On March 12, we posted GDPR Is Coming: Less Than 80 Days to Get Your House in Order. In it, we outlined the penalties for a transgression that are available to the controlling authorities. One of our analysts asked a few questions, which were interesting enough to require their own visibility. We will answer each one in turn.
Q: Is GDPR enforceable outside the EU and other member countries? Could a bill be sent to a US company with only a US location or three, and should it still expect to pay? Would US law trump EU law? This is not an international law.
The simple answer is yes, GDPR is enforceable outside of the EU. The more in-depth answer is that Article 3 of the regulation handles the territorial scope. For those companies that have a physical presence in the EU, the answer is quick and simple: if you are in the EU and doing business in the EU, you are liable to deal with the strictures of GDPR. No arguments, as you are classed as an EU entity. However, it is not the subsidiary entity, but the head office that is counted as the data controller. This is because technical decisions regarding the “purposes and means” of data control are taken in the head office, and those controls trickle down to the subsidiary offices. This was confirmed in a test case with Facebook, which argued that the headquarters of Facebook Europe was based in Dublin, and it was therefore only liable to Irish law. However, that was pulled down by the German High Court and ratified by the European Commission in 2015. This is enforceable under international law that the US is subject to. This is due to the fact that there is a requirement for the non-European entity to have a Europe-based data controller. (The rules surrounding this are complex, but succinctly, if you have a European presence, you are legally obligated to have a data controller, and this controller is legally bound by the provisions of GDPR.)
It starts to get a little greyer when a company has no physical presence in the EU but does significant business with EU citizens. What is considered significant business? This is the important caveat. It suffices to say that “significant” is not two or three transactions a month (unless your company only does two or three transactions). This will effectively exempt mom-and-pop and hobby businesses from enforcement. That said, this will be on a case-by-case basis. Key indicators that may identify whether your company is actively doing business in the EU or marketing to EU citizens or residents include offering payments in local currency (rather than only in USD or AUD) and giving customers the ability to navigate your website in French, German, Polish, or Welsh, for example. This shows a significant marketing effort and potentially that you are directly targeting EU citizens or residents.
Therefore, if your company is regularly undertaking business with EU citizens and it does not have an EU presence, then you will need to register yourself with an independent data controller in each of the EU countries. Now, this may be considered onerous, but your accountant or lawyer will be able to offer advice, and there are already institutions within each EU member state that fulfill these obligations. Yes, there will be a cost. But consider the fact that a transgression of the regulation could be followed by a fine of up to 20 million euros or 4% of annual global turnover: global turnover, not regional turnover, and turnover rather than margin.
On to enforcement. As mentioned in my previous post, there is tiering of sanctions ranging from a stern rebuke in the form of a letter and continuing data audits, up to a potentially bankrupting 20 million euros or 4% annual global turnover. Most GDPR discussions are vendor-driven and paint the worst possible picture of Mom and Pop’s craft business and lives being ruined by a GDPR breach. This situation is highly unlikely. The vast majority of breaches will likely be managed by stern letter. In fact, it is very likely that the vast majority of non-EU businesses will be exempt, as they will be able to prove that they are not “regularly partaking in business with the EU.” However, if a breach letter is received, data audits will follow.
For those companies that are found to have occasioned a significant breach under the regulations of GDPR, the EU will issue a fine. The EU and the US, and the EU and Australia, have reasonably good relationships regarding cross-border compliance issues: consider tax evasion as an example. While there is no official EU-US or EU-AUS negotiated deal covering civil enforcement mechanisms, consider this: Germany takes personal information management very seriously and has on occasion considered data breaches a criminal matter. These could be enforced under international law with potential cooperation between EU and non-EU law enforcement agencies.
This is still a grey area, but this regulation has teeth, and the EU will bite, as it does take individual personal information leaks very seriously.
Q: Would it be safer to just not deal with the EU if you are an entity foreign to the EU?
While it would be an option to ignore the second-biggest market in the world for your goods, why would you when all this act is doing is protecting the personally identifiable information of its citizens? A better option, I would argue, would be to get your data management in order. Before May 25, search your data records for EU addresses and mail those customers requesting permission to keep their data. If you do not receive a response or the response is to remove the data, do so.
Consider your backups, too, as they will include the data. This is a grey area, especially with the right-to-be-forgotten rules. Put processes in place such that whenever a restore is conducted, the restored data is re-purged of noncompliant records.
Q: What if you do everything right according to standards, yet the breach still happens and by using quantum computing, all the encryption is broken? That will be where the criminals will go next.
This is an interesting question, as it considers unforeseen circumstances, or what is called force majeure in legal terms. This essentially means that all bets are off. A significant jump in the capability of processors to crunch algorithms to the extent that all encryption or other methods of control would be breached would most likely cause more issues than PII problems. Further, the targets of any potential hack as a result of these advances would most likely be nation states or global multinationals. Any resulting cases would hinge on the capability of the data processor to foresee and mitigate the breach. In this case, potentially there would be no fault found, but new procedures and controls would need to be put in place, and not just for PII.
Yes, GDPR is around the corner, and yes, there are significant ramifications for failing to comply with the requirements of the regulation. However, the vast majority of obligations can be managed with good data-management policies. The requirement for an EU-based data controller is only for those businesses that actively target the EU as a marketplace, and it just makes good business sense to comply with local legal requirements. The additional processes required to comply with the new GDPR regulations are, in reality, not that demanding.
If you are dealing with the EU on a regular basis and do not have an EU presence, get your lawyer or accountant to register with a local data controller. Monitor the data that you receive from EU-based customers and make sure that you can identify it and that it can be removed/anonymised.
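The consent-and-purge process described above (mail EU customers, remove records with no consent, and re-purge after a backup restore), plus the monitoring advice just given, as an added example that is not part of the original post. The customer schema, the EU country subset, and the sample records are constructed for illustration; a real deployment would use the full member-state list and its own ledger of consent responses.

```python
from dataclasses import dataclass, replace

# Constructed subset of EU member-state codes; a real deployment would use the full list.
EU_COUNTRIES = {"DE", "FR", "PL", "IE", "NL", "ES", "IT", "AT", "BE", "SE"}

@dataclass(frozen=True)
class Customer:
    id: int
    name: str
    email: str
    country: str  # ISO 3166-1 alpha-2 code taken from the billing address

def eu_records(records):
    """First step of the post's advice: find the records that belong to EU customers."""
    return [c for c in records if c.country in EU_COUNTRIES]

def anonymise(c):
    """Strip direct identifiers but keep the row for aggregate statistics."""
    return replace(c, name="REDACTED", email="REDACTED")

def reconcile(records, consented_ids, keep_anonymised=False):
    """Apply the consent outcome to a dataset, including one just restored from backup.

    EU customers who confirmed consent are kept as-is. EU customers who declined or
    never answered are removed (or anonymised when keep_anonymised is set). Non-EU
    records are outside the scope of this check and pass through unchanged.
    Returns (surviving_records, ids_purged).
    """
    survivors, purged = [], []
    for c in records:
        if c.country not in EU_COUNTRIES or c.id in consented_ids:
            survivors.append(c)
        elif keep_anonymised:
            survivors.append(anonymise(c))
            purged.append(c.id)
        else:
            purged.append(c.id)
    return survivors, purged

# Constructed sample data: a live table that was cleaned, then a backup restored over it.
CONSENTED = {2}  # only customer 2 replied "yes" to the permission mail
RESTORED_FROM_BACKUP = [
    Customer(1, "Anna Kowalska", "anna@example.pl", "PL"),    # never replied -> purge
    Customer(2, "Pierre Martin", "pierre@example.fr", "FR"),  # consented -> keep
    Customer(3, "Dana Smith", "dana@example.com", "US"),      # non-EU -> untouched
    Customer(4, "Hans Weber", "hans@example.de", "DE"),       # asked for removal -> purge
]

if __name__ == "__main__":
    kept, gone = reconcile(RESTORED_FROM_BACKUP, CONSENTED)
    print([c.id for c in kept], gone)  # [2, 3] [1, 4]
```

Running `reconcile` as the last step of every restore job is what turns the post's "re-purge on restore" advice into a repeatable control rather than a manual check.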
The vendors of data-protection software would have you believe that GDPR is akin to the apocalypse, and this is just not the case. GDPR is just a codification of EU rules surrounding the management of personally identifiable information. Yes, there are greater sanctions under these regulations than previously, but these are only going to be rolled out in the worst cases. Facebook, for example, is lucky that the Cambridge Analytica fiasco surfaced now and not in two months. Perhaps this was a little more than serendipitous, but we will never know.