US companies need to prepare for controls over their marketing to EU citizens in the wake of agreement on EU General Data Protection Regulation
This blog is part 3 of Ardi Kolah's series on the GDPR. See the others here.
The State of the European Union address by European Commission President Jean-Claude Juncker on 9 September 2015 may appear on the surface to be largely insignificant for the marketing activities of US multinationals within the EU.
However, such thinking is highly dangerous as it reveals an almost total lack of awareness of the risks to business continuity facing some of America’s biggest corporations that generate vast profits from their marketing activities with EU citizens.
Here in Europe, many companies and organisations are bracing themselves for the biggest shake-up in data protection and privacy for a decade with the forthcoming EU General Data Protection Regulation (GDPR).
This one EU Regulation will, at a stroke, update the former Data Protection Act Principles and the previous EU Data Protection Directive. In fact, the new EU Regulation is three times longer than the Data Protection Act 1998.
Under GDPR, US-based companies that have never set foot within the EU will face significant fines – between 2% and 5% of global turnover – if they refuse to play by the new rules. This may sound like a nightmare scenario, but data protection and privacy laws across the largest single trading bloc in the world are just about to get harmonized.
There are several drivers for these changes, and the big one is definitely privacy. Interestingly, the word ‘privacy’ doesn’t appear in the text of the US Constitution. However, like the right to bear arms that so many Americans feel defines their version of democracy, millions of Europeans consider the privacy of their personal information to be just as sacred, and a fundamental human right.
European experiences in the last century, where personal information was extensively used for totalitarian and genocidal purposes, may be at least partially responsible for an array of national laws enshrining a right to privacy, as well as supranational protections beginning with Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms and Protocols in 1950, and more recently, the EU Data Protection Directive of 1995.
The EU Directive, which remains in force until GDPR has been agreed (possibly as early as the end of November 2015), established a broad set of principles for the protection of privacy and personal data. However, each EU Member State was given wide discretion to implement these principles at a national level. The result was that US companies faced a patchwork of data protection and privacy laws, which made it very difficult to work out how to run marketing campaigns across the EU without fear of falling foul of rules that varied between jurisdictions.
The legacy is that today, EU privacy and data protection laws are far from uniform, and their impact on commercial activities varies greatly, which is one reason why they will be swept away by the forthcoming GDPR.
Cross-border transfer of data between the US and the EU is now going to change
A critical commercial impact of these assorted data protection and privacy laws is on cross-border data transfer between the EU and other jurisdictions.
Only a small number of other countries, such as Canada and Israel, had been viewed in the EU as having “adequate security,” so transfers of personal data from the EU to these countries aren’t generally restricted under the current EU Directive.
All other countries, including the US, hadn’t measured up. Now that’s all changed, thanks to a deal that’s just been reached between the EU and the US.
Following four years of negotiations, it would appear that EU and US authorities have put ink to paper on an umbrella agreement on law enforcement-related transatlantic data protection. The agreement covers personal data exchange, such as criminal records and addresses that are transferred between EU and US law enforcement and judicial agencies. Though not on the level of the long-awaited updated Safe Harbor Agreement that covers corporate data transfers, this looks to be a crucial development after Edward Snowden's 2013 intelligence revelations.
EU Justice Commissioner Vera Jourová described this latest move as "an important step to strengthen the fundamental right to privacy in Europe in practice and to rebuild trust in EU-US data flows."
Key to the agreement coming into force is the US Congress passing legislation giving Europeans the right to sue US agencies that misuse their data. Should Congress rubber-stamp this new right for EU citizens to take action within the US, the umbrella agreement will place restrictions on how data can be used, how long it can be held and where it can be transferred.
A mechanism in the agreement would also cover the notification of security breaches, falling in line with the requirements proposed under the GDPR – and this will have a significant impact on all US companies. The European Parliament has been very vocal that reciprocity be a condition of cooperation. It sounds like the ball is very much with the Americans at the moment, and according to the IAPP the outcome could herald a significant "rapprochement" between the regions.
MEP Jan Philipp Albrecht, who has been one of the architects of GDPR, described this new agreement with the US as representing “a very major step forward to transatlantic common standards for the protection of civil liberties in a digitalized world."
The Computer and Communications Industry Association (CCIA), one of the biggest lobbying groups for the US tech industry, also welcomed the news. "We repeat our call on the US Congress to pass the Judicial Redress Act," said CCIA Europe Director Christian Borggreen.
