The European Union May Change the Way in which U.S. Companies Must Protect Personal Data
The United States has always viewed the protection of personal data as a commercial issue and has tried to draw a reasonable balance between the use and protection of personal data. The EU views the protection of personal data as a fundamental human right. It is willing to place a heavier burden on companies with respect to their commercial use of data and to provide individuals with greater rights to control and restrict the use of their personal data. Over the last few years, the EU has become more aggressive in seeking to ensure EU-type protection for the personal data of EU residents collected by U.S. companies.
Sweeping changes are now on the horizon. In 2016, the EU adopted a new regulation on personal data, the General Data Protection Regulation (GDPR), which will become effective in May 2018. Under existing law, which will remain in force until the effective date of the GDPR, EU law does not generally apply to the typical small U.S. business that operates solely in the United States but accepts online orders from EU residents. The GDPR purports to extend its coverage to any company that processes the personal data of EU residents if the processing is related to the offering of goods or services to EU residents or to monitoring the behavior of EU residents in the EU, even if the U.S. company has no office in the EU and does not process data using equipment located in the EU.
If the GDPR applies to a U.S. company, that company will be subject to new requirements that will change the way in which it handles the personal data of EU residents. As a starting point, the EU will require “fair processing” of such personal data, which will generally impose obligations on the collection, storage and use of personal data that are slightly more stringent than the current best practices in the United States. Among other things, the fair processing requirement will require companies to have more detailed privacy policies and new and more cumbersome user registration procedures to ensure that users provide “freely given, specific, informed and unambiguous” consent to many of the common uses of personal data.
A more troubling aspect of the GDPR relates to new rights granted to EU residents to control, limit and prohibit the processing of their personal data. If these requirements apply to a U.S. company, they will fundamentally change the way in which the U.S. company uses such personal data and will impose material new costs and burdens. The most significant rights are discussed below:
- Right to review and correct personal data. An individual will have the right to request and obtain a significant amount of information on the type of data being collected and retained and how it is being used. In addition, the individual can obtain a copy of his or her personal data being processed, and can require the correction of any personal data that is inaccurate or incomplete.
- Right to be forgotten. Under many circumstances, an individual will have a relatively broad “right to be forgotten and to erasure.” If an individual properly exercises this right, then subject to certain exceptions, the company must erase the individual’s personal data and, if it has already provided the personal data to any third party, it must take all reasonable steps to cause the personal data to be erased by that third party.
- Right to object to direct marketing. An individual can object to the use of his or her personal data for direct marketing purposes, including the creation of any user profile that is used for direct marketing, and the company will have to discontinue any such use of that personal data.
- Right to data portability. Under most circumstances, an individual will have the right to obtain a copy of any personal data that he or she has provided, together with any additional personal data generated as a result of the individual’s use of the online service. The copy must be provided in a structured, commonly used and machine-readable format. The individual will also have the right to transfer the personal data to another company. This right is intended to make commercial relationships less sticky by making it easier for an individual to change service providers.
Finally, the GDPR will strictly control any covered company’s collection and use of sensitive types of personal data, such as data concerning racial or ethnic origin, political opinion, religious or philosophical belief, trade-union membership, genetic or biometric data, and data concerning a person’s health, sex life or sexual orientation. This type of data cannot be processed without explicit consent, and a company has very limited rights to use sensitive data to make automated (that is, profiling-based) decisions that would have a significant legal impact on the individual.
Many companies will have already had a glimpse of this new legal landscape by taking the required steps to comply with the new Privacy Shield when they transfer personal data from the EU to the United States. To qualify for the Privacy Shield under the rules adopted by the U.S. Department of Commerce, a company must adopt some of the general EU principles of “fair processing” of personal data, including an expanded privacy policy, limitations on the onward transfer of personal data to any company with less stringent protections, and the ready availability of an independent third party to resolve disputes. To qualify for the Privacy Shield, a company must grant the data subject some, but not all, of the rights that will be required by the GDPR. The data subject must have a limited version of the right to review and correct the data discussed above and must have the right to limit the use of provided personal data, but the Privacy Shield does not require a company to extend the right to be forgotten or the right to data portability as discussed above.
Companies trying to cope with these changes will face a fluid situation over the next year for several reasons. First, while the purported scope of the GDPR is expansive, many observers question whether the EU will really try to enforce the GDPR against U.S. companies with no physical presence or assets in the EU. Second, the EU is only slowly releasing guidance, so many of the high-level requirements are still unclear in application. Finally, even recently negotiated mechanisms such as the Privacy Shield continue to be under legal attack in the EU because of widespread skepticism about the adequacy of personal data protection in the United States. It is entirely unclear how the new U.S. administration will respond to demands that the Privacy Shield be strengthened, or what options would be available to U.S. companies if the EU courts were to hold it invalid.
We will update you as these developments unfold over the next year. In addition, when the implementation date for the GDPR gets a little closer, we will provide you with more detailed guidance on the changes you should expect and your options for dealing with those changes.