December 4, 2017
The General Data Protection Regulation (GDPR), a new European Union data privacy and protection regime, has already entered into force and is slated to become effective on May 25, 2018. Designed to provide greater protections to the personal data of individuals located in the EU, the GDPR imposes a host of new obligations on both “controllers” and “processors” of such data. Additionally, the GDPR calls for large penalties when companies fail to comply with these new obligations. While many U.S. companies have already begun the process of bringing themselves into compliance, the GDPR has such a long reach that it may encompass a large subset of U.S. organizations that would not ordinarily expect to be subject to European data privacy laws. Smaller organizations or those that deal with a relatively small amount of data originating in the EU may be especially likely to be caught off-guard. Such organizations must take immediate steps to assess whether they are subject to the new GDPR and to bring themselves into compliance.
This client alert lays out the global scope of the GDPR and describes which organizations may be required to comply. Next, we explain the obligations that the GDPR imposes on controllers and processors, as well as the stringent restrictions placed on cross-border data transfers to countries outside of the EU. We then provide an overview of the various compliance mechanisms and penalties the GDPR includes, and potential deviations in the implementation of the GDPR that might be seen in particular EU member states. Finally, we conclude with practical advice for organizations transitioning to the new regime.
As 2017 draws to an end, U.S. companies that handle the personal data of individuals located in the European Union (EU) are closer to confronting a new data security and privacy regime that will require an increased focus on compliance, even where such companies do not have establishments in the EU. Though it has already entered into force, the EU’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018, formally replacing the 1995 EU Data Protection Directive (1995 EU Directive) as the framework governing the processing of personal data across EU Member States. The GDPR is intended to provide greater protections to personal data belonging to individuals located in the EU, as well as greater consistency in application across the Union. Significantly, the GDPR will impose new obligations on organizations involved in the processing of EU personal data. Fines under the GDPR will likely vary significantly, with a maximum of the greater of either €20,000,000 or 4% of annual worldwide turnover, depending on the seriousness of the violation.
While large, data-driven companies with a global footprint are likely already well-aware of the GDPR, U.S. organizations that handle even small amounts of EU personal data may be surprised to find themselves subject to the GDPR and need to take steps to bring themselves into compliance before the regulation goes into effect. One significant change is that while the 1995 EU Directive currently places the burden of compliance on controllers of personal data, the GDPR creates direct obligations and liability for processors, including those based in the U.S. In other words, the GDPR rebalances obligations between companies requesting services (controllers) and companies offering services (processors). The purpose of this client alert is to increase awareness of possible GDPR obligations among smaller U.S. organizations, organizations in which data processing is not a large proportion of their business, and organizations that do not have a large European footprint but may nonetheless handle some data belonging to persons located in the EU, as well as to explain the different EU-approved mechanisms for the transfer of data from the EU to the United States for processing. Because controllers and processors may incur both large penalties and liability for non-compliance with the GDPR, and because it will take time to bring programs into compliance, the time is now for entities involved in the processing of EU personal data to familiarize themselves with the relevant requirements of the GDPR and to work on implementation of any necessary changes.
First and foremost, U.S. organizations that interact with the EU market and/or that have entities in the EU should assess whether they will be required to abide by the GDPR when it takes effect in May 2018. The GDPR applies to organizations involved in the processing of personal data of individuals located in the EU. “[P]ersonal data” is defined broadly as “any information relating to an identified or identifiable natural person.” “Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data.” These are broad definitions encompassing a range of data types and a variety of data usages—they are designed in particular to sweep in U.S. technology companies. Indeed, information such as log-in information, IP addresses, and vehicle identification numbers, though not enabling direct identification of individuals, allow for identification of individuals indirectly and are therefore considered to be personal data. This means that, in practice, most services and/or projects will be considered to involve processing of personal data. Also important to note is the possibility that, because these definitions—particularly the definition of personal data—are specific to the EU and the GDPR, U.S. companies may be less familiar with their scope and contours.
Organizations involved in processing personal data are divided into two categories: “controllers” and “processors.” A controller, acting alone or together with others, “determines the purposes and means of the processing of personal data.” A processor, on the other hand, “processes personal data on behalf of the controller.” These definitions remain essentially unchanged from the 1995 EU Directive, and thus an entity that qualifies as a controller or processor under the 1995 EU Directive will likely continue to be a controller or processor under the GDPR.
However, the GDPR significantly expands the territorial reach of EU data laws, applying its requirements to three specific categories of entities:
Organizations, including U.S.-based companies, that fall within any of these three categories will be required to comply with the numerous obligations imposed by the GDPR.
