfy a lawful request. Note, however, that signing the Commission's "standard" SCCs is not enough on its own: Schrems II requires the exporter to assess whether the destination country's law undermines the clauses in practice and, where it does, to add supplementary measures (such as encryption with keys held only in the EU) or suspend the transfer.
Doesn't the United States Have Privacy Laws?
There are federal laws governing privacy in particular sectors (HIPAA in healthcare, Gramm-Leach-Bliley in finance, etc.). Several states have also enacted their own comprehensive privacy laws that approach the reach of the GDPR, notably California, Virginia, and Colorado. However, none of these state laws reaches as far as the GDPR, and none can alleviate the concerns over the federal government's broad surveillance powers under FISA and other legislation. At the time of writing, the EU and the US were still negotiating a replacement for Privacy Shield; the European Commission adopted an adequacy decision for the resulting EU-U.S. Data Privacy Framework in July 2023, and that decision has since been challenged before the EU courts.
What Can Our Organization Do Now?
If your organization needs to reach the European market, a qualified privacy attorney can best describe the options available. Your organization can also work with a consulting firm to implement the resulting recommendations on complying with the GDPR and the myriad existing and evolving privacy laws.
Joe Nelson is a Senior Consultant in CapTech’s Data & Analytics practice. After practicing law for more than 15 years, he joined CapTech as a data engineer, assisting CapTech’s multinational clients with their data infrastructures.
The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials are for general informational purposes only. Information in this article may not constitute the most up-to-date legal or other information.
Readers of this article should contact their attorney to obtain advice with respect to any particular legal matter. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation.
The views expressed at, or through, this article are those of the individual author writing in their individual capacity only, not those of CapTech. All liability with respect to actions taken or not taken based on the contents of this site is hereby expressly disclaimed. The content in this posting is provided "as is"; no representations are made that this content is error-free.