In a little more than a year, U.S. companies that do business in Europe or have customers or employees there will need to comply with a new set of European Union data protection and privacy laws. The EU General Data Protection Regulation (GDPR), which was adopted in 2016, will take effect in May 2018, subjecting most companies to its somewhat onerous provisions. While many data privacy experts have focused on the GDPR, another regulation, this one passed by authorities in Switzerland, will also have a big impact on U.S. companies that collect or transfer data of Swiss citizens.
The GDPR was designed to enhance data protections for EU residents and to provide a framework for company usage of personal data of those who reside in the European Union, including non-citizens. It comes with hefty penalties for non-compliance. Fines for violating its provisions can run as high as 20 million euros ($22 million) or 4 percent of total global revenues, whichever is higher!
By way of analogy, the United States has two main categories of laws: federal and state. Of course, within those categories, there are a multitude of regulations, statutes, and judicial opinions. Similarly, the EU has laws that impact every member country, as well as individual country laws, which also include directives, court opinions, and statutes. The GDPR is intended to harmonize data regulations across the EU, but some regulations of individual countries, such as Switzerland, remain relevant.
Data privacy laws have different requirements in relation to cybersecurity and agreements with other countries outside of the EU. The Swiss-U.S. privacy shield, for example, provides a specific mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States.
A New Data Privacy Regime
The GDPR is replacing an older set of EU data security and privacy regulations generally referred to as the EU Data Protection Directive. Enacted in October 1995, the original EU Data Directive laid the foundation for the protection of a person's data in relation to the storage, processing, and movement of personal information. The fourteenth paragraph of the preamble of 1995 Data Directive is very telling as to the law's primary purpose: "Whereas, given the importance of the developments under way, in the framework of the information society, of the techniques used to capture, transmit, manipulate, record, store, or communicate sound and image data relating to natural persons, this Directive should be applicable to processing involving such data..."
The Directive goes on to indicate that these "principles of protection" are to be imposed on all persons including governmental authorities, enterprises, businesses, and individuals. These fundamental principles have subsequently been reflected in various opinions and directives. For example, in September 2015, Opinion 02/2015 - C-SIG Code of Conduct on Cloud Computing was adopted, which provides a set of specific standards for cloud providers to follow. Of the various provisions related to cloud service providers (CSPs), the two that stand out are the international transfer of data and liability.
The current draft of the Code is only superficial on the matter of law enforcement or government access requests. Yet, as stated in the WP29 opinion in 2012 on cloud computing, this issue is a major one in relation to data protection and cloud computing.
WP29 specifically insists on its specific requirements on the issue of transfers or disclosures of data to non-EU authorities, based on its interpretation of the proposed Article 43A in the GDPR. The inclusion of such requirements in the draft code would also match its expectations that a code of conduct exceeds the mere compliance to the law.
Also, as described in previous opinions, the Code should specify that:
- A processor (such as a cloud provider) shall communicate any legally binding request for disclosure of the personal data by a law enforcement authority to the controller (the data's owner) unless otherwise prohibited.
- And in any case, transfers of personal data by a processor to any public authority cannot be massive, disproportionate, and indiscriminate in a manner that it would go beyond what is necessary in a democratic society.
Section 7 also provides a reminder to reference the agreements between the CSP and the customer. Hence, underscoring the importance of the content of the governing contractual language between the parties.
In this particular opinion, international transfer of data is followed up by liability. In 2015, the liability was left to the contracting parties to define in their agreements. Yet, a balance needs to be struck between being too limiting of cloud providers' obligations and restricting clients' rights. These opinions were espoused after the European Commission set forth its EU Data Protection Reform in January 2012, but before "the European Parliament, the Council and the Commission reached an agreement on the new data protection rules, establishing a modern and harmonized data protection framework across the EU."
What people refer to as the EU General Data Protection Regulation that is replacing the EU Data Directive is actually a pair of EU directives. Regulation (EU) 2016/679 and Directive (EU) 2016/680 will effectively repeal Directive 95/46/EC and Council Framework Decision 2008/977/JHA. The Directive (EU) 2016/680 provides for several novel data protection rules not presently in existence. As a result of these new regulations, an increase accountability of data controllers and processors will include: expansion of the duties of data controllers and processors; increased reporting obligations; and strengthened individual rights.
