The recently enacted General Data Protection Regulation may have been created on another continent but, in some ways, its ripple effect could be felt by organizations in Missouri as much as in Munich.
“It is a pretty big piece of legislation — not just in the scope of what it does but also the impact that it is having on companies worldwide,” said Steven Hengeli, an associate with Polsinelli in Kansas City.
On the other side of the state, Matthew Bodie, a law professor at Saint Louis University, has a similar assessment.
“If EU citizens interact with your commerce in any way, you are going to have to worry about justifying your use of their data,” he said.
That simple fact has set general counsels scrambling on both sides of the Atlantic to figure out what exactly the GDPR means for them and precisely how it might be enforced.
One way it could change the world is by reframing what constitutes personal data. The regulation’s Article 4 defines it as “any information relating to an identified or identifiable natural person” and mentions a wide array of factors including the “physical, physiological, genetic, mental, economic, cultural or social identity” of the person in question.
“When I give trainings, I tell my clients that’s what we call the elastic clause of the GDPR,” said F. Scott Galt, a partner at Armstrong Teasdale in St. Louis. “You can envision that, five years from now, things that are different than we contemplate today would potentially fall within that purview. It covers the waterfront.”
Bodie said other changes were in place as well, including more stringent mandates on garnering permission for collection and analysis of a subject’s data.
“The requirements for consent got much more specific — and you could say onerous — if you are someone trying to comply with them,” he said, noting a particular focus on the placement of tracking cookies. “The consent had to be very specific. It had to be transparent in terms of explaining what the consent was being requested for.”
Nor is having data the same as having permission to use it.
“In the U.S. we think of consent for collection of the data as the primary concern, and once the data is collected, you can do whatever you want with it,” Bodie said. “The EU doesn’t really think about it that way. They think of it in terms of processing, so you have to get consent not only for taking the data but also for how you are going to use the data.”
Hengeli said some of these issues remain up in the air, and it is still unclear how strictly European regulators will enforce the provisions of the regulation.
“The reality is that it does raise some challenges, but there are strategies that companies can implement to try to address the requirements without completely jettisoning what they are doing,” he said.
Galt said the GDPR largely divides data holders into two groups. There are “controllers” who possess and make decisions about the data and “processors” who carry out directives to use the data in various ways. Among other things, it not only mandates a contract between the two parties but even spells out what must be in that document.
“It is not called for specifically, but in order to achieve things that are called for specifically, I think GCs need to be out there at least annually vetting these third parties to make sure that their information-privacy practices are up to snuff to what they represented in these contracts,” he said.
Galt said that, as a practical matter, organizations should have someone to run point on data issues, and GDPR even contains requirements for the addition of a “data protection officer,” or DPO, to the ranks of certain entities. But he cautions that semantics matter.
“In fact, I counsel my clients to not call that person a data protection officer unless it is required by the GDPR,” he said. “The DPO is a magic term, and with that term comes some pretty onerous obligations on the company.”
According to the GDPR, a DPO is required for public authorities, for organizations whose core activities involve “regular and systematic monitoring of data subjects on a large scale,” and for those whose core activities involve large-scale processing of certain sensitive categories of data, including health status, religious views, genetic factors, political opinions, trade union membership or sexual practices.
One of the most intimidating things about GDPR: It has teeth. The fines are enormous, reaching as much as 20 million euros or 4 percent of worldwide annual turnover — whichever is higher.
“It is serious. Once they start issuing these penalties, which they are going to do a lot of in the next six months, people are going to stand at attention and say, ‘Well, I guess maybe we did need to get compliant with that thing,’” Galt said.
Meanwhile, Bodie said that if a data breach does occur, the authorities want to know about it rapidly.
“They do have a data-breach notification which is 72 hours — which is much quicker than a lot of the U.S.,” he said.
As for matters of data usage, the first shots in the war may have been fired earlier this year when German officials restricted Facebook’s data-collection activities. The social networking giant could appeal the issue to the European Court of Justice, setting up a potential battle under GDPR.