EU Model Contracts are an alternative to Safe Harbor. The “Model Contracts” are forms negotiated between the Commerce Department and the European Commission that are to be used when personal information is transferred from the EU to the US.
These documents typically can’t be modified to suit the business transaction, and this inflexibility can sometimes be a barrier to their use. Very few organizations have implemented “binding corporate rules” (BCRs), which allow multinational corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law.
The rules must conform to strict protocols, and be approved by multiple data protection agencies in Europe.
The time, cost and expense of enacting BCRs have slowed adoption even among very large companies. This is why the GDPR will become, de facto, the way in which data transfers are regulated, with the objective of harmonization across Europe: sweeping away the wide variety of rules and regulations among EU Member States and replacing them with a uniform set of principles.
Why a single EU Regulation is a game-changer for US marketers
At first glance, the concept of uniformity is extremely attractive. This new EU Regulation has been regularly promoted as a means to simplify conducting business in Europe.
However, the ‘devil is in the detail’, especially with respect to how GDPR will be implemented. A central driver behind the introduction of the new EU Regulation is to affirmatively enhance protections for individuals and their data — which will entail an inevitable, and in some cases potentially dramatic, increase in the regulation of companies, not to mention very substantial increases in the potential financial penalties.
US companies will be the controllers of personal data that belongs to the data subject and will also be responsible for directing the use of that data by processors.
There may be situations where US companies will be working jointly with processors for different purposes.
Legal liability for ensuring protection of the data typically rests with the controller (although controllers may have claims against processors for data misuse, breach, etc.).
The GDPR proposes a significant change in this framework, establishing that controllers and processors may be jointly and severally liable for personal data breaches or other unauthorized use and/or disclosure of personal data, including direct claims by the affected data subjects.
From a commercial perspective, this new approach has the potential to immensely complicate routine transactions.
A vivid example of the impact on commercial operations can be seen in last year’s Google Spain v AEPD and Mario Costeja González case in the EU Court of Justice, which effectively established the concept of “the right to be forgotten”, now part of the forthcoming GDPR.
A Spanish citizen filed suit when a Google search of his name disclosed publicly available information regarding past financial reverses, alleging that he had the right to be forgotten for such ancient events.
The EU Court of Justice agreed and forced Google to implement a process for individuals to request that information be deleted from search results, which is a daunting task since the opinion provided little guidance on the limits of the “right to be forgotten.”
However, as of now, the results of the same Google search conducted in the US and in the EU may be different.
US marketers must carry out a data protection impact assessment (DPIA) and appoint a DPO
US companies that are doing business with EU citizens right now need to get on and carry out a data protection impact assessment (DPIA) across their entire operations, not simply on a project-by-project basis, and appoint a Data Protection Officer (DPO) who will effectively be the eyes and ears of the company in how it complies with the GDPR.
Under the GDPR, the DPO enjoys a status quite different from that of an ordinary senior manager, given that their primary responsibility is to protect data privacy rather than to advance the commercial interests of the company at any cost.
The forthcoming EU Regulation includes draft language with respect to rapid reporting of data breaches – within 24 hours – although a proposed modification would increase the time frame to 72 hours. This will pose a significant burden as many organisations are simply not geared up to respond to such contingencies in such a short time frame.
In addition, there is no de minimis threshold: all data breaches will need to be reported to the Supervisory Authority, whether or not they cause harm or distress to the data subject.
Impact of GDPR on internet marketing for US marketers
Internet marketing, the very model that’s inextricably embedded in countless commercial practices and increasingly sustains commercial activity on the Internet, is at risk under the GDPR.
Specifically, “profiling,” the practice of developing a snapshot of an individual’s preferences, browsing history, purchases, etc., would be prohibited unless it is necessary for performance under an agreement, authorized by law, or explicitly consented to by the individual.
Behavioural advertising, targeted marketing or remarketing, email solicitations and other direct marketing practices will be less effective if they can’t be targeted using individual profiles, and therefore less valuable.
The collection of information on individuals as a basis for displaying personalized ads, one of the largest tools in the current toolbox of e-commerce, could suddenly disappear.
The question is not whether, but when, and in just what form, the EU Regulation is going to pass. Currently, the European Commission, the European Parliament and the Council are attempting to reach agreement on the final wording of the GDPR behind closed doors. But all indications are that agreement could be reached as early as the end of November this year, and then US companies will need to change how they market during the two-year transition period.
So, if you’re reading this and are based in the US, then time is of the essence.
Ardi Kolah is director of GO DPO® EU Compliance. More insights can be read on the company’s website.