In April 2016, the European Union (“EU”) Parliament approved the General Data Protection Regulation (“GDPR”) replacing the now antiquated “Data Protection Directive” originally adopted in 1995. Beginning on May 25, 2018, subject companies must comply with the terms of the GDPR, or run the risk of facing harsh monetary penalties and sanctions. The EUGDPR will apply to all businesses that maintain a presence in any EU member country, whether or not the information processing takes place in the EU, and also to businesses that do not maintain any presence in the EU but nonetheless offer goods or services to EU data subjects or monitor the behavior of EU data subjects. EUGDPR, Art. 3.
The objectives of the EUGDPR are to “protect fundamental rights and freedoms of natural persons and in particular the protection of personal data” and to ensure that “[t]he free movement of personal data within the Union shall be neither restricted nor prohibited…” EUGDPR, Art. 1, ¶¶ 2-3. To accomplish these objectives, the EUGDPR promulgates several rules by which the controller (owner of personally identifiable information) and the processor (entity collecting, recording, organizing, storing, using, or disseminating personally identifiable information) must abide. EUGDPR, Art. 4, ¶¶ 2, 7-8.
Two rules in particular warrant the attention of companies doing business in the EU. First, entities that process or store large volumes of data pertaining to EU citizens, process or store special categories of information (referenced in Articles 9 and 10 of the EUGDPR), or that regularly monitor citizen data must designate a “data protection officer.” EUGDPR, Art. 37, ¶ 1. Article 39 of the EUGDPR defines the responsibilities of the data protection officer. Second, the controller of the data has a 72-hour window in which to notify the relevant supervisory authority of a data breach. EUGDPR, Art. 33, ¶ 1. The controller of the data also has a responsibility to notify the data subject of the breach “without undue delay.” EUGDPR, Art. 34, ¶ 1.
The EUGDPR provides investigatory mechanisms and very severe penalties for compliance failures. In addition to compensating persons suffering “material or non-material damage” as a result of the data breach, there are three tiers of administrative penalties for infringements of the regulation as set forth in Article 83. EUGDPR, Art. 82, ¶ 1. The administrative penalties may be imposed in addition to or in lieu of the supervisory authority’s corrective powers, such as issuing reprimands or orders to controllers of information. EUGDPR, Art. 58, ¶ 2.
Under the first tier, the fines can be as high as the larger of €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year. EUGDPR, Art. 83, ¶ 4. Under the second tier, the fines can be as high as the larger of €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year. EUGDPR, Art. 83, ¶ 5. Penalties in the third tier are to be prescribed by individual EU members for all regulatory violations not referenced in Article 83. EUGDPR, Art. 84, ¶ 1. Penalties under Article 84 are to be “effective, proportionate, and dissuasive.” EUGDPR, Art. 84, ¶ 1.
In determining whether to impose an administrative sanction and the amount of the sanction, due regard is to be given to the nature, gravity, and duration of the infringement; whether the infringement was intentional or negligent; whether mitigation was attempted; relevant previous infringements; the degree of cooperation with the investigators; the manner in which the infringement was made known; and a catchall for any other aggravating or mitigating factors. EUGDPR, Art. 83, ¶ 2.
As set forth above, the EUGDPR, which becomes effective May 25, 2018, will impact numerous types of businesses working in the EU. If you would like to discuss the implications of the new regulation or would like compliance guidance, please do not hesitate to contact any of the firm’s Cybersecurity and Data Privacy practice group leaders set forth below.