The GDPR imposes many obligations on controllers of EU personal data. Some of these obligations are a continuation of those established by the 1995 EU Directive, but others are either new or expanded. These obligations can be organized into three different streams: (i) principles applicable to the processing of personal data; (ii) data subjects’ rights, and (iii) accountability.
Organizations are expected to be accountable in relation to the processing of personal data. Consequently, they will need to implement several governance measures to demonstrate and document their compliance.
The GDPR creates a number of direct obligations for processors who fall within the scope of the regulation. While processors may have undertaken certain similar obligations by virtue of contracts with controllers in the past, the 1995 EU Directive does not itself impose such requirements on processors. While processors should carefully assess their new obligations with their legal counsel, the GDPR addresses the following topics:
The 1995 EU Directive significantly restricts the transfer of EU personal data to third countries, and these restrictions continue under the GDPR. Both the 1995 EU Directive and the GDPR allow for transfers of personal data out of the EU when the data are being sent to a country that the European Commission (EC) has determined provides an adequate level of protection. But the United States is conspicuously absent from the list of countries that have received an EC adequacy decision. Transfers to countries which have not received the EC’s blessing, like the United States, must either fall within one of the various derogations in the Directive (or Regulation) or the parties involved in the transfer themselves must provide adequate assurances that the data will be protected. Because the GDPR requires the same protections be carried over for “onward transfers” or transfers following the initial third-country transfer, compliance with transfer requirements is important for any organization down the chain.
Adequate assurances of data protection can be made in a number of ways, including:
Between 1998 and 2000, the International Safe Harbor Principles were developed in order to provide an alternate mechanism by which U.S. companies could comply with the 1995 EU Directive’s data transfer requirements. Safe Harbor provided a framework of seven data protection principles, and companies could self-certify under the program. In July of 2000, the EC determined that companies complying with the Safe Harbor principles could transfer EU personal data to the United States in compliance with the Directive. But a combination of factors, including the rapid expansion of global online activities and their importance to the transatlantic economy; the rapid increase in the number of U.S. companies taking advantage of the Safe Harbor principles; and the controversy resulting from Edward Snowden’s 2013 leaks of classified information related to U.S. government surveillance activities threw the continuing viability of Safe Harbor into question. In 2015, the European Court of Justice struck down its previous decision that the Safe Harbor Program provided adequate protections for data transferred to the United States.
Consequently, the U.S. government began talks with the EU seeking to develop a new framework. In February of 2016, a political agreement was reached to implement the new Privacy Shield program. Despite concerns raised by the Article 29 Data Protection Working Party and the EU Data Protection Supervisor, the EC adopted the framework in July of 2016.
The 2016 EU-U.S. Privacy Shield allows participating organizations to transfer EU personal data to the United States. Organizations must self-certify as Privacy Shield-compliant, committing to process data only in accordance with the principles set forth by the program. Only organizations subject to the enforcement authority of the Federal Trade Commission or the Department of Transportation are eligible to participate.
Despite the concerns raised by some groups, the Privacy Shield recently successfully passed its first annual review by the EC, with the relatively lukewarm endorsement that the “Privacy Shield works well, but there is some room for improving its implementation.” While the EC found that the framework provides an adequate level of protection for personal data, it made five key recommendations to ensure continued protection:
The continued viability of the Privacy Shield may hinge on the Trump administration’s response to these recommendations. The four vacant PCLOB positions require Presidential appointment and Senate confirmation. President Trump has explained in general that many vacancies across federal departments have not been filled because the administration believes the underlying positions are unnecessary. While it remains unclear whether and how quickly the Ombudsman and PCLOB vacancies will be filled, the Trump administration recently nominated Adam Klein as the PCLOB’s chairman. It also remains unclear whether the administration would support the codification of PPD-28’s protections for non-U.S. persons.
In spite of these concerns, over 2,400 companies currently participate in the Privacy Shield. For U.S. companies that routinely receive transfers of EU personal data, the Privacy Shield provides the easiest method of ensuring compliance with the EU data regimes, present and future, and also affords those companies goodwill with their European customers.
