US companies are behind the curve on understanding how GDPR impacts their businesses

There’s an eerie lack of awareness about the impact of the GDPR on US businesses that target consumers in the European Union. According to recent research by the IAPP, complexity of laws, inadequate budget and too little time combined with the lack of qualified and trained staff have conspired to perpetuate this lack of readiness by US companies.

Here in Europe, many companies and organisations have been bracing themselves for the biggest shake-up in data protection, privacy and security for over two decades that’s fully effective from 25 May 2018 – in 13 days’ time.

I’ve been in conversations with senior US-executives who’ve boldly told me that the “GDPR doesn’t apply to them” and in any event they can rely on ‘legitimate interest’ to continue to market goods and services and monitor the behaviour of EU citizens as they’ve always done.

Well, they’re in for a nasty shock.

US-based companies that have never set foot within the EU will face significant sanctions and fines – between 2%-4% of global annual turnover or €10-20m, whichever is greater, if they refuse to play by the new rules.

This may sound like a nightmare scenario but data protection, privacy and security laws across the world’s largest digital single market have got a lot tougher.

In fact, it’s less about being the ‘general’ and more about being the ‘global’, so perhaps GDPR should be an acronym for ‘Global Data Protection Regulation’. Other jurisdictions are following the European lead here, and this is reflected in many of the papers submitted to be as Editor- in-Chief of the Journal of Data Protection & Privacy.

There are several reasons for the evolutionary change in the global data protection landscape. And the big one of course is definitely privacy. The Facebook/Cambridge Analytica scandal that impacted 87m personal data records may only be the tip of the iceberg of what’s now known as ‘surveillance capitalism’.

Interestingly, the word ‘privacy’ doesn’t appear in the US Constitution, unless I missed this? However, like the right to carry arms that so many Americans feel define their version of democracy, millions of Europeans consider their right to privacy of their personal information to be just as sacred and a fundamental human right.

But this isn’t just a European thing. It’s a global thing. In a landmark judgment in August last year, the Indian Supreme Court highlighted the fundamental and universal value of the right to privacy as an “essential facet of the dignity of human being.”

But it would be wrong to ignore American jurisprudence on this point. In 1928, the celebrated US jurist and one of the founders of modern privacy law, Justice Louis D Brandis of the US Supreme Court said: “The right to be left alone is the most comprehensive of rights and the right most valued by free people.”

European experiences in the last century, where personal information was extensively used for totalitarian and genocidal purposes, may be at least partially responsible for an array of national laws enshrining a right to privacy, as well as supranational protections beginning with Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms and Protocols in 1950, and more recently, the EU Data Protection Directive of 1995.

The EU Directive 95/46/EC (now repealed and replaced by the GDPR) had established a broad set of principles with respect to the protection of privacy and personal data. However, each EU Member State was given wide discretion to implement these principles at a national level with the result that US companies faced a patchwork of data protection, privacy and security laws that made it extraordinarily difficult to work out how to run marketing campaigns across the EU without the fear of falling foul of data protection and privacy laws that varied between different European jurisdictions.

The legacy is that today the patchwork quilt of different EU Member State laws is now vastly reduced to a few operational areas and although not perfect and not without its critics, the GDPR is a bold and ambitious attempt at achieving a degree of harmonization and consistency not achieved in the past 20 years.

Cross-border transfer of personal data between US and EU is now going to change

A critical commercial impact of these assorted data protection and privacy laws is on cross-border personal data transfers between the EU and other jurisdictions.

Only a small number of other countries, such as Canada (part) and Israel, had been viewed in the EU has having “adequate security,” so transfers of personal data from the EU to these countries isn’t generally restricted under the GDPR. The US struck it’s own style adequacy mechanism with the EU-US Privacy Shield. But really how long will this last as this remains in the balance.