Many Changes to Implement
Among the major provisions of the new data regulation is the requirement that companies that collect data of EU citizens (known as data processors or data controllers, depending on what they are doing with the data) must seek the clear consent of those individuals. The request for consent must be given in a straight-forward and easily accessible form without legalese and other unclear language. Companies must also provide individuals with a mechanism to withdraw that consent that is as easy as it is to provide it. Data collectors must also provide the purpose for which they are using the data.
Some of the other major provisions of the GDPR provide for broad protections for data subjects, including:
Breach Notification: Where a data breach is likely to "result in a risk for the rights and freedoms of individuals" data controllers must provide notice that a subject's data has been compromised within 72 hours of becoming aware of such a breach.
Right to Access: Data subjects must be able to get confirmation from data controllers on whether or not personal data is being collected or processed and for what purpose. Data subjects must also be able to obtain an electronic copy of that data, free of charge.
Data Portability: Along with the right to access the data, individuals also have the right to obtain the data in a "commonly used and machine readable format" that they can transfer to another controller.
Right to Be Forgotten: Data controllers and processors, if asked, must delete the personal data of individuals and discontinue any processing or dissemination of it.
Privacy by Design: Companies must consider the inclusion of data protection mechanisms from the beginning of the design process, rather than in addition later in the process. As it is worded in the regulation: "The controller shall implement appropriate technical and organizational measures in an effective way in order to meet the requirements of this regulation and protect the rights of data subjects."
Another caveat for companies to consider is that language describing the scope of the GDPR includes the idea that it applies to those "monitoring the behavior of EU residents," which many have interpreted to mean a broader application than the prior Data Directive. Since most websites and apps provide some monitoring or tracking capability, companies would need to comply if they expect the websites they run to have any visitors from the EU.
Finally, some companies may be required to have a data protection officer. Companies that would need to appoint a DPO, include those where the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale" or where the entity conducts large-scale processing of "special categories of personal data." Those special categories include such sensitive information as race, religion, political views, and others.
In October 2015, the European Court of Justice ("EJC") announced its decision in the Schrems case, when it invalidated the U.S.-EU Safe Harbor program. The program had exempted U.S. companies from the limitations on moving data outside EU borders if they met certain requirements. The court ruled that it provided inadequate levels of protection to personal data transferred from the European Union to the United States. The decision dealt a blow to U.S. companies since they could no longer count on the exemption.
In January, the Federal Council of Switzerland established a new Swiss-U.S. Privacy Shield for transferring personal data from Switzerland to companies in the United States. This was a result of a collaborative effort between the U.S. Department of Commerce and Swiss Federal Data Protection and Information Commissioner (FDPIC).
"The U.S. does not have legislation on data protection that guarantees an adequate level of protection in terms of Swiss law." And, furthermore, "[t]he new regulatory system corresponds to the solution adopted by the USA and the 31 states of the EU and the European Economic Area (EEA). The fact that the two frameworks are similar is highly significant, as it guarantees the same general conditions for persons and businesses in Switzerland and the EU/EEA area in relation to trans-Atlantic data flows." In essence, companies may transfer Swiss personal data to the United States in compliance with Swiss data protection requirements. First, the Swiss Privacy Shield will replace the U.S.–Swiss Safe Harbor Framework. And, the conditions applied will parallel those in the EU–U.S. Privacy Shield Framework, which evolved in 2016 for cross-border transfers of EU personal data.
As of April, companies may self-certify. "U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework's requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework's requirements, the commitment will become enforceable under U.S. law."
The fundamental take away is that like the United States where the individual states may have more stringent requirements (Texas HB 300, for example, versus HIPAA), individual member states, like Switzerland, have more stringent guidelines. In sum, this means that companies, who transact business and create, receive, maintain, or transmit personal data between the EU and the United States, should not only keep abreast of the various laws, but also refine their privacy policies and contractual language to reflect the obligations of each country when appropriate.
Any company that collects or processes any data of EU citizens should get started on reviewing all related policies and processes and a specific audit of such practices, with particular attention to the GDPR, may also be a good idea. Some steps include:
- Assess readiness for GDPR compliance
- Review all data privacy and related policies
- Conduct a gap assessment of requirements vs. current practices
- Develop a plan based on a risk-based assessment of potential non-compliance
- Create monitoring and reporting mechanisms for compliance
- Promote awareness of GDPR regulations throughout the organization
The cybersecurity landscape is constantly changing. It is incumbent upon all parties who create, receive, maintain, or transmit personal data to understand the laws and the associated liabilities in each jurisdiction that the personal data touches. In particular, close attention should be given to CSP contracts and the provisions related to transferring dating outside the United States to be stored elsewhere.