Another popular way to comply with the EU data regimes while transferring personal data to third countries that have not received an adequacy decision from the EC is through standard contractual clauses (SCCs) approved by the EC. Through the use of SCCs embedded in contracts between a data exporter and a data importer, the parties guarantee an adequate level of protection for the personal data involved in the transaction. The EC has adopted SCCs for controller-to-processor and controller-to-controller transactions, which will, for now, continue to provide an adequate level of protection for personal data involved in transfers. Under the 1995 EU Directive, only the EC was permitted to adopt SCCs, but the GDPR permits national supervisory authorities to adopt SCCs as well. SCCs remain a burdensome approach to data transfers because, in practice, data protection authorities require organizations to enter into SCCs to cover each new purpose of processing.
The SCCs have been under legal attack on the theory that U.S. law fails to adequately provide legal remedies to EU citizens and that the SCCs do not address that deficiency. Recently, the Irish High Court in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems referred the issue to the EU Court of Justice to assess whether the EC’s prior decisions approving the SCCs remain valid, finding that the Irish Data Protection Controller’s concerns regarding the continued validity of SCCs are “well-founded,” primarily in light of concerns regarding remedies available in the United States to EU data subjects. Still, SCCs remain one of the most common legal methods utilized to effect personal data transfers out of the EU.
While the 1995 EU Directive did not expressly recognize binding corporate rules (BCRs) (which were created by the Article 29 Working Party), the GDPR explicitly codifies the possibility for organizations to adopt BCRs. BCRs are legally binding internal rules that can be adopted by either multi-national groups of undertakings, or groups of enterprises engaged in a joint economic activity (i.e., groups of legally independent entities). The GDPR introduces regulatory requirements related to BCR content and a simplified approval process. Compared to the SCCs and Privacy Shield framework, BCRs offer an opportunity for more customization that is tailored to the needs of the adopting group of companies. BCRs are also seen by data protection authorities as providing more legal certainty to data transfers. Moreover, BCRs are seen as a tool for accountability because the requirements companies must comply with when adopting BCRs will assist the companies’ efforts in structuring their data protection governance.
Companies can also demonstrate compliance with the GDPR through Codes of Conduct and Certification mechanisms. Codes of Conduct are prepared by associations or bodies representing categories of controllers or processors and must go through a specified approval process that differs depending on whether it governs processing activities in a single EU state or in several states. Compliance will be monitored by an independent body with relevant expertise and accredited by the appropriate supervisory authority. Certification mechanisms, seals, or marks, on the other hand, might be established by the supervisory authorities, European Data Protection Board, and the EC in the future as a way similarly to demonstrate compliance. Adherence to a Code of Conduct or certification mechanism, if binding and enforceable, can be used to demonstrate appropriate safeguards for data transfers to third countries. The viability of these new mechanisms under the GDPR remains to be seen.
Significantly, Article 48 of the GDPR could impede a company’s ability to comply with the U.S. legal process requiring the production of EU personal data. Under this provision, any judgment of a court or decision by an administrative authority of a third country that would require transfer or disclosure of EU personal data is only recognizable and enforceable if based on an international agreement, such as a mutual legal assistance treaty between the third country and the EU or a particular member state. Although the United States and the EU have entered into a binding Mutual Legal Assistance Agreement (MLAA), Article 48 may present challenges where there is a conflict between U.S. legal process and the requirements of the MLAA. Further, if the U.S. courts’ collective disregard for European blocking statues is any indication of how they will approach this provision of the GDPR, we may find that courts are particularly unsympathetic to the claim that production would violate the GDPR, potentially placing companies in the difficult position of choosing whether to comply with the U.S. legal process or the GDPR.
The GDPR grants investigative powers to the Member States’ supervisory authorities that are roughly consistent with those under the 1995 EU Directive, and controllers and processors are obligated to cooperate with supervisory authorities on request. Supervising authorities are also given an array of corrective powers with which to address infringements of the GDPR, including the ability to issue warnings or orders and impose administrative fines. Maximum fines for violations of specific articles are provided, topping out at the greater of either €20,000,000 or 4% of the total worldwide annual turnover from the preceding financial year.
The GDPR also creates a right to compensation for any person who has suffered material or non-material damage as a result of an infringement of the obligations in the regulation. For the first time, a processor is directly liable for damage caused by processing that does not comply with GDPR obligations specifically directed to processors or where it has acted contrary to the controller’s lawful instructions unless the processor can prove that it is not “in any way responsible for the event giving rise to the damage.” A data subject’s claim under Art. 82 of the GDPR is without prejudice to any claims involving the violation of other provisions of EU or Member State law.
Data subjects may lodge a complaint with a competent supervisory authority for violations of the GDPR. They may also seek a judicial remedy against a controller or processor before the courts of the Member State in which the controller or processor has an establishment or where the data subject habitually resides. Additionally, both data subjects and controllers/processors can seek a judicial remedy against legally binding decisions of a supervisory authority in the courts of the Member State in which the supervisory authority is established.
