Privacy Law Considerations for Companies Expanding to the European Union


Expanding Your Business Into The European Union

For businesses that are considering expanding into the European Union (“EU”), there are privacy laws and regulations that must be taken into account. There is a great deal of complexity in understanding how to comply with these laws and regulations, but doing so is essential for any business that wants to access the EU market. This article focuses on some of the key considerations when it comes to privacy laws and regulations in the EU that businesses need to be aware of. 

General Data Protection Regulation (GDPR) Compliance

The Data Protection Directive, officially Directive 95/46/EC (“DPD”), was adopted by the EU in 1995 to protect individuals with regard to the processing of their personal data and to secure the free movement of such data across all member states. Its replacement, the General Data Protection Regulation (“GDPR”, Regulation (EU) 2016/679), was adopted in 2016 and became applicable on 25 May 2018. Because it is a regulation rather than a directive, it applies directly in every member state without national implementing legislation. The GDPR applies to organizations established in the EU and, under Article 3(2), to organizations established elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EU and the wider European Economic Area (collectively with the EU, “EU”). Businesses (including online businesses) that target or do business with EU data subjects must therefore comply with the GDPR regardless of where they are headquartered.

Let’s start by reviewing the 6 key principles that GDPR is based on and that businesses should adhere to when creating their organization’s privacy management program. Article 5 of the GDPR recites these principles and states that personal data shall be: 

  • processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency); 
  • collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation); 
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
  • accurate and, where necessary, kept up to date (accuracy);
  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed (storage limitation); and
  • processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality).

Organizations are responsible for complying with the above principles and for being able to demonstrate that compliance (Article 5(2)); this requirement is known as “accountability”. In practice it means implementing appropriate technical and organizational measures designed to protect personal data against unauthorized access or disclosure; providing customers with clear notices about how their data will be used; and, where consent is the legal basis relied on, obtaining that consent before collecting or using personal data for the stated purposes. EU data subjects have various rights with respect to their personal data, and organizations must inform data subjects of these rights in their privacy notices (Articles 13 and 14). These rights include:  

  • Right to be informed: about how the data subject’s personal data is being processed by a company.
  • Right of access by the data subject: to the personal data a company holds about the data subject. Data subjects have the right to request copies of their personal data.
  • Right to rectification: a data subject has the right to have inaccurate personal data corrected and incomplete personal data completed. 
  • Right to erasure (“right to be forgotten”): under certain circumstances, a data subject has the right to request that a company remove their personal data from the company’s systems and direct its processors and sub-processors to do the same.
  • Right to restrict processing: under certain conditions, a data subject has the right to require a company to restrict the processing of their personal data.
  • Right to data portability: under certain conditions, a data subject has the right to receive the personal data they provided in a structured, commonly used and machine-readable format, and to have it transmitted to another organization or company.
  • Right to object: under certain conditions, a data subject has the right to object to the processing of their personal data.
  • Rights in relation to automated decision making, including profiling: where applicable, a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects the data subject.

Organizations must facilitate the exercise of these rights and respond to requests without undue delay, generally within one month (Article 12). Data subjects may lodge a complaint about an organization’s privacy practices with a supervisory authority, commonly referred to as a Data Protection Authority (Article 77).

Organizations must also inform data subjects before using their personal data for a purpose other than the one for which it was collected (Article 13(3)), which in practice means notifying customers of material changes to the policies governing how their information is handled. Administrative fines for violating the GDPR can reach up to 20 Million Euro or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)); a lower tier of up to 10 Million Euro or 2% of worldwide annual turnover applies to other categories of infringement (Article 83(4)). 

ePrivacy Directive (EPD) and Cookie Compliance

In addition to the GDPR, businesses must also familiarize themselves with the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC, the “EPD”), which has become known as the “EU Cookie Directive”. Its Article 5(3) governs when a website operator may store information on, or read information from, a user’s device, which covers cookies and similar technologies such as local storage and tracking pixels. The GDPR mentions cookies directly only in Recital 30 (as an example of an online identifier), but because cookie identifiers are personal data, the two instruments together set the legal requirements for website owners. Among other things, a business that operates a website must: obtain affirmative consent from data subjects before setting any cookie other than those strictly necessary to provide the service the user requested; provide accurate and specific information about the type of cookies used, the data each cookie records and the purpose of that tracking; keep a record of each consent given so that it can be demonstrated later; and allow data subjects to withdraw their consent as easily as it was given (GDPR Article 7(3)). 
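The four cookie requirements above map naturally onto a small deny-by-default consent gate. The following JavaScript is an added example written for this article, not code from the author or any vendor: the cookie registry, category names and the in-memory Map standing in for document.cookie are illustrative assumptions so that it runs under Node without a browser. The point it makes is structural: cookies that are not in the disclosure registry cannot be set at all, non-essential cookies cannot be set before an explicit grant, every grant and withdrawal is logged, and withdrawal is one call that also deletes the cookies set under the withdrawn categories.

```javascript
// Added example (not from the original article): a deny-by-default cookie
// consent gate modelled on the ePrivacy/GDPR requirements described above.
// The cookie "jar" is an in-memory Map standing in for document.cookie so the
// example runs under Node; the category names and registry are assumptions.

const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Registry of every cookie the site may set, with the information the banner
// must disclose. Anything not listed here is refused by setCookie(), so the
// disclosure cannot silently fall out of date when a developer adds a cookie.
const COOKIE_REGISTRY = {
  session_id: { category: 'necessary', purpose: 'Keeps the user logged in', data: 'opaque session token' },
  csrf_token: { category: 'necessary', purpose: 'Protects forms against CSRF', data: 'random nonce' },
  _ga:        { category: 'analytics', purpose: 'Usage statistics', data: 'random client id, page views' },
  ad_id:      { category: 'marketing', purpose: 'Targeted advertising', data: 'advertising identifier' },
};

class ConsentManager {
  constructor(jar = new Map(), now = () => Date.now()) {
    this.jar = jar;             // stand-in for document.cookie
    this.now = now;             // injectable clock so the audit log is testable
    this.consented = new Set(); // categories the user has affirmatively accepted
    this.log = [];              // audit trail of consent events
  }

  // What the banner must show: one entry per cookie with category, purpose
  // and the data it records.
  disclosures() {
    return Object.entries(COOKIE_REGISTRY).map(([name, meta]) => ({ name, ...meta }));
  }

  // Consent is only ever granted through this explicit call: there is no
  // default-on state and "continue browsing" never reaches it. 'necessary'
  // needs no consent, so it is ignored if passed.
  grantConsent(categories) {
    const accepted = categories.filter((c) => CATEGORIES.includes(c) && c !== 'necessary');
    for (const c of accepted) this.consented.add(c);
    this.log.push({ event: 'grant', categories: [...accepted], at: this.now() });
    return [...this.consented];
  }

  // Withdrawal is a single call (default: everything) and also removes the
  // cookies already set under the withdrawn categories, so it is at least as
  // easy as giving consent was. Returns the names of the cookies removed.
  withdrawConsent(categories = [...this.consented]) {
    for (const c of categories) this.consented.delete(c);
    const removed = [];
    for (const [name, meta] of Object.entries(COOKIE_REGISTRY)) {
      if (categories.includes(meta.category) && this.jar.has(name)) {
        this.jar.delete(name);
        removed.push(name);
      }
    }
    this.log.push({ event: 'withdraw', categories: [...categories], removed, at: this.now() });
    return removed;
  }

  // The gate: strictly necessary cookies are always allowed; every other
  // cookie requires prior consent for its category; unregistered names are
  // refused outright.
  setCookie(name, value) {
    const meta = COOKIE_REGISTRY[name];
    if (!meta) return { set: false, reason: 'not in registry' };
    if (meta.category !== 'necessary' && !this.consented.has(meta.category)) {
      return { set: false, reason: `no consent for ${meta.category}` };
    }
    this.jar.set(name, value);
    return { set: true };
  }

  // Copy of the audit log, for demonstrating consent to a supervisory authority.
  consentLog() { return this.log.map((e) => ({ ...e })); }
}

// Walk-through on constructed sample data with a fixed clock.
function demo() {
  let t = 1700000000000;
  const cm = new ConsentManager(new Map(), () => (t += 1000));
  const before = cm.setCookie('_ga', 'GA1.2.123');   // refused: no consent yet
  cm.setCookie('session_id', 'abc');                  // allowed: strictly necessary
  cm.grantConsent(['analytics']);
  const after = cm.setCookie('_ga', 'GA1.2.123');    // allowed after the grant
  const ads = cm.setCookie('ad_id', 'xyz');           // still refused: marketing not accepted
  const removed = cm.withdrawConsent();               // clears _ga, keeps session_id
  return { before, after, ads, removed, cookies: [...cm.jar.keys()], events: cm.consentLog().length };
}
```

In a real deployment the jar would wrap document.cookie (or the Set-Cookie header on the server side), the consent log would be persisted with the consent text version the user saw, and third-party scripts such as analytics tags would be loaded only after grantConsent() for their category, since a tag that runs before consent sets its cookies regardless of what this gate allows.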

For businesses looking to expand into the EU, cookie compliance under the GDPR and the ePrivacy Directive will be crucial.

Additional Considerations 

Businesses should ensure they have adequate internal procedures in place for responding quickly and effectively to a personal data breach, which GDPR Article 4(12) defines as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The deadlines are short: unless the breach is unlikely to result in a risk to individuals, the controller must notify the supervisory authority within 72 hours of becoming aware of it (Article 33), and must inform affected data subjects without undue delay where the breach is likely to result in a high risk to them (Article 34). Aside from compliance with the GDPR and EPD, businesses should also consider other privacy rules that may exist in each country where they operate, such as those concerning employee privacy rights or children’s online privacy. Furthermore, organizations should review their existing contracts with vendors and service providers who store or process customer-related data on their behalf. Those third parties, known as processors or sub-processors as the case may be, must be bound by a written contract containing the terms required by Article 28, must themselves comply with applicable privacy laws when handling such information, and must notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)). 

Final Words

Privacy laws can seem daunting, but being aware of them is essential for any business operating within the European Union, or outside it, that handles data subjects’ personal data originating from within its borders. In this article we touched upon the main privacy regulations, but an in-depth analysis of the organization’s structure and ultimate business goals is needed in order to create an accurate road map to compliance and to protect customers and employees from the risks associated with mishandling of their personal data.

Jenya Beylin

Jenya Beylin is a Senior Attorney at Meyer Law, one of the fastest growing law firms in the United States. Jenya helps companies with domestic and international privacy, data protection and compliance matters. Jenya is a blog contributor at Meyer Law and is a member of the International Association of Privacy Professionals (IAPP). Learn more about Meyer Law and follow us on Instagram @loveyourlawyer.