By now, you have probably heard that the European Union (EU) has a new data protection law on the books, the General Data Protection Regulation (GDPR) – but what are the new rules, and how might they apply to broadcasters? Below we address these and other commonly asked questions about the GDPR.
What is the GDPR? The GDPR is a new European privacy law that, as of May 25, 2018, generally governs how organizations – including those EU-based and many that are not – collect, use, disclose, or otherwise “process” personal information. While some limited exceptions exist (e.g., businesses with fewer than 250 employees are exempt from some requirements), the GDPR imposes an array of obligations on companies subject to it.
Who does the GDPR apply to? The GDPR clearly applies to companies established in the EU that collect personal information about individuals in the EU, but it also claims a broad extraterritorial reach. Indeed, it can apply to organizations, including broadcasters, without an EU presence. For instance, it can apply to broadcasters who collect or use data to provide services like streaming TV or radio to individuals in the EU. It also can apply to broadcasters who use website cookies and other online tracking mechanisms to “monitor” individuals in the EU (e.g., profiling for behavioral advertising). That said, it remains to be seen whether regulators will enforce the GDPR against companies that for the most part are not serving EU citizens and do not have EU operations, but may occasionally and unknowingly acquire data of an individual in the EU or an EU citizen in the United States.
The GDPR applies to both “controllers” and “processors” of “personal data” of EU citizens. “Personal data” is broad. It includes any information that relates to an identifiable natural person, including, for example, online identifiers and other similar information that has not always been considered personally identifiable information in the United States. Controllers and processors also are considered broadly. Generally speaking, a “controller” is a company that directly interacts with consumers (e.g., by providing a website) and collects their personal data. And a “processor” provides data processing services on behalf of a “controller,” such as, for example, cloud computing and storage.
If the GDPR applies, what do I have to do? Among other things, companies subject to the GDPR must have a “legal basis” for processing personal data. Consent offers one such basis. Consent must be “freely given, specific, informed, and unambiguous,” and it cannot be inferred, so companies must allow consumers to “opt-in.” At a high level, to ensure that consumers are informed about data practices, privacy policies and other discussions of data practices should be written in clear and plain language (not legal jargon) and state, among other things, the specific purpose or purposes for processing individuals’ data. Importantly, consent previously obtained may no longer be valid if it does not meet the GDPR’s more stringent requirements.
Is GDPR compliance really that simple? The short answer is no. Obtaining consent, or otherwise establishing another legal basis for processing personal data, is only the beginning of GDPR obligations, not the end. Other obligations relate to access, accuracy, data security, data minimization, accountability, and providing a “right to be forgotten,” just to name a few. Companies subject to the GDPR may need to establish new internal mechanisms in order to address the expanded rights available under the law and the requests that can be made. As just one example, the GDPR provides the right to receive one’s data in a “machine-readable” format and transfer it to another company entirely.
So if I have good in-house practices, I no longer need to worry? Unfortunately, not quite. Companies subject to the GDPR may require greater oversight over, and cooperation with, vendors and other partners (e.g., cloud providers that provide storage). If your vendors and partners are processing data you obtained from consumers in ways inconsistent with the law, you could be on the hook.
If the GDPR is primarily an EU law, why are U.S. companies so concerned? U.S. companies are worried for several reasons, but one that may drive much of the anxiety is the exorbitant fines available under the GDPR: Severe violations of the GDPR can result in fines up to 4% of a company’s annual global revenue or 20 million Euros – whichever is higher! The GDPR also makes it easier for individuals to bring private claims against companies in EU court and/or complain to EU data protection authorities. EU data protection authorities also present a bit of an unknown – their enforcement priorities remain to be seen, but it’s clear that at least some intend to aggressively enforce the new law.
OK, I think I understand the GDPR and how it may or may not apply to me. Is that all I really need to focus on in terms of new privacy laws? For now, maybe. But the emergence of the GDPR could have trickle-down effects both at home and abroad. In particular, the GDPR to date has at least started some conversations about whether the U.S. needs to respond through legislation or other modifications to its consumer privacy approach. Time will tell, but for now, stay tuned!
The GDPR framework is complex, and detailed analysis of compliance should be undertaken with counsel qualified to interpret all of its nuances. This article therefore provides only a general description of the GDPR and should not be viewed as legal advice. If you think that your operations may trigger GDPR obligations, obtain that legal advice for a full analysis of your compliance obligations.