While the GDPR was designed to provide a more uniform data regime across the EU than its predecessor directive, which required implementing legislation in each Member State, it includes a number of opening clauses that allow Member States to introduce particularized legislation in certain areas of data protection. Organizations should therefore pay close attention to any national distinctions that develop as Member States begin to pass such legislation. In particular, the GDPR allows for Member States to set general data protection requirements involving the processing of employee personal data that align with their respective labor law regimes. Notably, most European countries are currently working on the adoption of national legislation that intends to embody the GDPR’s requirements. The risk, however, is that each national legislature will introduce its own specific constraints.
In October 2017, the Article 29 Working Party issued guidance with the stated objective of helping supervisory authorities across the EU to apply administrative fines consistently. Given the general nature of the criteria to apply, uniformity will be challenging to achieve.
The German Parliament recently adopted the new Federal Data Protection Act (the “DPA”), which will come into force simultaneously with the GDPR on May 25, 2018, and which is meant to implement the GDPR into German law. During the legislative process, Germany made use of several opening clauses contained in the GDPR to maintain certain well-established provisions of the old DPA. However, the EC has questioned whether all new provisions in the DPA are actually covered by these opening clauses; in fact, some European officials noted off the record that the new DPA may undermine the goal of full harmonization within the EU.
Important deviations from the GDPR include:
Respecting the results of a national referendum that took place on June 23, 2016, the UK government gave the European Council formal notification of the UK’s intention to withdraw from the EU (“Brexit”) on March 29, 2017. Absent an extension agreed upon by all other Member States, the UK will leave the EU at midnight on March 29, 2019.
In preparation for Brexit, the UK government is planning to enact national legislation that would continue to apply GDPR-compliant standards of data protection in the UK after Brexit. It is hoped that an agreement will be reached under which UK laws are acknowledged by the EU to provide an adequate level of protection post-Brexit, thus permitting data transfers between EU countries and the UK without the usual restrictions applying to “third country” transfers (see section 4 above). While transfers of data between the UK and U.S. may fall outside the EU-U.S. Privacy Shield after Brexit, it is hoped that a similar UK-U.S. agreement will maintain free data flows with the U.S. post-Brexit.
As the implementation date for the GDPR approaches, organizations need to bring their operations into compliance with the new regime. The very first step an organization must take is to determine whether it is covered by the GDPR. If so, the organization must make efforts to fully understand what data it collects, processes, and stores. An organization must identify what personal data is being gathered across all of the organization’s groups and functions and determine the purpose for collection, whether that collection is being minimized to meet only that purpose, and whether the company is collecting any of the various types of sensitive data under the GDPR.
Beyond collection of data, the organization must understand how the data is being processed and stored. This includes the lawful basis for processing each set of data, data protection measures that are being used, the location of the stored data, the period of time such data will be stored, where and how records of processing and storage are being kept, and many other considerations. Obtaining all of this information will likely require a company-wide audit and stakeholders in all aspects of the business should be involved in this assessment. Often, collection and processing activities take place in departments that are not normally associated with data processing. Thus, data mapping is an important first step in determining what changes an organization must make to bring itself into compliance with the GDPR.
On top of the collection, processing, and storage considerations, organizations must be aware of how they transfer and share data. As discussed above, the GDPR places restrictions on data transfers, especially those in which data is transferred across borders to countries outside the EU. These considerations apply regardless of whether such transfers take place only within the company or group of companies. Further, companies that transfer data to processors or sub-processors will need to reevaluate their contractual relationships with such processors, as well as the capabilities of the processor.
After data mapping and auditing, the company should put together a plan to bring itself into compliance with the GDPR. Processing activities that imply processing of sensitive personal data or that relate to purposes implying intrusion into data subjects’ lives should be given top priority. The compliance plan should include specific training needs, as well as legal and technological elements that need to be addressed. Again, stakeholders in all aspects of the business should be involved in order to best implement organization-wide changes.
Data management will likely require significant thought and investment moving forward. Organizations must comply with GDPR requirements surrounding deletion of data, limitations on its use, and ensuring adequate security measures are in place. Systems and processes must be in place to comply with requests from data subjects, such as providing copies of data, transferring data to other controllers, rectifying errors, and even erasure in certain cases. Record-keeping may require further investment, as organizations will have to maintain detailed records of their processing and compliance with the GDPR. Data controllers should reconfigure their privacy policies to properly notify individuals of processing, making sure to comply with GDPR principles governing transparency and consent.
