GDPR – What Non-EU Entities Need To Know

GDPR – What Non-EU Entities Need To Know

The General Data Protection Regulation (the “GDPR”) came into effect on 25 May 2018 and is designed to harmonise national data protection laws across the EU, while at the same time, modernising the law to address new technological developments. As a regulation, the GDPR is directly applicable, and therefore enforceable, in all 28 EU Member States. For an interesting summary, check out this infographic from the European Commission’s official website.

However, for those entities based outside of the EU, but who may do business within, or market to, the EU, or have EU clients, you may be asking: how will the GDPR affect you?  This question is the focus of this post, as entities based in the EU will, no doubt, have obtained advice locally with regard to their compliance requirements.

To Whom Does The GDPR Apply?

The creation of a level playing field for businesses established inside and outside the EU through the expansion of territorial scope was a key objective of the GDPR, which provides that:

1. Personal data processed in the context of the activities of an establishment of a controller or a processor in the EU will fall within the scope of the legislation (Article 3(1)); and
2. The processing of EU data subjects’ personal data by a controller not established in the EU, where the processing activities are related to the offering of goods or services to the relevant data subject (even if for free) or the monitoring of the data subjects’ behaviour in the EU (e.g. via cookies), will also be caught (Article 3(2)).

Therefore, this test may catch many non-EU businesses. Relevant factors to assess whether businesses based outside of the EU will be caught by the GDPR include:

1. Use of a currency or language used in the EU;
2. Ability to place orders in, and have goods delivered to, the EU;
3. References to EU users or customers; and
4. Tracking EU residents online.

All websites that use tracking cookies and apps that track usage will be caught to the extent that the information they collect, in aggregate, renders an individual identifiable. Non-EU companies that carry out cookie profiling (i.e. persistent, not session only, cookies tracking users’ overall online activity across websites) will most likely be deemed to be processing personal data to monitor behaviour. Cookies which do not collect personal data or do not track usage are unlikely to be caught under the GDPR as “monitoring”.

Individuals can be tracked or monitored in other ways, such as through the storing and sharing of IP addresses, which may well amount to personal data, especially where the user’s internet access provider has data that, in combination with such IP address, can identify the user. Does this mean that non-EU businesses whose websites are visited by individuals located in the EU are deemed to be tracking such individuals and, thus, caught by the GDPR? Should websites restrict access to those based in the EU, even if this could be bad for business?

The sensible view, supported by language in the GDPR recitals, is that the GDPR does not intend to catch such incidental collection. It would seem that monitoring requires not only the gathering of personal data involving personal aspects of natural persons, but also an element of intentional or active tracking, the automated processing of such data for the purpose of making decisions about the data subjects. Nevertheless, it is still unclear exactly how detailed the tracking of a data subject must be in order to trigger the application of the GDPR.

What is also unclear is how this broad geographical scope will be enforced in practice. The unanswered questions regarding the enforceability of the regime against non-EU companies suggest that, despite increased fines and sanctioning powers, reputation may continue to be the key driver behind privacy compliance for market leaders outside the EU.

Perhaps to address concerns regarding enforceability, the GDPR provides that where a controller or processor is not established in the EU, it must designate, in writing, a representative in the EU. The representative role is akin to one of limited agency, whereby the representative is available locally to data subjects and acts as intermediary between them and the controller or processor who is located overseas.

A representative is only required in the Member State of the controller’s or processor’s “main establishment”.  Non-EU businesses with a number of establishments in the EU or with no clear EU establishment are likely to encounter practical difficulties in designating a single “main establishment”. Although it makes no explicit reference to enforcement, Article 27(4) of the GDPR also implies that the representative could be a named party in administrative actions or litigation, and one can see the logic in this as the representative may be the only party susceptible to effective jurisdiction by an EU court. It seems clear that an EU representative may be legally liable for non-compliance by its a non-EU principal, including (presumably) for paying administrative fines and awards of damages, and, at the very least, for legal and other costs arising from addressing enforcement actions. Also, given the questions about enforceability of the rules of extra-territoriality, it would seem likely that EU regulators and courts will be inclined to pursue a party located within the EU if there is doubt over enforcement externally.

While an obvious “hook” to address concerns regarding enforceability of the GDPR against non-EU entities, these representative provisions do raise the question as to why anyone would want to accept a representative role, especially given that a representative cannot force their principal to comply, but could still be liable for non-compliance. Presumably this role is only likely to be filled by group companies, affiliates or an SPV specifically set up for such purpose, as third party representatives would be expected to require both significant fees for taking on the role as well as a raft of indemnities and appropriate insurance cover.

To summarise, the scope of the GDPR makes the location of the data subject key to the determination of the regulation’s territorial reach. In practice, this means that many companies based outside of the EU that are not currently subject to EU data protection law, but who are targeting customers within the EU, will be subject to the requirements of the GDPR.

What Penalties for Non-Compliance Does The GDPR Impose?

Under the GDPR maximum fines for breach of data protection law will significantly increase and businesses could now face potential fines of up to the higher of:

1. 4% of total annual worldwide turnover; or
2. €20 million depending on the type and severity of the breach.

Notably, there is the potential for such percentage fines to be imposed on the turnover of the entire global group of companies (the interpretation of which is still to be determined), and not just the processing or controlling group entity which is in breach. This means that businesses which had previously regarded compliance with EU data protection law as presenting a relatively low risk will need to rethink their privacy law compliance strategy. The GDPR also makes it more straightforward for individuals to bring private claims against data controllers and processors. In addition, reputational damage may result from breaches of the GDPR, which is difficult to quantify.

Building A GDPR Compliance Roadmap

The GDPR may require significant changes for many businesses, and many of these changes will require substantial time to implement. It is, therefore, important for businesses to move quickly, if they have not already done so, in order to avoid the risk of significant fines and adverse publicity.

Here is an action list to begin assessing gaps in your organisation’s compliance:

Extra-territorial reach – Conduct an analysis as to whether the GDPR applies to you?

Resources and budget — Appoint an individual (or team) in your organisation to oversee the transition and ensure that an appropriate budget has been allocated to build out new processes and policies;

Personal data assessment — Assess what personal data your organisation collects and holds, where it is stored, and how it is used. Consider instructing a third party to audit your IT and security systems;

Third parties — Know from whom you are collecting personal data and to whom you are transferring it. You may need to renegotiate contracts with data processors (which could take some time) and obtain clearer consent from data subjects;

Data Processing — Review and update any data subject consents, internal training, privacy notices, policies and data transfer mechanisms. Review existing procedures and create new ones to address restrictions on certain types of processing, such as automatic profiling, and support new data subject rights being introduced, such as data portability, enhanced data subject access requests, and the right to erasure and rectification;

Data Breaches — Design and implement a data breach response plan to ensure you are able to meet the new 72-hour deadline to report sufficiently serious breaches to the relevant supervisory authority. Note that you will only have to notify the authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. Consider in advance which breaches of which personal data are likely to have this impact so that you are able to swiftly identify breaches that need to be reported;

Accountability — Implement additional accountability measures (i.e., privacy impact assessments, audits and record keeping) and appoint a data protection officer (if required or desired).

For more information, please visit the European Commission website’s 2018 reform of EU data protection rules pages.