What's All the Fuss About GDPR?
History
Some of you may remember GDPR's predecessor, the Data Protection Directive (often referred to in the U.S. simply as the "European Directive"). GDPR is intended to remedy perceived shortcomings with the older Data Protection Directive ("DPD"). While aimed specifically at EU citizens and activities conducted within the EU (even by non-citizens), GDPR has a global reach because it expressly applies to the storage and processing of data outside the EU. Hefty penalties for violations are expected to ensure the cooperation of multinational companies that cater to European markets.
Both the DPD and the GDPR came about because large corporations, enabled and emboldened by modern data analytics, were able to form contracts with individuals on terms far more favorable to corporations. Government regulation, of one form or another, is seen as a way to redress the imbalance in favor of the individual. DPD was the first attempt at such redress, but was found to have some significant loopholes in enforcement. For example, DPD forbade certain processing of individuals' data within the EU, but that provision was easily circumvented by multinational corporations merely by moving their data processing outside the EU. GDPR is meant to fix the previous law's shortcomings.
The Basic Provisions of GDPR
Because the GDPR is so unlike the privacy provisions commonly found in the U.S., a review of some of the EU Parliament's "recitals" is in order. First, in Europe, data about individuals are not a commodity to be acquired and sold cavalierly. Rather, the protection of an individual's data is a fundamental right in Europe. Moreover, GDPR is meant to ensure a "high level of data protection despite the increased exchange of data." Because the EU treats an individual's personal data as extremely important, far more stringent duties are imposed on companies that collect, store and process such data. These recitals (and others) set the tone for the provisions of GDPR.
GDPR has four major provisions, namely what data is affected (Art. 4, "definitions"), where the activities are covered (Art. 3, "territorial scope"), by whom (Art. 2, "material scope"), and remedies, liabilities and penalties (Chapter 8, Articles 77-84). The other articles (5-76 and 85-99) go into more detail about the first three of those provisions.
Article 4 defines 'personal data' as: "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". That is a broad definition, particularly because of the word "indirectly." For example, there are algorithms used by major companies that specialize in tracking an individual's behavior indirectly, and it is precisely those activities and algorithms that GDPR is intended to cover. The question for attorneys is just what constitutes "indirect" identification. Article 4 also defines twenty-five other related terms used within GDPR.
According to Article 2 ("material scope"), GDPR "...applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." Essentially, GDPR applies to personal data, regardless of whether the processing is accomplished by machines or humans when the information is intended to be stored somewhere. Incidentally, "‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction". (Art. 4).
Article 3 states that GDPR "applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not". Moreover, GDPR expressly covers individuals whose personal data is handled by non-EU entities, specifically: "[t]his Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 1) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or 2) the monitoring of their behaviour as far as their behaviour takes place within the Union." Note that 'data subject' as defined in Article 4 does not require that the subject be an EU citizen. It could include an American who happens to be within the EU when the relevant data is collected.
Remedies and Penalties
Data subjects (individuals) are afforded several options to redress wrongs. They are allowed to lodge complaints with a 'supervisory authority' (Art. 77) and to obtain an "effective judicial remedy" against that supervisory authority (Art. 78) should the supervisory authority's actions be inadequate. Moreover, under Article 79, the data subject may seek an effective judicial remedy against a 'controller' or 'processor' (which may be a U.S. company or law firm). Article 82 affords the data subject a right to compensation and/or liability. Finally, Article 84 allows for penalties to be imposed according to the conditions outlined in Article 83. Article 83.4 imposes an administrative fine of 10,000,000 Euros or "2% of the total worldwide turnover [gross sales] of the preceding financial year, whichever is higher." However, those hefty administrative fines are not the only potential exposure for U.S. companies and law firms.
Applicability to Texas
So, what do European privacy regulations have to do with Texas attorneys? Because GDPR applies to data about European individuals that is transmitted to the U.S., stored in the U.S., and/or processed in the U.S., including data that is stored and/or processed in U.S. law firms. If you think that GDPR has extraterritorial jurisdiction, you’re right. But Europeans can point to U.S. laws with similar extraterritorial aspects.
A recent example hits close to home. Many law firms use Microsoft’s Office 365 for handling client information. The later versions of Office 365 store the data “in the cloud.” Widely adopted by European companies and governments, Microsoft then found itself on the wrong end of a report commissioned by the Dutch government regarding the potential violation of GDPR by Microsoft via Office 365. The report itself outlines the risk assessment for organizations that use Office 365 (and as such is important reading for U.S. law firms). Specifically, Microsoft gathers data from users (and calls said data “diagnostic data”) and other data (termed “telemetry data”) that is separate from “Customer data,” the latter of which is a defined term in the End User License Agreement. The diagnostic and telemetry data are routinely sent from the user’s machine and processed and/or stored on Microsoft’s servers in the U.S.; this was also the case for some previous versions of Office (before Office 365). The Dutch government recognized the potential for that diagnostic and telemetry data to contain GDPR-affected information (given the broad definition of ‘personal data’ in Article 4 noted above). This case illustrates the way that law firms can innocently use third-party software without realizing the ways in which that software can violate GDPR.
Note, there is no “grandfather clause” in the definition of ‘personal data.’ Nor is there an intent requirement for a violation of GDPR, or a “safe harbor” provision. Strict liability is the rule. A law firm may obtain data from another source without knowing that said data contains the personal data of European citizens, yet that law firm would still be liable for violations of GDPR. Caveat emptor!
Texas law firms with European clients, or law firms having lawsuits dealing with European individuals, are affected. Moreover, with the recent data privacy scandals of Facebook and other social media sites, there has been an increased awareness of data privacy within the U.S., and thus many American companies may adopt GDPR-like provisions in order to forestall something more onerous. Besides law firms, many clients are also affected because smartphone apps often are disseminated to European customers as well as those in the U.S.
Conclusion
GDPR is broad in scope and territory. Texas law firms (and U.S. companies) should be mindful of its provisions and penalties. Moreover, GDPR is proving to be popular with individuals in Europe as well as Americans, so wider adoption of GDPR-like provisions is possible.
i Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Document 32016R0679, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679