Organizations may even need to make changes to their corporate governance. As discussed above, some organizations will be required to obtain a DPO to monitor GDPR compliance, serve as a contact for regulators, and oversee data impact assessments. The DPO can either exist within the organization or externally, but every indication is that the DPO must be highly knowledgeable both in terms of data privacy expertise and awareness of the inner workings of the organization. Because of requirements relating to the independence of the DPO, organizations should give significant thought to the organizational placement of the DPO and to whom the DPO should report within the corporate structure. Even where a DPO is not required, organizations should reevaluate their current privacy team to account for ongoing compliance requirements under the GDPR, such as data impact assessments, handling requests from data subjects, interfacing with regulators, and ensuring adequate record-keeping. Many larger, data-driven businesses have approached regulators with their current plans to obtain their input.
When the GDPR takes effect in May of 2018, it will take some time to sort out some of the ambiguities that exist and to understand how enforcement is being carried out. Nonetheless, organizations should make concerted efforts to comply with the terms of the regulation from its outset, especially given the potential for such weighty penalties. Any concerns should be discussed with counsel well in advance of the GDPR’s effective date in order to ensure a smooth transition to the new regime.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.
 Rec. 23, GDPR; see also Art. 3, ¶ 2(a), GDPR.
 Rec. 24, GDPR; see also Art. 4, ¶ 2(b), GDPR.
 Art. 28, ¶ 3 (a)–(h), GDPR.
 Guidelines on Data Protection Officers (‘DPOs’), Article 29 Working Party, at 4 (Dec. 13, 2016). http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf.
 See European Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, Section 1 (Dec. 7, 2016). http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision_en.pdf.
 Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (Oct. 6, 2015). http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1444299455884&uri=CELEX:62014CJ0362.
 Privacy Shield Framework. https://www.privacyshield.gov/article?id=OVERVIEW.
 First Annual Review of the EU-U.S. Privacy Shield (Oct. 18, 2017). http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=605619.
 EU-U.S. Privacy Shield: First review shows it works well but implementation can be improved (Oct. 18, 2017). http://europa.eu/rapid/press-release_IP-17-3966_en.htm.
 Three Companies Agree to Settle FTC Charges They Falsely Claimed Participation in EU-US Privacy Shield Framework, Federal Trade Commission (Sept. 8, 2017). https://www.ftc.gov/news-events/press-releases/2017/09/three-companies-agree-settle-ftc-charges-they-falsely-claimed.
 Sec. 4, Presidential Policy Directive 28 (Jan. 17, 2014). https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities.
 Irish Data Protection Commissioner v. Facebook and Max Schrems, 2016 No. 4809 P. https://arstechnica.co.uk/wp-content/uploads/sites/3/2016/07/Judgment-of-the-High-Court-of-Ireland-in-the-case-data-protection-Commissioner-v-Facebook-relating-to-motions-to-allow-amicus-curia.pdf
 Arts. 46, ¶ 2(b) & 47, GDPR.
 The Article 29 Working Party is the independent European Union Advisory Board on Data Protection and Privacy established under Article 29 of the 1995 EU Directive.
 Art. 46, ¶¶ 2(e) & (f), GDPR.
 Agreement Between the United States of America and the European Union (signed June 25, 2003; entered into force February 1, 2010). https://www.state.gov/documents/organization/180815.pdf.
 Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, Article 29 Data Protection Working Party (Oct. 3, 2017). https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889.
 Federal Data Protection Act (June 30, 2017). https://iapp.org/media/pdf/resource_center/Eng-trans-Germany-DPL.pdf.
Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed above. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Privacy, Cybersecurity and Consumer Protection or National Security practice group, or the following authors:
Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, email@example.com)
Alexander H. Southwell – Chair, Privacy, Cybersecurity & Consumer Protection Practice, New York (+1 212-351-3981, firstname.lastname@example.org)
Ahmed Baladi – Paris (+33 (0)1 56 43 13 00, email@example.com)
Emanuelle Bartoli – Paris (+33 (0)1 56 43 13 57, firstname.lastname@example.org)
James A. Cox – London (+44 (0)20 7071 4250, email@example.com)
Michael Walther – Munich (+49 89 189 33-180, firstname.lastname@example.org)
Ryan T. Bergsieker – Denver (+1 303-298-5774, email@example.com)
Jason N. Kleinwaks – Washington, D.C. (+1 202-887-3793, firstname.lastname@example.org)
© 2017 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.