EU Standard Contractual Causes (SCCs) are an alternative to Privacy Shield. The “Model Contracts” are forms negotiated between the Commerce Department and the European Commission that are to be used when personal information is transferred from the EU to the US. These documents typically can’t be modified to suit the business transaction and this inflexibility can sometimes be a barrier to their use.

A very few US organizations have implemented “binding corporate rules” (BCRs) that allow multinational corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance with the GDPR. The rules must conform to strict protocols, and be approved by multiple data protection agencies in Europe.

The time, cost and expense of enacting BCRs has slowed adoption by even very large companies, which is why the GDPR will become de facto the way in which data transfers will now be regulated with the objective of harmonization across Europe and sweeping away the wide variety of rules and regulations among EU Member States and replace them with a uniform set of principles.

Why a single EU Regulation is a game-changer for US marketers

At first glance, the concept of uniformity is extremely attractive. Regulation 2016/679 has been regularly promoted as a means to simplify conducting business in the European Union and the the broader European Economic Area (EEA).

However, the ‘devil is in the detail’ and especially with respect to how GDPR will be implemented. Here, we need to watch very closely how the European Data Protection Board (EDPR) responds to challenges it will face in the courts.

A central driver behind introduction of the GDPR is to affirmatively enhance protections for individuals and their data — which will entail an inevitable, and in some cases, potentially dramatic increase in the regulation of companies, not to mention very substantial increases in the potential financial penalties.

Big US companies will be the data controllers of personal data that belongs to data subjects and will also be responsible for directing the use of that data by data processors and sub-data processors anywhere on the planet. There may be situations where US companies will be working jointly with data processors for different purposes.

Legal liability for ensuring protection of the data typically rests with the data controller (although data controllers may have claims against data processors for data misuse, breach of contract, etc.). However, US data controllers will be jointly and severally liable for data protection, privacy and security at any point of the value chain. So for any breach or any unauthorized use and/or disclosure of personal data the data controller’s neck is on the line including compensation claims made by affected data subjects.

From a commercial perspective, this new approach has the potential to immensely complicate routine transactions.

A vivid example of the impact on commercial operations can be seen in the Google Spain v AEPD and Mario Costeja González case in the EU Court of Justice that effectively established the concept of “the right to be forgotten” now a data protection right under the GDPR.

US companies must carry out a data protection impact assessment (DPIA) and may well be advised to appoint a Data Protection Officer /Chief Privacy Officer

US companies that are doing business with EU citizens right now need to get on and carry out a data protection impact assessment (DPIA) across their entire operations, not simply on a project by project basis as well as appoint a Data Protection Officer (DPO) that will effectively be the eyes and ears of the company in how it complies with the GDPR.

Under the GDPR, the DPO enjoys a very different status of senior manager given their primary responsibility is to protect data privacy rather than advancing the commercial interests of the company at any cost.

Under the GDPR, the data controller must report a personal data breach that could cause harm or damage to data subjects within 72 hours of knowing about this. This will pose a significant burden as many organisations are simply not geared up to respond to such contingencies in such a short time frame.

Impact of GDPR on internet marketing for US companies

Internet marketing, the very model that’s inextricably embedded in countless commercial practices and increasingly sustains commercial activity on the web, is at risk under the GDPR.

Specifically, “profiling,” the practice of developing a snapshot of an individual’s preferences, browsing history, purchases, etc., would be prohibited unless necessary to perform under an agreement, authorized by law or has been explicitly consented to by the individual.

Behavioural advertising, targeted marketing or re-marketing, email solicitations and other direct marketing practices will be less effective if they can’t be targeted using individual profiles, and therefore less valuable.

The collection of information on individuals as a basis for displaying personalized ads, one of the largest tools in the current toolbox of e-commerce, could suddenly disappear. The disquiet created by Facebook/Cambridge Analytica will effectively tighten the controls over such practices in the new e-Privacy Regulation (E-PR) adopted by the European Commission, possibly not until Autumn 2019.

For further information, get your copy of the GDPR Handbook, published on 3 June by Kogan Page.