Editor’s note: The European Union is an important market for many U.S. businesses, and now firms must comply with new EU data protection requirements by May 25 or face penalties.
The General Data Protection Regulation (GDPR) authorizes fines of up to 4 percent of the company’s global revenue or up to 20 million euros ($23 million), whichever is higher.
While the penalties are clear, how companies should address compliance isn’t. The impending deadline has set off a scramble to adhere to the new rules before they go into effect.
Certifying to the EU-U.S. Privacy Shield Framework through the U.S. Department of Commerce can help U.S. companies comply with GDPR data transfer requirements.
The U.S. Export Assistance Center in Atlanta, which helps Georgia-based companies better tap export opportunities, supplied the below Q&A with Isabelle Roccia, Commercial Specialist at the U.S. Mission to the European Union located in Belgium, to illuminate some of the regulation’s nuances and help companies avoid being caught off guard.
Q: Could you give readers some background on the privacy issue?
Ms. Roccia: Similar to the United States, policymakers in the EU have spent years addressing the complex issues of privacy, economic innovation and questions of trust and security online. In fact, the EU established its first overarching personal data protection law in 1995. This law was designed to encompass all sectors, an approach different from the sectoral approach adopted in the United States. The GDPR is the EU’s effort to update its 1995 law.
Successfully managing the digital revolution is key to the EU’s future. The European Commission’s Digital Single Market initiative, for example, aims to create a 28-country market for digital goods and services that is innovative and competitive. GDPR seeks to ensure that European law upholds a fundamental right to data protection.
Q: Could you describe Europe’s General Data Protection Regulation (GDPR)?
Ms. Roccia: The GDPR replaced the data protection Directive 1995/46, but retains its essence — businesses must tell consumers that they are collecting data, what they intend to use it for, and to whom it will be disclosed — while introducing numerous new requirements and setting a two-year transition period to allow companies to achieve compliance. The transition period ends on May 25, 2018, at which time GDPR requirements will be enforceable.
Some key principles of the GDPR are:
- Lawfulness: processing of personal data must be lawful and where it is based on consent, the consent must be freely given, specific, informed and unambiguous;
- Transparency: information regarding processing must be provided in a concise, transparent, intelligible and easily accessible form;
- Purpose limitation: the purpose for which data is collected must be specified, explicit and legitimate;
- Data minimization: only data relevant for the purpose laid out can be collected and processed;
- Data integrity: data must be accurate and kept up-to-date;
- Security: data must be processed in a way that ensures appropriate security of the personal data;
- Accountability (new principle): the data controller is responsible for, and must be able to demonstrate compliance with, its GDPR obligations.
Q: How broad is the scope of GDPR in terms of what data is covered?
Ms. Roccia: The GDPR applies to the processing of personal data, which is defined very broadly under EU law. “Personal data” is any information relating to an identified or identifiable natural person, “such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. “Processing” is also defined broadly to mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, including storage, collection, consultation, etc.
Q: How does this regulation impact U.S. businesses?
Ms. Roccia: The territorial scope of the GDPR is much broader than that of the ’95 Directive, which it replaces. The GDPR applies to the activities of an establishment in the EU, to activities related to the offering of goods or services to EU persons (even if the seller is outside the EU), and to activities related to the monitoring of behavior of persons in the EU. A U.S. company engaged in these activities would likely be subject to the GDPR.
Q: What types of U.S. businesses might be affected, and are big and small companies treated equally and subject to the same rules?
Ms. Roccia: All U.S. businesses doing business in Europe, seeking to sell to EU persons, or that have clients or employees in Europe should be aware of the GDPR and assess what obligations they may have under the GDPR. For example, a company based in Ohio that sells products to customers in the EU should examine information it is collecting from those customers. If that information includes personal data such as name, address, and credit card information, the GDPR may apply. In general, the GDPR makes no distinction between large and small companies, except that organizations with fewer than 250 employees are generally not subject to the record-keeping requirements.
Q: Would GDPR apply to non-IT companies such as manufacturing, pharmaceuticals, or agriculture companies processing data?
Ms. Roccia: Yes. It does not distinguish between IT and non-IT companies. It also potentially applies to other types of organizations such as universities, research centers, etc.
Q: How might new GDPR requirements potentially impact the interests of U.S. companies?
Ms. Roccia: As of May 25, 2018, companies falling within the scope of the GDPR will have to comply with numerous requirements. The GDPR is more complex than its 1995 predecessor and includes several elements with a potentially significant impact on the interests of U.S. companies. Some key changes include the following and can be found in the full text of the GDPR:
- Enhanced data protection principles (namely Article 5)
- Stricter rules around consent (Articles 4, 7, and 8)
- Expanded data subject’s rights (Chapter 3)
- Breach notification rules (Articles 33 and 34)
- Joint liability obligations (Articles 79 and 26)
- A data portability right (Article 20)
- A requirement for a data protection officer or representative in the EU (Articles 27, 37, 38, and 39).
Q: What is the penalty for businesses that are not in compliance with the GDPR?
Ms. Roccia: Non-compliance can be very expensive. There is a fine of up to 4 percent of the company’s annual global revenue or up to 20 million euros ($23 million), whichever is higher.
Q: The fourth industrial revolution or “Internet of Things” continues to improve manufacturing capacities. How can U.S. manufacturing companies learn about specific privacy requirements?
Ms. Roccia: The International Trade Administration’s (ITA) Commercial Service has prepared an overview of the GDPR to familiarize companies with some of the basic requirements of the GDPR so they can begin to assess whether the GDPR would apply to them.
Q: How can the EU-U.S. Privacy Shield Framework help U.S. companies comply with GDPR?
Ms. Roccia: In 2016, the Commerce Department’s International Trade Administration launched the EU-U.S. Privacy Shield Framework to provide U.S. companies with a mechanism to comply with those EU data protection requirements pertaining to the transfer of personal data from the EU to the United States.
To join the Privacy Shield Framework, a U.S.-based organization is required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment becomes enforceable under U.S. law. For further information, visit www.privacyshield.gov.
Q: The Commerce Department has a Digital Attaché program with 12 Digital Trade Officers including three of these specialists in Europe. How can they assist U.S. companies (particularly small and medium-sized firms) on EU privacy matters?
Ms. Roccia: Europe-based Digital Trade Officers can assist U.S. companies in navigating both EU and EU Member State government privacy regulations. Like U.S. companies responding to state-level and federal-level regulations, operating in EU markets requires careful attention to both EU and EU Member State rules. More on the Digital Attaché program and embassy contact information is available on export.gov. You can also locate a Commercial Service office in the United States near you.
Q: What should U.S. businesses keep an eye on in the future?
Ms. Roccia: The European Data Protection Authorities are issuing publicly-available guidelines to help organizations better understand how the DPAs interpret GDPR requirements. Furthermore, the privacy landscape continues to evolve in Europe, including vis-à-vis international data flow mechanisms. The U.S. Commercial Service will continue to monitor this area very closely and will strive to keep U.S. companies abreast of changes.
GDPR and Privacy Shield
- Full text of the GDPR
- Market intelligence report on GDPR
- The European Commission’s public site on GDPR
- Data Protection Authorities’ GDPR guidelines
- Privacy Shield