A number of companies providing ITAM Services to clients with data originating from within the European Union (EU) are wary of the EU’s new General Data Protection Regulation (GDPR) coming into effect in May. Why is that?
It seems that despite the extensive efforts of US businesses to put in place new rules and procedures for the processing of personal data on EU residents, it still remains to be seen what procedures will ultimately emerge as the standard for satisfaction of the mandates under the new GDPR. Ultimately that uncertainty is causing some concern.
You may recall that in 2000, the US Department of Commerce and the EU reached an agreement regarding the manner in which US businesses would handle personal data of European citizens. This Safe Harbor Law was the response to the European Commission Directive on Data Protection and was a single set of data protection requirements for transferring data across the borders of countries that joined the Safe Harbor collective. In 2015, however, the European Court of Justice overturned the Safe Harbor agreement, finding it insufficient in providing privacy protection and the ability for an individual to pursue legal remedies regarding his personal data. The immediate effect was that US businesses could become subject to different data protection rules for each individual European country – a logistical nightmare.
At the time the Safe Harbor Law was overturned, the EU had been working on a directive to establish a uniform set of rules for protection of its citizens’ personal data. After years of effort, the EU has now adopted its new GDPR describing its motivations, rules, remedies, and penalties in a short 88-page document. It is this writer’s opinion that the document is difficult to read because it is verbose, and unfortunately for us, the multitudinous words do little to delineate or clarify the precise rules which will now govern the handling of personal data on European citizens despite the global reach of the Regulation and the horrifically harsh penalties prescribed for any violation of it.
Nonetheless, the Regulation takes effect on May 25, 2018, and everyone in the US is scrambling to take some affirmative action to ensure they will be in compliance with the GDPR based on each company’s own interpretation of the Regulation, despite the inevitable uncertainty of how strictly it will be applied or how frequently it will be tested.
The language of the GDPR appears to be deliberately inclusive with very broad definitions that can arguably include anything and everything. It is this type of language that will give the EU and its members sweeping control over the handling of subject data. For example, these definitions appear in the GDPR:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
The GDPR imposes significant accountability obligations when processing personal data, requires data breach notifications, and provides for fines which may be as high as 4% of a company’s global annual revenue or 20 million Euros. These significant penalties have not simply caught the attention of US businesses; they have reeled them in for the long haul. In addition, the Regulation provides EU citizens with a specific set of rights related to the use of their personal data, including the right to have it deleted entirely, as well as more stringent requirements for obtaining consent to use the data at all.
As with every significant legal issue to which the writer has been exposed, I expect that this is only the beginning of a long process to determine what is actually meant and intended by the words of the GDPR, what is a reasonable interpretation, what are the practical and therefore likely methods of enforcement, and what interpretation will ultimately become the standard on which US businesses can rely.
With the protection of personal data being such a hot-button issue in our society today, do you believe that such extensive, all-encompassing regulations as the GDPR are sensible? Reasonable? The way of the future? Will it change the way ITAM service providers, and others, do business in the EU?